wishlist-service/app/Http/Middleware/JwtAuthMiddleware.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Exception;

class JwtAuthMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        // 1. Ler Authorization e extrair Bearer <token>
        $authHeader = $request->header('Authorization');

        if (!$authHeader || !preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
            return response()->json(['message' => 'Missing or invalid Authorization header'], 401); // Retorna 401 se falhar
        }

        $token = $matches[1];

        // Corrige as quebras de linha da chave pública que vêm do .env
        $publicKey = str_replace('\\n', "\n", env('JWT_PUBLIC_KEY_PEM'));
        $issuer = env('JWT_ISSUER');
        $audience = env('JWT_AUDIENCE');

        try {
            // 2. Validar assinatura RS256 com JWT_PUBLIC_KEY_PEM e expiração (automático pela biblioteca)
            $decoded = JWT::decode($token, new Key($publicKey, 'RS256'));

            // 3. Validar iss e aud
            if ($decoded->iss !== $issuer) {
                throw new Exception('Invalid issuer');
            }

            $tokenAudience = is_array($decoded->aud) ? $decoded->aud[0] : $decoded->aud;
            if ($tokenAudience !== $audience) {
                throw new Exception('Invalid audience');
            }

            // 4. Validar se sub existe (nosso user_id confiável)
            if (!isset($decoded->sub) || empty(trim((string)$decoded->sub))) {
                throw new Exception('Invalid token claims: sub is missing');
            }

            // 5. Montar a identificação para as rotas usarem (equivalente ao request.auth = { id: sub, token })
            $request->attributes->add([
                'auth_id' => $decoded->sub,
                'token'   => $token
            ]);

            return $next($request);

        } catch (Exception $e) {
            // Retorna 401 para token inválido ou expirado
            return response()->json(['message' => 'Invalid or expired access token'], 401);
        }
    }
}