Annotate permission errors (#67)

client.go

@@ -199,7 +199,7 @@ func (c *Client) CheckPermission(ctx context.Context, projectID uint64, minPermi
 	}
 	perm, _, err := c.FetchPermission(ctx, projectID)
 	if err != nil {
-		return false, err
+		return false, fmt.Errorf("fetch permission: %w", err)
 	}
 	return perm >= minPermission, nil
 }
@@ -227,7 +227,7 @@ func (c *Client) FetchPermission(ctx context.Context, projectID uint64) (proto.U
 	perm, access, err = c.quotaClient.GetUserPermission(ctx, projectID, userID)
 	if err != nil {
 		logger.Error("unexpected client error", slog.Any("error", err))
-		return proto.UserPermission_UNAUTHORIZED, nil, err
+		return proto.UserPermission_UNAUTHORIZED, nil, fmt.Errorf("get user permission from quotacontrol server: %w", err)
 	}
 	return perm, access, nil
 }

middleware/middleware_permission.go

@@ -19,20 +19,20 @@ func EnsurePermission(client Client, minPermission proto.UserPermission, o Optio
 
 			ctx := r.Context()
 
-			// check if we alreayd have a project ID from the JWT
+			// check if we already have a project ID from the JWT
 			q, ok := GetAccessQuota(ctx)
 			if !ok || !q.IsJWT() {
-				o.ErrHandler(r, w, proto.ErrUnauthorizedUser)
+				o.ErrHandler(r, w, proto.ErrUnauthorizedUser.WithCausef("no AccessQuota in context"))
 				return
 			}
 
 			ok, err := client.CheckPermission(ctx, q.GetProjectID(), minPermission)
 			if err != nil {
-				o.ErrHandler(r, w, proto.ErrUnauthorizedUser.WithCause(err))
+				o.ErrHandler(r, w, proto.ErrUnauthorizedUser.WithCausef("check permission: %w", err))
 				return
 			}
 			if !ok {
-				o.ErrHandler(r, w, proto.ErrUnauthorizedUser)
+				o.ErrHandler(r, w, proto.ErrUnauthorizedUser.WithCausef("not enough permissions"))
 				return
 			}