feat(daemon): add authentication for daemon API routes

Issue daemon auth tokens (mdt_) on pairing session claim, bound to workspace_id + daemon_id with 1-year expiry. Add DaemonAuth middleware that validates these tokens and falls back to JWT/PAT for backward compatibility. Apply middleware to all daemon routes except pairing endpoints.
2026-03-31 14:41:26 +08:00 · 2026-03-31 14:41:26 +08:00 · 9f56f6af81
commit 9f56f6af81
parent 8fa4c8f576
9 changed files with 306 additions and 16 deletions
--- a/server/cmd/server/router.go
+++ b/server/cmd/server/router.go
@ -79,28 +79,34 @@ func NewRouter(pool *pgxpool.Pool, hub *realtime.Hub, bus *events.Bus) chi.Route
 	r.Post("/auth/send-code", h.SendCode)
 	r.Post("/auth/verify-code", h.VerifyCode)

-	// Daemon API routes (no user auth; daemon auth deferred to later)
+	// Daemon API routes
 	r.Route("/api/daemon", func(r chi.Router) {
+		// Pairing routes — no auth required (daemon doesn't have a token yet).
 		r.Post("/pairing-sessions", h.CreateDaemonPairingSession)
 		r.Get("/pairing-sessions/{token}", h.GetDaemonPairingSession)
 		r.Post("/pairing-sessions/{token}/claim", h.ClaimDaemonPairingSession)

-		r.Post("/register", h.DaemonRegister)
-		r.Post("/deregister", h.DaemonDeregister)
-		r.Post("/heartbeat", h.DaemonHeartbeat)
+		// Authenticated daemon routes — require daemon token (mdt_) or user JWT/PAT.
+		r.Group(func(r chi.Router) {
+			r.Use(middleware.DaemonAuth(queries))

-		r.Post("/runtimes/{runtimeId}/tasks/claim", h.ClaimTaskByRuntime)
-		r.Get("/runtimes/{runtimeId}/tasks/pending", h.ListPendingTasksByRuntime)
-		r.Post("/runtimes/{runtimeId}/usage", h.ReportRuntimeUsage)
-		r.Post("/runtimes/{runtimeId}/ping/{pingId}/result", h.ReportPingResult)
+			r.Post("/register", h.DaemonRegister)
+			r.Post("/deregister", h.DaemonDeregister)
+			r.Post("/heartbeat", h.DaemonHeartbeat)

-		r.Get("/tasks/{taskId}/status", h.GetTaskStatus)
-		r.Post("/tasks/{taskId}/start", h.StartTask)
-		r.Post("/tasks/{taskId}/progress", h.ReportTaskProgress)
-		r.Post("/tasks/{taskId}/complete", h.CompleteTask)
-		r.Post("/tasks/{taskId}/fail", h.FailTask)
-		r.Post("/tasks/{taskId}/messages", h.ReportTaskMessages)
-		r.Get("/tasks/{taskId}/messages", h.ListTaskMessages)
+			r.Post("/runtimes/{runtimeId}/tasks/claim", h.ClaimTaskByRuntime)
+			r.Get("/runtimes/{runtimeId}/tasks/pending", h.ListPendingTasksByRuntime)
+			r.Post("/runtimes/{runtimeId}/usage", h.ReportRuntimeUsage)
+			r.Post("/runtimes/{runtimeId}/ping/{pingId}/result", h.ReportPingResult)
+
+			r.Get("/tasks/{taskId}/status", h.GetTaskStatus)
+			r.Post("/tasks/{taskId}/start", h.StartTask)
+			r.Post("/tasks/{taskId}/progress", h.ReportTaskProgress)
+			r.Post("/tasks/{taskId}/complete", h.CompleteTask)
+			r.Post("/tasks/{taskId}/fail", h.FailTask)
+			r.Post("/tasks/{taskId}/messages", h.ReportTaskMessages)
+			r.Get("/tasks/{taskId}/messages", h.ListTaskMessages)
+		})
 	})

 	// Protected API routes