feat(daemon): add authentication for daemon API routes

Issue daemon auth tokens (mdt_) on pairing session claim, bound to workspace_id + daemon_id with 1-year expiry. Add DaemonAuth middleware that validates these tokens and falls back to JWT/PAT for backward compatibility. Apply middleware to all daemon routes except pairing endpoints.
2026-03-31 14:41:26 +08:00 · 2026-03-31 14:41:26 +08:00 · afdfee78b9
commit afdfee78b9
parent dc3dec8ebe
9 changed files with 306 additions and 16 deletions
--- a/server/pkg/db/generated/daemon_token.sql.go
+++ b/server/pkg/db/generated/daemon_token.sql.go
@ -0,0 +1,88 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.30.0
+// source: daemon_token.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const createDaemonToken = `-- name: CreateDaemonToken :one
+INSERT INTO daemon_token (token_hash, workspace_id, daemon_id, expires_at)
+VALUES ($1, $2, $3, $4)
+RETURNING id, token_hash, workspace_id, daemon_id, expires_at, created_at
+`
+
+type CreateDaemonTokenParams struct {
+	TokenHash   string             `json:"token_hash"`
+	WorkspaceID pgtype.UUID        `json:"workspace_id"`
+	DaemonID    string             `json:"daemon_id"`
+	ExpiresAt   pgtype.Timestamptz `json:"expires_at"`
+}
+
+func (q *Queries) CreateDaemonToken(ctx context.Context, arg CreateDaemonTokenParams) (DaemonToken, error) {
+	row := q.db.QueryRow(ctx, createDaemonToken,
+		arg.TokenHash,
+		arg.WorkspaceID,
+		arg.DaemonID,
+		arg.ExpiresAt,
+	)
+	var i DaemonToken
+	err := row.Scan(
+		&i.ID,
+		&i.TokenHash,
+		&i.WorkspaceID,
+		&i.DaemonID,
+		&i.ExpiresAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const deleteDaemonTokensByWorkspaceAndDaemon = `-- name: DeleteDaemonTokensByWorkspaceAndDaemon :exec
+DELETE FROM daemon_token
+WHERE workspace_id = $1 AND daemon_id = $2
+`
+
+type DeleteDaemonTokensByWorkspaceAndDaemonParams struct {
+	WorkspaceID pgtype.UUID `json:"workspace_id"`
+	DaemonID    string      `json:"daemon_id"`
+}
+
+func (q *Queries) DeleteDaemonTokensByWorkspaceAndDaemon(ctx context.Context, arg DeleteDaemonTokensByWorkspaceAndDaemonParams) error {
+	_, err := q.db.Exec(ctx, deleteDaemonTokensByWorkspaceAndDaemon, arg.WorkspaceID, arg.DaemonID)
+	return err
+}
+
+const deleteExpiredDaemonTokens = `-- name: DeleteExpiredDaemonTokens :exec
+DELETE FROM daemon_token
+WHERE expires_at <= now()
+`
+
+func (q *Queries) DeleteExpiredDaemonTokens(ctx context.Context) error {
+	_, err := q.db.Exec(ctx, deleteExpiredDaemonTokens)
+	return err
+}
+
+const getDaemonTokenByHash = `-- name: GetDaemonTokenByHash :one
+SELECT id, token_hash, workspace_id, daemon_id, expires_at, created_at FROM daemon_token
+WHERE token_hash = $1 AND expires_at > now()
+`
+
+func (q *Queries) GetDaemonTokenByHash(ctx context.Context, tokenHash string) (DaemonToken, error) {
+	row := q.db.QueryRow(ctx, getDaemonTokenByHash, tokenHash)
+	var i DaemonToken
+	err := row.Scan(
+		&i.ID,
+		&i.TokenHash,
+		&i.WorkspaceID,
+		&i.DaemonID,
+		&i.ExpiresAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}