feat(daemon): add authentication for daemon API routes

Issue daemon auth tokens (mdt_) on pairing session claim, bound to workspace_id + daemon_id with 1-year expiry. Add DaemonAuth middleware that validates these tokens and falls back to JWT/PAT for backward compatibility. Apply middleware to all daemon routes except pairing endpoints.
2026-03-31 14:41:26 +08:00 · 2026-03-31 14:41:26 +08:00 · afdfee78b9
commit afdfee78b9
parent dc3dec8ebe
9 changed files with 306 additions and 16 deletions
--- a/server/pkg/db/generated/models.go
+++ b/server/pkg/db/generated/models.go
@ -131,6 +131,15 @@ type DaemonPairingSession struct {
 	UpdatedAt      pgtype.Timestamptz `json:"updated_at"`
 }

+type DaemonToken struct {
+	ID          pgtype.UUID        `json:"id"`
+	TokenHash   string             `json:"token_hash"`
+	WorkspaceID pgtype.UUID        `json:"workspace_id"`
+	DaemonID    string             `json:"daemon_id"`
+	ExpiresAt   pgtype.Timestamptz `json:"expires_at"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+}
+
 type InboxItem struct {
 	ID            pgtype.UUID        `json:"id"`
 	WorkspaceID   pgtype.UUID        `json:"workspace_id"`