Merge pull request #214 from multica-ai/agent/lambda/4771d426

feat(daemon): add authentication for daemon API routes
2026-03-31 15:27:11 +08:00 · 2026-03-31 15:27:11 +08:00 · cfd2fdf70f
commit cfd2fdf70f
parent 987984431b 497fce0061
9 changed files with 306 additions and 16 deletions
--- a/server/internal/auth/jwt.go
+++ b/server/internal/auth/jwt.go
@ -37,6 +37,15 @@ func GeneratePATToken() (string, error) {
 	return "mul_" + hex.EncodeToString(b), nil
 }

+// GenerateDaemonToken creates a new daemon auth token: "mdt_" + 40 random hex chars.
+func GenerateDaemonToken() (string, error) {
+	b := make([]byte, 20) // 20 bytes = 40 hex chars
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("generate daemon token: %w", err)
+	}
+	return "mdt_" + hex.EncodeToString(b), nil
+}
+
 // HashToken returns the hex-encoded SHA-256 hash of a token string.
 func HashToken(token string) string {
 	h := sha256.Sum256([]byte(token))
--- a/server/internal/handler/daemon_pairing.go
+++ b/server/internal/handler/daemon_pairing.go
@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"net/url"
 	"os"
@ -14,6 +15,8 @@ import (

 	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5/pgtype"
+	"github.com/multica-ai/multica/server/internal/auth"
+	db "github.com/multica-ai/multica/server/pkg/db/generated"
 )

 const daemonPairingTTL = 10 * time.Minute
@ -50,6 +53,7 @@ type DaemonPairingSessionResponse struct {
 	CreatedAt      string  `json:"created_at"`
 	UpdatedAt      string  `json:"updated_at"`
 	LinkURL        *string `json:"link_url,omitempty"`
+	DaemonToken    *string `json:"daemon_token,omitempty"`
 }

 type CreateDaemonPairingSessionRequest struct {
@ -382,5 +386,39 @@ func (h *Handler) ClaimDaemonPairingSession(w http.ResponseWriter, r *http.Reque
 		return
 	}

-	writeJSON(w, http.StatusOK, daemonPairingSessionToResponse(rec, true))
+	resp := daemonPairingSessionToResponse(rec, true)
+
+	// Issue a daemon auth token bound to the workspace and daemon.
+	if rec.WorkspaceID.Valid {
+		plainToken, err := auth.GenerateDaemonToken()
+		if err != nil {
+			slog.Error("failed to generate daemon token", "error", err)
+			writeError(w, http.StatusInternalServerError, "failed to generate daemon token")
+			return
+		}
+		hash := auth.HashToken(plainToken)
+
+		// Revoke any existing tokens for this workspace+daemon pair.
+		_ = h.Queries.DeleteDaemonTokensByWorkspaceAndDaemon(r.Context(), db.DeleteDaemonTokensByWorkspaceAndDaemonParams{
+			WorkspaceID: rec.WorkspaceID,
+			DaemonID:    rec.DaemonID,
+		})
+
+		_, err = h.Queries.CreateDaemonToken(r.Context(), db.CreateDaemonTokenParams{
+			TokenHash:   hash,
+			WorkspaceID: rec.WorkspaceID,
+			DaemonID:    rec.DaemonID,
+			ExpiresAt:   pgtype.Timestamptz{Time: time.Now().Add(365 * 24 * time.Hour), Valid: true},
+		})
+		if err != nil {
+			slog.Error("failed to store daemon token", "error", err)
+			writeError(w, http.StatusInternalServerError, "failed to store daemon token")
+			return
+		}
+
+		resp.DaemonToken = &plainToken
+		slog.Info("daemon token issued", "daemon_id", rec.DaemonID, "workspace_id", uuidToPtr(rec.WorkspaceID))
+	}
+
+	writeJSON(w, http.StatusOK, resp)
 }
--- a/server/internal/middleware/daemon_auth.go
+++ b/server/internal/middleware/daemon_auth.go
@ -0,0 +1,112 @@
+package middleware
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/multica-ai/multica/server/internal/auth"
+	db "github.com/multica-ai/multica/server/pkg/db/generated"
+)
+
+// Daemon context keys.
+type daemonContextKey int
+
+const (
+	ctxKeyDaemonWorkspaceID daemonContextKey = iota
+	ctxKeyDaemonID
+)
+
+// DaemonWorkspaceIDFromContext returns the workspace ID set by DaemonAuth middleware.
+func DaemonWorkspaceIDFromContext(ctx context.Context) string {
+	id, _ := ctx.Value(ctxKeyDaemonWorkspaceID).(string)
+	return id
+}
+
+// DaemonIDFromContext returns the daemon ID set by DaemonAuth middleware.
+func DaemonIDFromContext(ctx context.Context) string {
+	id, _ := ctx.Value(ctxKeyDaemonID).(string)
+	return id
+}
+
+// DaemonAuth validates daemon auth tokens (mdt_ prefix) or falls back to
+// JWT/PAT validation for backward compatibility with daemons that
+// authenticate via user tokens.
+func DaemonAuth(queries *db.Queries) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			authHeader := r.Header.Get("Authorization")
+			if authHeader == "" {
+				slog.Debug("daemon_auth: missing authorization header", "path", r.URL.Path)
+				writeError(w, http.StatusUnauthorized, "missing authorization header")
+				return
+			}
+
+			tokenString := strings.TrimPrefix(authHeader, "Bearer ")
+			if tokenString == authHeader {
+				slog.Debug("daemon_auth: invalid format", "path", r.URL.Path)
+				writeError(w, http.StatusUnauthorized, "invalid authorization format")
+				return
+			}
+
+			// Daemon token: "mdt_" prefix.
+			if strings.HasPrefix(tokenString, "mdt_") {
+				hash := auth.HashToken(tokenString)
+				dt, err := queries.GetDaemonTokenByHash(r.Context(), hash)
+				if err != nil {
+					slog.Warn("daemon_auth: invalid daemon token", "path", r.URL.Path, "error", err)
+					writeError(w, http.StatusUnauthorized, "invalid daemon token")
+					return
+				}
+
+				ctx := context.WithValue(r.Context(), ctxKeyDaemonWorkspaceID, uuidToString(dt.WorkspaceID))
+				ctx = context.WithValue(ctx, ctxKeyDaemonID, dt.DaemonID)
+				next.ServeHTTP(w, r.WithContext(ctx))
+				return
+			}
+
+			// Fallback: PAT tokens ("mul_" prefix).
+			if strings.HasPrefix(tokenString, "mul_") {
+				hash := auth.HashToken(tokenString)
+				pat, err := queries.GetPersonalAccessTokenByHash(r.Context(), hash)
+				if err != nil {
+					slog.Warn("daemon_auth: invalid PAT", "path", r.URL.Path, "error", err)
+					writeError(w, http.StatusUnauthorized, "invalid token")
+					return
+				}
+				r.Header.Set("X-User-ID", uuidToString(pat.UserID))
+				go queries.UpdatePersonalAccessTokenLastUsed(context.Background(), pat.ID)
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Fallback: JWT tokens.
+			token, err := jwt.Parse(tokenString, func(token *jwt.Token) (any, error) {
+				if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+					return nil, jwt.ErrSignatureInvalid
+				}
+				return auth.JWTSecret(), nil
+			})
+			if err != nil || !token.Valid {
+				slog.Warn("daemon_auth: invalid token", "path", r.URL.Path, "error", err)
+				writeError(w, http.StatusUnauthorized, "invalid token")
+				return
+			}
+
+			claims, ok := token.Claims.(jwt.MapClaims)
+			if !ok {
+				writeError(w, http.StatusUnauthorized, "invalid claims")
+				return
+			}
+			sub, ok := claims["sub"].(string)
+			if !ok || strings.TrimSpace(sub) == "" {
+				writeError(w, http.StatusUnauthorized, "invalid claims")
+				return
+			}
+			r.Header.Set("X-User-ID", sub)
+			next.ServeHTTP(w, r)
+		})
+	}
+}