marketing-shibata50/multica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
multica/server/internal/middleware/daemon_auth.go
Jiayuan afdfee78b9 feat(daemon): add authentication for daemon API routes 
Issue daemon auth tokens (mdt_) on pairing session claim, bound to
workspace_id + daemon_id with 1-year expiry. Add DaemonAuth middleware
that validates these tokens and falls back to JWT/PAT for backward
compatibility. Apply middleware to all daemon routes except pairing
endpoints.
2026-03-31 16:19:02 +08:00

112 lines
3.5 KiB
Go
Raw Blame History

package middleware
import (
"context"
"log/slog"
"net/http"
"strings"
"github.com/golang-jwt/jwt/v5"
"github.com/multica-ai/multica/server/internal/auth"
db "github.com/multica-ai/multica/server/pkg/db/generated"
)
// Daemon context keys.
type daemonContextKey int
const (
ctxKeyDaemonWorkspaceID daemonContextKey = iota
ctxKeyDaemonID
)
// DaemonWorkspaceIDFromContext returns the workspace ID set by DaemonAuth middleware.
func DaemonWorkspaceIDFromContext(ctx context.Context) string {
id, _ := ctx.Value(ctxKeyDaemonWorkspaceID).(string)
return id
}
// DaemonIDFromContext returns the daemon ID set by DaemonAuth middleware.
func DaemonIDFromContext(ctx context.Context) string {
id, _ := ctx.Value(ctxKeyDaemonID).(string)
return id
}
// DaemonAuth validates daemon auth tokens (mdt_ prefix) or falls back to
// JWT/PAT validation for backward compatibility with daemons that
// authenticate via user tokens.
func DaemonAuth(queries *db.Queries) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
authHeader := r.Header.Get("Authorization")
if authHeader == "" {
slog.Debug("daemon_auth: missing authorization header", "path", r.URL.Path)
writeError(w, http.StatusUnauthorized, "missing authorization header")
return
}
tokenString := strings.TrimPrefix(authHeader, "Bearer ")
if tokenString == authHeader {
slog.Debug("daemon_auth: invalid format", "path", r.URL.Path)
writeError(w, http.StatusUnauthorized, "invalid authorization format")
return
}
// Daemon token: "mdt_" prefix.
if strings.HasPrefix(tokenString, "mdt_") {
hash := auth.HashToken(tokenString)
dt, err := queries.GetDaemonTokenByHash(r.Context(), hash)
if err != nil {
slog.Warn("daemon_auth: invalid daemon token", "path", r.URL.Path, "error", err)
writeError(w, http.StatusUnauthorized, "invalid daemon token")
return
}
ctx := context.WithValue(r.Context(), ctxKeyDaemonWorkspaceID, uuidToString(dt.WorkspaceID))
ctx = context.WithValue(ctx, ctxKeyDaemonID, dt.DaemonID)
next.ServeHTTP(w, r.WithContext(ctx))
return
}
// Fallback: PAT tokens ("mul_" prefix).
if strings.HasPrefix(tokenString, "mul_") {
hash := auth.HashToken(tokenString)
pat, err := queries.GetPersonalAccessTokenByHash(r.Context(), hash)
if err != nil {
slog.Warn("daemon_auth: invalid PAT", "path", r.URL.Path, "error", err)
writeError(w, http.StatusUnauthorized, "invalid token")
return
}
r.Header.Set("X-User-ID", uuidToString(pat.UserID))
go queries.UpdatePersonalAccessTokenLastUsed(context.Background(), pat.ID)
next.ServeHTTP(w, r)
return
}
// Fallback: JWT tokens.
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (any, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, jwt.ErrSignatureInvalid
}
return auth.JWTSecret(), nil
})
if err != nil || !token.Valid {
slog.Warn("daemon_auth: invalid token", "path", r.URL.Path, "error", err)
writeError(w, http.StatusUnauthorized, "invalid token")
return
}
claims, ok := token.Claims.(jwt.MapClaims)
if !ok {
writeError(w, http.StatusUnauthorized, "invalid claims")
return
}
sub, ok := claims["sub"].(string)
if !ok || strings.TrimSpace(sub) == "" {
writeError(w, http.StatusUnauthorized, "invalid claims")
return
}
r.Header.Set("X-User-ID", sub)
next.ServeHTTP(w, r)
})
}
}
Reference in a new issue View git blame Copy permalink