Cut user-owned API keys; redesign subject model

Removes the APIKey primitive entirely (Auth.IssueAPIKey/AuthenticateAPIKey/ RevokeAPIKey, APIKeyStore, Deps.APIKeys, Stores.APIKeys, Tables.APIKeys, ErrAPIKeyInvalid, AuthMethodAPIKey, Principal.{APIKeyID, Abilities, HasAbility}, prefixAPIKey, RequireAPIKey, and the 6 SQL templates). Migration 0003_drop_api_keys.sql hard-drops authkit_api_keys. The new subject model: *Principal carries identity only (sessions, JWTs); *ServiceKey is the only abilities-bearing credential and gains a HasAbility(name) method. RequireAbility now reads *ServiceKey from context (user principals 403 by design). RequireRole/RequirePermission stay Principal-only. New RequireServiceKey + ServiceKeyFrom + MustServiceKey, and a heterogeneous RequireAnyOrServiceKey for routes that accept either. RequireAny is now Principal-only (default [Session, JWT]). Adds 7 middleware tests (auth, revoked, ability accept/reject across subjects, role rejects service key, RequireAnyOrServiceKey both paths) and 1 (*ServiceKey).HasAbility unit test. Existing API-key tests deleted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 20:29:17 +00:00 · 2026-04-26 20:29:17 +00:00 · 7f1db871bc
commit 7f1db871bc
parent 4942e4dbdc
24 changed files with 773 additions and 496 deletions
--- a/errors.go
+++ b/errors.go
@ -10,7 +10,6 @@ var (
 	ErrTokenInvalid       = errors.New("authkit: invalid or expired token")
 	ErrTokenReused        = errors.New("authkit: token reuse detected")
 	ErrSessionInvalid     = errors.New("authkit: invalid or expired session")
-	ErrAPIKeyInvalid      = errors.New("authkit: invalid or expired api key")
 	ErrServiceKeyInvalid  = errors.New("authkit: invalid or expired service key")
 	ErrPermissionDenied   = errors.New("authkit: permission denied")
 	ErrRoleNotFound       = errors.New("authkit: role not found")