Cut user-owned API keys; redesign subject model
Removes the APIKey primitive entirely (Auth.IssueAPIKey/AuthenticateAPIKey/
RevokeAPIKey, APIKeyStore, Deps.APIKeys, Stores.APIKeys, Tables.APIKeys,
ErrAPIKeyInvalid, AuthMethodAPIKey, Principal.{APIKeyID, Abilities, HasAbility},
prefixAPIKey, RequireAPIKey, and the 6 SQL templates). Migration
0003_drop_api_keys.sql hard-drops authkit_api_keys.
The new subject model: *Principal carries identity only (sessions, JWTs);
*ServiceKey is the only abilities-bearing credential and gains a
HasAbility(name) method. RequireAbility now reads *ServiceKey from context
(user principals 403 by design). RequireRole/RequirePermission stay
Principal-only. New RequireServiceKey + ServiceKeyFrom + MustServiceKey,
and a heterogeneous RequireAnyOrServiceKey for routes that accept either.
RequireAny is now Principal-only (default [Session, JWT]).
Adds 7 middleware tests (auth, revoked, ability accept/reject across
subjects, role rejects service key, RequireAnyOrServiceKey both paths) and
1 (*ServiceKey).HasAbility unit test. Existing API-key tests deleted.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
juancwu
parent
4942e4dbdc
commit
7f1db871bc
24 changed files with 773 additions and 496 deletions
16
principal.go
16
principal.go
|
|
@ -11,17 +11,18 @@ type AuthMethod string
|
|||
const (
|
||||
AuthMethodSession AuthMethod = "session"
|
||||
AuthMethodJWT AuthMethod = "jwt"
|
||||
AuthMethodAPIKey AuthMethod = "api_key"
|
||||
)
|
||||
|
||||
// Principal represents an authenticated user. It is produced only by
|
||||
// user-bound auth methods (session, JWT) and carries identity plus
|
||||
// RBAC-resolved roles/permissions. Service-token auth produces a
|
||||
// *ServiceKey instead — those credentials carry abilities, not identity.
|
||||
type Principal struct {
|
||||
UserID uuid.UUID
|
||||
Method AuthMethod
|
||||
SessionID []byte
|
||||
APIKeyID []byte
|
||||
Roles []string
|
||||
Permissions []string
|
||||
Abilities []string
|
||||
IssuedAt time.Time
|
||||
ExpiresAt time.Time
|
||||
}
|
||||
|
|
@ -52,12 +53,3 @@ func (p *Principal) HasPermission(name string) bool {
|
|||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (p *Principal) HasAbility(name string) bool {
|
||||
for _, a := range p.Abilities {
|
||||
if a == name {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue