Kyle Isom
d87b4b4042
- New internal/vault package: thread-safe Vault struct with seal/unseal state, key material zeroing, and key derivation - REST: POST /v1/vault/unseal, POST /v1/vault/seal, GET /v1/vault/status; health returns sealed status - UI: /unseal page with passphrase form, redirect when sealed - gRPC: sealedInterceptor rejects RPCs when sealed - Middleware: RequireUnsealed blocks all routes except exempt paths; RequireAuth reads pubkey from vault at request time - Startup: server starts sealed when passphrase unavailable - All servers share single *vault.Vault by pointer - CSRF manager derives key lazily from vault Security: Key material is zeroed on seal. Sealed middleware runs before auth. Handlers fail closed if vault becomes sealed mid-request. Unseal endpoint is rate-limited (3/s burst 5). No CSRF on unseal page (no session to protect; chicken-and-egg with master key). Passphrase never logged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
26 lines
865 B
Go
26 lines
865 B
Go
package ui
|
|
|
|
import (
|
|
"crypto/ed25519"
|
|
"fmt"
|
|
"time"
|
|
|
|
"git.wntrmute.dev/kyle/mcias/internal/token"
|
|
)
|
|
|
|
// validateSessionToken wraps token.ValidateToken for use by UI session middleware.
|
|
// Security: identical validation pipeline as the REST API — alg check, signature,
|
|
// expiry, issuer, revocation (revocation checked by caller).
|
|
func validateSessionToken(pubKey ed25519.PublicKey, tokenStr, issuer string) (*token.Claims, error) {
|
|
return token.ValidateToken(pubKey, tokenStr, issuer)
|
|
}
|
|
|
|
// issueToken is a convenience method for issuing a signed JWT.
|
|
func (u *UIServer) issueToken(subject string, roles []string, expiry time.Duration) (string, *token.Claims, error) {
|
|
privKey, err := u.vault.PrivKey()
|
|
if err != nil {
|
|
return "", nil, fmt.Errorf("vault sealed: %w", err)
|
|
}
|
|
return token.IssueToken(privKey, u.cfg.Tokens.Issuer, subject, roles, expiry)
|
|
}
|