kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d87b4b4042ebf16812fc4b1479df4f1e072cca5e
mcias/proto/mcias/v1/token.proto
Kyle Isom 59d51a1d38 Implement Phase 7: gRPC dual-stack interface 
- proto/mcias/v1/: AdminService, AuthService, TokenService,
  AccountService, CredentialService; generated Go stubs in gen/
- internal/grpcserver: full handler implementations sharing all
  business logic (auth, token, db, crypto) with REST server;
  interceptor chain: logging -> auth (JWT alg-first + revocation) ->
  rate-limit (token bucket, 10 req/s, burst 10, per-IP)
- internal/config: optional grpc_addr field in [server] section
- cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr
  when configured; graceful shutdown of both servers in 15s window
- cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands
  (health, pubkey, account, role, token, pgcreds) using TLS with
  optional custom CA cert
- internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering
  public RPCs, auth interceptor (no token, invalid, revoked -> 401),
  non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows,
  AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip,
  credential fields absent from all responses
Security:
  JWT validation path identical to REST: alg header checked before
  signature, alg:none rejected, revocation table checked after sig.
  Authorization metadata value never logged by any interceptor.
  Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from
  all proto response messages — enforced by proto design and confirmed
  by test TestCredentialFieldsAbsentFromAccountResponse.
  Login dummy-Argon2 timing guard preserves timing uniformity for
  unknown users (same as REST handleLogin).
  TLS required at listener level; cmd/mciassrv uses
  credentials.NewServerTLSFromFile; no h2c offered.
137 tests pass, zero race conditions (go test -race ./...)
2026-03-11 14:38:47 -07:00

64 lines
1.9 KiB
Protocol Buffer
Raw Blame History

// TokenService: token validation, service-token issuance, and revocation.
syntax = "proto3";
package mcias.v1;
option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1";
import "google/protobuf/timestamp.proto";
// --- Validate ---
// ValidateTokenRequest carries the token to validate.
// The token may also be supplied via the Authorization metadata key;
// this field is an alternative for callers that cannot set metadata.
message ValidateTokenRequest {
string token = 1;
}
// ValidateTokenResponse reports validity and, on success, the claims.
message ValidateTokenResponse {
bool valid = 1;
string subject = 2; // UUID of the account; empty if invalid
repeated string roles = 3;
google.protobuf.Timestamp expires_at = 4;
}
// --- Issue ---
// IssueServiceTokenRequest specifies the system account to issue a token for.
message IssueServiceTokenRequest {
string account_id = 1; // UUID of the system account
}
// IssueServiceTokenResponse returns the new token and its expiry.
message IssueServiceTokenResponse {
string token = 1;
google.protobuf.Timestamp expires_at = 2;
}
// --- Revoke ---
// RevokeTokenRequest specifies the JTI to revoke.
message RevokeTokenRequest {
string jti = 1;
}
// RevokeTokenResponse confirms revocation.
message RevokeTokenResponse {}
// TokenService manages token lifecycle.
service TokenService {
// ValidateToken checks whether a JWT is valid and returns its claims.
// Public RPC — no auth required.
rpc ValidateToken(ValidateTokenRequest) returns (ValidateTokenResponse);
// IssueServiceToken issues a new service token for a system account.
// Requires: admin JWT in metadata.
rpc IssueServiceToken(IssueServiceTokenRequest) returns (IssueServiceTokenResponse);
// RevokeToken revokes a token by JTI.
// Requires: admin JWT in metadata.
rpc RevokeToken(RevokeTokenRequest) returns (RevokeTokenResponse);
}
Reference in New Issue View Git Blame Copy Permalink