mcias/internal/ui/session.go

package ui

import (
	"crypto/ed25519"
	"fmt"
	"time"

	"git.wntrmute.dev/mc/mcias/internal/token"
)

// validateSessionToken wraps token.ValidateToken for use by UI session middleware.
// Security: identical validation pipeline as the REST API — alg check, signature,
// expiry, issuer, revocation (revocation checked by caller).
func validateSessionToken(pubKey ed25519.PublicKey, tokenStr, issuer string) (*token.Claims, error) {
	return token.ValidateToken(pubKey, tokenStr, issuer)
}

// issueToken is a convenience method for issuing a signed JWT.
func (u *UIServer) issueToken(subject string, roles []string, expiry time.Duration) (string, *token.Claims, error) {
	privKey, err := u.vault.PrivKey()
	if err != nil {
		return "", nil, fmt.Errorf("vault sealed: %w", err)
	}
	return token.IssueToken(privKey, u.cfg.Tokens.Issuer, subject, roles, expiry)
}