mc/mcr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Batch A: blob storage layer, MCIAS auth, OCI token endpoint

Browse Source 
Phase 2 — internal/storage/:
Content-addressed blob storage with atomic writes via rename.
BlobWriter stages data in uploads dir with running SHA-256 hash,
commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>.
Reader provides Open, Stat, Delete, Exists with digest validation.

Phase 3 — internal/auth/ + internal/server/:
MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache
with lazy eviction and injectable clock for testing. TLS 1.3 minimum
with optional custom CA cert.
Chi router with RequireAuth middleware (Bearer token extraction,
WWW-Authenticate header, OCI error format), token endpoint (Basic
auth → bearer exchange via MCIAS), and /v2/ version check handler.

52 tests passing (14 storage + 9 auth + 9 server + 20 existing).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-19 14:51:19 -07:00
parent fde66be9c1
commit 3314b7a618
25 changed files with 1696 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
internal/server/token.go Normal file
View File

@@ -0,0 +1,45 @@
package server
import (
"encoding/json"
"net/http"
"time"
)
// LoginClient abstracts the MCIAS login call so the handler can work
// with the real client or a test fake.
type LoginClient interface {
Login(username, password string) (token string, expiresIn int, err error)
}
// tokenResponse is the JSON body returned by the token endpoint.
type tokenResponse struct {
Token string `json:"token"`
ExpiresIn int `json:"expires_in"`
IssuedAt string `json:"issued_at"`
}
// TokenHandler returns an http.HandlerFunc that exchanges Basic
// credentials for a bearer token via the given LoginClient.
func TokenHandler(loginClient LoginClient) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
username, password, ok := r.BasicAuth()
if !ok || username == "" {
writeOCIError(w, "UNAUTHORIZED", http.StatusUnauthorized, "basic authentication required")
return
}
token, expiresIn, err := loginClient.Login(username, password)
if err != nil {
writeOCIError(w, "UNAUTHORIZED", http.StatusUnauthorized, "authentication failed")
return
}
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(tokenResponse{
Token: token,
ExpiresIn: expiresIn,
IssuedAt: time.Now().UTC().Format(time.RFC3339),
})
}
}