mc/mcr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
1405424ded8d24169a0a5c36ba959d3bc2f985b7
mcr/internal/auth/client.go
Kyle Isom d5580f01f2 Migrate module path from kyle/ to mc/ org 
All import paths updated to git.wntrmute.dev/mc/. Bumps mcdsl to v1.2.0.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 02:05:59 -07:00

72 lines
2.0 KiB
Go
Raw Blame History

package auth
import (
"errors"
"log/slog"
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
)
// Client communicates with an MCIAS server for authentication and token
// validation. It delegates to mcdsl/auth.Authenticator and adapts the
// results to MCR's Claims type (which includes AccountType for the policy
// engine).
type Client struct {
auth *mcdslauth.Authenticator
}
// Authenticator returns the underlying mcdsl/auth.Authenticator. This is
// used by the gRPC server which delegates auth to the mcdsl grpcserver
// package.
func (c *Client) Authenticator() *mcdslauth.Authenticator {
return c.auth
}
// NewClient creates an auth Client that talks to the MCIAS server at
// serverURL. If caCert is non-empty, it is used as a custom CA cert.
// TLS 1.3 is required for all HTTPS connections.
func NewClient(serverURL, caCert, serviceName string, tags []string) (*Client, error) {
a, err := mcdslauth.New(mcdslauth.Config{
ServerURL: serverURL,
CACert: caCert,
ServiceName: serviceName,
Tags: tags,
}, slog.Default())
if err != nil {
return nil, err
}
return &Client{auth: a}, nil
}
// Login authenticates a user against MCIAS and returns a bearer token.
func (c *Client) Login(username, password string) (token string, expiresIn int, err error) {
tok, _, loginErr := c.auth.Login(username, password, "")
if loginErr != nil {
if errors.Is(loginErr, mcdslauth.ErrForbidden) {
return "", 0, ErrForbidden
}
if errors.Is(loginErr, mcdslauth.ErrInvalidCredentials) {
return "", 0, ErrUnauthorized
}
return "", 0, loginErr
}
return tok, 0, nil
}
// ValidateToken checks a bearer token against MCIAS. Results are cached
// by SHA-256 hash for 30 seconds (handled by mcdsl/auth).
func (c *Client) ValidateToken(token string) (*Claims, error) {
info, err := c.auth.ValidateToken(token)
if err != nil {
if errors.Is(err, mcdslauth.ErrInvalidToken) {
return nil, ErrUnauthorized
}
return nil, ErrMCIASUnavailable
}
return &Claims{
Subject: info.Username,
AccountType: info.AccountType,
Roles: info.Roles,
}, nil
}
Reference in New Issue View Git Blame Copy Permalink