Kyle Isom
310ed83f28
Replace metacrypt's hand-rolled gRPC interceptor chain with the mcdsl grpcserver package, which provides TLS setup, logging, and method-map auth (public/auth-required/admin-required) out of the box. Metacrypt-specific interceptors are preserved as hooks: - sealInterceptor runs as a PreInterceptor (before logging/auth) - auditInterceptor runs as a PostInterceptor (after auth) The three legacy method maps (seal/auth/admin) are restructured into mcdsl's MethodMap (Public/AuthRequired/AdminRequired) plus a separate seal-required map for the PreInterceptor. Token context is now stored via mcdsl/auth.ContextWithTokenInfo instead of a package-local key. Bumps mcdsl from v1.0.0 to v1.0.1 (adds PreInterceptors/PostInterceptors to grpcserver.Options). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
56 lines
1.6 KiB
Go
56 lines
1.6 KiB
Go
package grpcserver
|
|
|
|
import (
|
|
"context"
|
|
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
|
|
)
|
|
|
|
type authServer struct {
|
|
pb.UnimplementedAuthServiceServer
|
|
s *GRPCServer
|
|
}
|
|
|
|
func (as *authServer) Login(_ context.Context, req *pb.LoginRequest) (*pb.LoginResponse, error) {
|
|
token, expiresAtTime, err := as.s.auth.Login(req.Username, req.Password, req.TotpCode)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Unauthenticated, "invalid credentials")
|
|
}
|
|
var expiresAt *timestamppb.Timestamp
|
|
if !expiresAtTime.IsZero() {
|
|
expiresAt = timestamppb.New(expiresAtTime)
|
|
}
|
|
as.s.logger.Info("audit: login", "username", req.Username)
|
|
return &pb.LoginResponse{Token: token, ExpiresAt: expiresAt}, nil
|
|
}
|
|
|
|
func (as *authServer) Logout(ctx context.Context, _ *pb.LogoutRequest) (*pb.LogoutResponse, error) {
|
|
token := extractToken(ctx)
|
|
_ = auth.Logout(as.s.auth, token)
|
|
as.s.logger.Info("audit: logout", "username", callerUsername(ctx))
|
|
return &pb.LogoutResponse{}, nil
|
|
}
|
|
|
|
func (as *authServer) TokenInfo(ctx context.Context, _ *pb.TokenInfoRequest) (*pb.TokenInfoResponse, error) {
|
|
ti := auth.TokenInfoFromContext(ctx)
|
|
if ti == nil {
|
|
// Shouldn't happen — authInterceptor runs first — but guard anyway.
|
|
token := extractToken(ctx)
|
|
var err error
|
|
ti, err = as.s.auth.ValidateToken(token)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Unauthenticated, "invalid token")
|
|
}
|
|
}
|
|
return &pb.TokenInfoResponse{
|
|
Username: ti.Username,
|
|
Roles: ti.Roles,
|
|
IsAdmin: ti.IsAdmin,
|
|
}, nil
|
|
}
|