sc/sgard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Implement JWT token auth with transparent auto-renewal.

Browse Source 
Replace per-call SSH signing with a two-layer auth system:

Server: AuthInterceptor verifies JWT tokens (HMAC-SHA256 signed with
repo-local jwt.key). Authenticate RPC accepts SSH-signed challenges
and issues 30-day JWTs. Expired-but-valid tokens return a
ReauthChallenge in error details (server-provided nonce for fast
re-auth). Authenticate RPC is exempt from token requirement.

Client: TokenCredentials replaces SSHCredentials as the primary
PerRPCCredentials. NewWithAuth creates clients with auto-renewal —
EnsureAuth obtains initial token, retryOnAuth catches Unauthenticated
errors and re-authenticates transparently. Token cached at
$XDG_STATE_HOME/sgard/token (0600).

CLI: dialRemote() helper handles token loading, connection setup,
and initial auth. Push/pull/prune commands simplified to use it.

Proto: Added Authenticate RPC, AuthenticateRequest/Response,
ReauthChallenge messages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-24 00:52:16 -07:00
parent b7b1b27064
commit edef642025
18 changed files with 890 additions and 283 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
proto/sgard/v1/sgard.proto
View File

@@ -82,8 +82,32 @@ message PruneResponse {
int32 blobs_removed = 1;
}
// Auth messages.
message AuthenticateRequest {
bytes nonce = 1; // 32-byte nonce (server-provided or client-generated)
int64 timestamp = 2; // Unix seconds
bytes signature = 3; // SSH signature over (nonce || timestamp)
string public_key = 4; // SSH public key in authorized_keys format
}
message AuthenticateResponse {
string token = 1; // JWT valid for 30 days
}
// ReauthChallenge is embedded in Unauthenticated error details when a
// token is expired but was previously valid. The client signs this
// challenge to obtain a new token without generating its own nonce.
message ReauthChallenge {
bytes nonce = 1; // server-generated 32-byte nonce
int64 timestamp = 2; // server's current Unix timestamp
}
// GardenSync is the sgard remote sync service.
service GardenSync {
// Authenticate exchanges an SSH-signed challenge for a JWT token.
rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
// Push flow: send manifest, then stream missing blobs.
rpc PushManifest(PushManifestRequest) returns (PushManifestResponse);
rpc PushBlobs(stream PushBlobsRequest) returns (PushBlobsResponse);