sc/sgard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Implement JWT token auth with transparent auto-renewal.

Browse Source 
Replace per-call SSH signing with a two-layer auth system:

Server: AuthInterceptor verifies JWT tokens (HMAC-SHA256 signed with
repo-local jwt.key). Authenticate RPC accepts SSH-signed challenges
and issues 30-day JWTs. Expired-but-valid tokens return a
ReauthChallenge in error details (server-provided nonce for fast
re-auth). Authenticate RPC is exempt from token requirement.

Client: TokenCredentials replaces SSHCredentials as the primary
PerRPCCredentials. NewWithAuth creates clients with auto-renewal —
EnsureAuth obtains initial token, retryOnAuth catches Unauthenticated
errors and re-authenticates transparently. Token cached at
$XDG_STATE_HOME/sgard/token (0600).

CLI: dialRemote() helper handles token loading, connection setup,
and initial auth. Push/pull/prune commands simplified to use it.

Proto: Added Authenticate RPC, AuthenticateRequest/Response,
ReauthChallenge messages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-24 00:52:16 -07:00
parent b7b1b27064
commit edef642025
18 changed files with 890 additions and 283 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
server/server.go
View File

@@ -24,6 +24,7 @@ type Server struct {
garden *garden.Garden
mu sync.RWMutex
pendingManifest *manifest.Manifest
auth *AuthInterceptor // nil if auth is disabled
}
// New creates a new Server backed by the given Garden.
@@ -31,6 +32,19 @@ func New(g *garden.Garden) *Server {
return &Server{garden: g}
}
// NewWithAuth creates a new Server with authentication enabled.
func NewWithAuth(g *garden.Garden, auth *AuthInterceptor) *Server {
return &Server{garden: g, auth: auth}
}
// Authenticate handles the auth RPC by delegating to the AuthInterceptor.
func (s *Server) Authenticate(ctx context.Context, req *sgardpb.AuthenticateRequest) (*sgardpb.AuthenticateResponse, error) {
if s.auth == nil {
return nil, status.Error(codes.Unimplemented, "authentication not configured")
}
return s.auth.Authenticate(ctx, req)
}
// PushManifest compares the client manifest against the server manifest and
// decides whether to accept, reject, or report up-to-date.
func (s *Server) PushManifest(_ context.Context, req *sgardpb.PushManifestRequest) (*sgardpb.PushManifestResponse, error) {