Implement JWT token auth with transparent auto-renewal.

Replace per-call SSH signing with a two-layer auth system: Server: AuthInterceptor verifies JWT tokens (HMAC-SHA256 signed with repo-local jwt.key). Authenticate RPC accepts SSH-signed challenges and issues 30-day JWTs. Expired-but-valid tokens return a ReauthChallenge in error details (server-provided nonce for fast re-auth). Authenticate RPC is exempt from token requirement. Client: TokenCredentials replaces SSHCredentials as the primary PerRPCCredentials. NewWithAuth creates clients with auto-renewal — EnsureAuth obtains initial token, retryOnAuth catches Unauthenticated errors and re-authenticates transparently. Token cached at $XDG_STATE_HOME/sgard/token (0600). CLI: dialRemote() helper handles token loading, connection setup, and initial auth. Push/pull/prune commands simplified to use it. Proto: Added Authenticate RPC, AuthenticateRequest/Response, ReauthChallenge messages. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 00:52:16 -07:00
parent b7b1b27064
commit edef642025
18 changed files with 890 additions and 283 deletions
--- a/sgardpb/sgard_grpc.pb.go
+++ b/sgardpb/sgard_grpc.pb.go
@@ -19,6 +19,7 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
+	GardenSync_Authenticate_FullMethodName = "/sgard.v1.GardenSync/Authenticate"
 	GardenSync_PushManifest_FullMethodName = "/sgard.v1.GardenSync/PushManifest"
 	GardenSync_PushBlobs_FullMethodName    = "/sgard.v1.GardenSync/PushBlobs"
 	GardenSync_PullManifest_FullMethodName = "/sgard.v1.GardenSync/PullManifest"
@@ -32,6 +33,8 @@ const (
 //
 // GardenSync is the sgard remote sync service.
 type GardenSyncClient interface {
+	// Authenticate exchanges an SSH-signed challenge for a JWT token.
+	Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error)
 	// Push flow: send manifest, then stream missing blobs.
 	PushManifest(ctx context.Context, in *PushManifestRequest, opts ...grpc.CallOption) (*PushManifestResponse, error)
 	PushBlobs(ctx context.Context, opts ...grpc.CallOption) (grpc.ClientStreamingClient[PushBlobsRequest, PushBlobsResponse], error)
@@ -50,6 +53,16 @@ func NewGardenSyncClient(cc grpc.ClientConnInterface) GardenSyncClient {
 	return &gardenSyncClient{cc}
 }

+func (c *gardenSyncClient) Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(AuthenticateResponse)
+	err := c.cc.Invoke(ctx, GardenSync_Authenticate_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *gardenSyncClient) PushManifest(ctx context.Context, in *PushManifestRequest, opts ...grpc.CallOption) (*PushManifestResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(PushManifestResponse)
@@ -118,6 +131,8 @@ func (c *gardenSyncClient) Prune(ctx context.Context, in *PruneRequest, opts ...
 //
 // GardenSync is the sgard remote sync service.
 type GardenSyncServer interface {
+	// Authenticate exchanges an SSH-signed challenge for a JWT token.
+	Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error)
 	// Push flow: send manifest, then stream missing blobs.
 	PushManifest(context.Context, *PushManifestRequest) (*PushManifestResponse, error)
 	PushBlobs(grpc.ClientStreamingServer[PushBlobsRequest, PushBlobsResponse]) error
@@ -136,6 +151,9 @@ type GardenSyncServer interface {
 // pointer dereference when methods are called.
 type UnimplementedGardenSyncServer struct{}

+func (UnimplementedGardenSyncServer) Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
+}
 func (UnimplementedGardenSyncServer) PushManifest(context.Context, *PushManifestRequest) (*PushManifestResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method PushManifest not implemented")
 }
@@ -172,6 +190,24 @@ func RegisterGardenSyncServer(s grpc.ServiceRegistrar, srv GardenSyncServer) {
 	s.RegisterService(&GardenSync_ServiceDesc, srv)
 }

+func _GardenSync_Authenticate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AuthenticateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(GardenSyncServer).Authenticate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: GardenSync_Authenticate_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(GardenSyncServer).Authenticate(ctx, req.(*AuthenticateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _GardenSync_PushManifest_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(PushManifestRequest)
 	if err := dec(in); err != nil {
@@ -251,6 +287,10 @@ var GardenSync_ServiceDesc = grpc.ServiceDesc{
 	ServiceName: "sgard.v1.GardenSync",
 	HandlerType: (*GardenSyncServer)(nil),
 	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Authenticate",
+			Handler:    _GardenSync_Authenticate_Handler,
+		},
 		{
 			MethodName: "PushManifest",
 			Handler:    _GardenSync_PushManifest_Handler,