package auth
v0.60.14
Published: May 19, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Overview

Package auth handles inbound caller authentication for codex-app-gateway.

Phase 1 used an HMAC-signed token of the form

<workspace_id>.<thread_id>.<hex-hmac-sha256>

where the HMAC-SHA256 tag covers `<workspace_id>\0<thread_id>` (the two IDs joined by a NUL byte) and is keyed by a deployment-shared secret. This matches the wstoken / internal-API pattern used elsewhere in agentserver and avoided pulling in a JWT library just for phase 1; the `Authenticator` interface is the seam behind which a JWT implementation could later be swapped in. Note that a phase-1 token carries no expiry and cannot be revoked individually: anyone holding the shared secret can mint a valid token for any workspace, and the only remediation for a leaked secret is rotating it.

Phase 2 default is RemoteVerifier: on each ws connect the gateway POSTs the supplied bearer token to agentserver's /api/internal/codex/tokens/verify, which owns the codex_remote_tokens table and applies the bcrypt, expiry and revocation policy. This couples the gateway to agentserver's lifecycle but keeps the gateway stateless; it holds no token store of its own.

The HMAC authenticator stays in the package as a break-glass / local-test implementation but is no longer used in chart-deployed pods.

Index

Constants

This section is empty.

Variables

var ErrUnauthorized = errors.New("auth: unauthorized")

ErrUnauthorized is returned by RemoteVerifier.Verify when agentserver responds 401. It is a distinct sentinel (compare with errors.Is) so handlers can map it directly to HTTP 401 without leaking other failure reasons to the caller (network failure → 500, etc.).

Functions

func ExtractBearer

func ExtractBearer(r *http.Request) (string, bool)

ExtractBearer pulls the token out of an `Authorization: Bearer <tok>` header. The boolean reports whether such a header was present; callers should treat false as an unauthenticated request rather than passing an empty string to Verify.

Types

type Authenticator

type Authenticator interface {
	Verify(ctx context.Context, token string) (Identity, error)
}

Authenticator is the seam for inbound auth. HMAC is the phase-1 implementation; RemoteVerifier is the phase-2 default.

type HMAC

type HMAC struct {
	// contains filtered or unexported fields
}

HMAC is the phase-1 Authenticator.

func NewHMAC

func NewHMAC(secret []byte) *HMAC

NewHMAC returns a phase-1 Authenticator. The secret must be non-empty for tokens to verify meaningfully: an empty secret will still mint and verify against itself, but HMAC-SHA256 under an empty key can be computed by anyone who knows the token format, so every token becomes forgeable. Treat an empty secret as a deployment misconfiguration and refuse to start.

func (*HMAC) Mint

func (a *HMAC) Mint(workspaceID, threadID string) string

Mint produces a token for `(workspaceID, threadID)`. Useful for tests and CLI tools; production callers receive tokens from agentserver.

func (*HMAC) Verify

func (a *HMAC) Verify(_ context.Context, token string) (Identity, error)

Verify parses and HMAC-verifies a token.

Token format: <workspace_id>.<thread_id>.<hex-hmac>

Verify expects exactly 3 dot-separated parts, so neither ID may itself contain a dot. The threadID portion (parts[1]) is covered by the HMAC but intentionally discarded from the returned Identity: Phase 2 carries user identity via the UserID field, which RemoteVerifier populates from agentserver's answer, not from anything in the token payload.
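The phase-1 scheme described in the Overview and by Mint/Verify above, as an added example that is not the package's own code: a minimal mint/verify pair for the `<workspace_id>.<thread_id>.<hex-hmac-sha256>` format. It follows the documented tag construction (HMAC-SHA256 over the two IDs joined by a NUL byte) and the strict three-part parse, and adds two checks the page does not say the package performs: it refuses an empty secret at construction time and rejects IDs containing `.` or NUL at mint time (so this Mint returns an error, unlike the package's). The names hmacAuth, newHMACAuth and the sample secret are this example's own. The tag comparison uses hmac.Equal so verification time does not depend on where a forged tag first differs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var errUnauthorized = errors.New("auth: unauthorized") // mirrors the package's ErrUnauthorized

// Identity mirrors the package's Identity; the HMAC path fills WorkspaceID only.
type Identity struct{ UserID, WorkspaceID string }

// hmacAuth is this example's stand-in for the package's HMAC type.
type hmacAuth struct{ secret []byte }

// newHMACAuth refuses an empty secret. HMAC-SHA256 keyed with "" is computable by
// anyone who knows the token format, so every token would be forgeable.
func newHMACAuth(secret []byte) (*hmacAuth, error) {
	if len(secret) == 0 {
		return nil, errors.New("auth: HMAC secret must not be empty")
	}
	return &hmacAuth{secret: secret}, nil
}

// tag is HMAC-SHA256 over "<workspace_id>\x00<thread_id>", exactly as documented.
func (a *hmacAuth) tag(workspaceID, threadID string) []byte {
	m := hmac.New(sha256.New, a.secret)
	m.Write([]byte(workspaceID))
	m.Write([]byte{0})
	m.Write([]byte(threadID))
	return m.Sum(nil)
}

// Mint returns "<workspace_id>.<thread_id>.<hex-hmac>". Unlike the package's Mint it
// errors on IDs that would break the dot-separated parse or the NUL-joined tag input.
func (a *hmacAuth) Mint(workspaceID, threadID string) (string, error) {
	for _, id := range []string{workspaceID, threadID} {
		if id == "" || strings.ContainsAny(id, ".\x00") {
			return "", fmt.Errorf("auth: id %q must be non-empty and contain no '.' or NUL", id)
		}
	}
	return workspaceID + "." + threadID + "." + hex.EncodeToString(a.tag(workspaceID, threadID)), nil
}

// Verify requires exactly three dot-separated parts, recomputes the tag over the first
// two and compares with hmac.Equal so timing does not depend on where the tags differ.
// Every failure collapses to errUnauthorized; the caller learns nothing about which check failed.
func (a *hmacAuth) Verify(token string) (Identity, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] == "" || parts[1] == "" {
		return Identity{}, errUnauthorized
	}
	got, err := hex.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, a.tag(parts[0], parts[1])) {
		return Identity{}, errUnauthorized
	}
	// parts[1] (thread ID) is authenticated but, as in the package, not returned.
	return Identity{WorkspaceID: parts[0]}, nil
}

func main() {
	a, err := newHMACAuth([]byte("deployment-shared-secret")) // constructed secret
	if err != nil {
		panic(err)
	}
	tok, _ := a.Mint("ws_1", "thr_9")
	fmt.Println("token:", tok)

	id, err := a.Verify(tok)
	fmt.Printf("valid token      -> %+v err=%v\n", id, err)

	// Point the same tag at another workspace: the recomputed tag no longer matches.
	_, err = a.Verify("ws_2" + tok[len("ws_1"):])
	fmt.Println("forged workspace ->", err)

	// A token minted under a rotated secret is rejected by the old verifier, and vice versa.
	other, _ := newHMACAuth([]byte("rotated-secret"))
	otherTok, _ := other.Mint("ws_1", "thr_9")
	_, err = a.Verify(otherTok)
	fmt.Println("rotated secret   ->", err)
}
```

The rotated-secret case is the whole revocation story for phase 1: there is no per-token state to revoke, so invalidating one leaked token means rotating the deployment-shared secret and invalidating all of them.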

type Identity

type Identity struct {
	UserID      string
	WorkspaceID string
}

Identity is what a verified token decodes to.

type RemoteVerifier added in v0.50.0

type RemoteVerifier struct {
	// contains filtered or unexported fields
}

RemoteVerifier delegates token verification to agentserver's internal API.

func NewRemoteVerifier added in v0.50.0

func NewRemoteVerifier(baseURL, bearer string) *RemoteVerifier

NewRemoteVerifier constructs a verifier targeting agentserver's internal HTTP API. baseURL is the http base (e.g. "http://release-agentserver.namespace.svc:8080"); bearer is the value of INTERNAL_API_SECRET used as the X-Internal-Secret header.

func (*RemoteVerifier) Verify added in v0.50.0

func (v *RemoteVerifier) Verify(ctx context.Context, token string) (Identity, error)

Verify implements Authenticator. It returns ErrUnauthorized when agentserver responds 401; transport failures and other non-200 statuses surface as distinct errors so the gateway can map them to 500 rather than 401.
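The phase-2 flow from the gateway's side, as an added example that is not the package's own code: a RemoteVerifier-style client that POSTs the caller's token to /api/internal/codex/tokens/verify with the X-Internal-Secret header, the ErrUnauthorized-versus-everything-else distinction, and the 401/500 mapping the ErrUnauthorized docs describe. The page does not document the request or response body of the internal endpoint, so the JSON shapes used here (`{"token": ...}` in, `{"user_id", "workspace_id"}` out), the fake agentserver, and the names remoteVerifier, newRemoteVerifier, statusFor and fakeAgentserver are this example's own assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

var errUnauthorized = errors.New("auth: unauthorized") // mirrors the package's ErrUnauthorized

type Identity struct{ UserID, WorkspaceID string } // mirrors the package's Identity

// remoteVerifier stands in for RemoteVerifier; the client timeout bounds how long a
// ws connect can hang on agentserver.
type remoteVerifier struct {
	baseURL, secret string
	client          *http.Client
}

func newRemoteVerifier(baseURL, secret string) *remoteVerifier {
	return &remoteVerifier{strings.TrimRight(baseURL, "/"), secret, &http.Client{Timeout: 5 * time.Second}}
}

// Verify POSTs the token to agentserver. Only the path, the method and the X-Internal-Secret
// header are documented; the JSON request and response bodies are this example's assumption.
func (v *remoteVerifier) Verify(ctx context.Context, token string) (Identity, error) {
	body, _ := json.Marshal(map[string]string{"token": token})
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		v.baseURL+"/api/internal/codex/tokens/verify", strings.NewReader(string(body)))
	if err != nil {
		return Identity{}, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-Internal-Secret", v.secret)
	resp, err := v.client.Do(req)
	if err != nil {
		return Identity{}, fmt.Errorf("auth: verify request: %w", err) // network failure, not 401
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusUnauthorized:
		return Identity{}, errUnauthorized // the only outcome handlers turn into HTTP 401
	case http.StatusOK:
		var out struct {
			UserID      string `json:"user_id"`
			WorkspaceID string `json:"workspace_id"`
		}
		if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.UserID == "" {
			return Identity{}, fmt.Errorf("auth: bad verify response: %v", err)
		}
		return Identity{out.UserID, out.WorkspaceID}, nil
	default: // 403 from a bad internal secret, 5xx, etc. must not be reported as a caller failure
		return Identity{}, fmt.Errorf("auth: agentserver returned %d", resp.StatusCode)
	}
}

// statusFor is the handler mapping the package documents: errUnauthorized -> 401, any other
// error -> 500 so the underlying reason (network, misconfiguration) is not leaked to the caller.
func statusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, errUnauthorized):
		return http.StatusUnauthorized
	}
	return http.StatusInternalServerError
}

// fakeAgentserver is a constructed stand-in for agentserver's internal verify endpoint.
func fakeAgentserver(secret string, valid map[string]Identity) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Token string `json:"token"` }
		_ = json.NewDecoder(r.Body).Decode(&in)
		id, ok := valid[in.Token]
		switch {
		case r.Method != http.MethodPost || r.URL.Path != "/api/internal/codex/tokens/verify":
			http.NotFound(w, r)
		case r.Header.Get("X-Internal-Secret") != secret:
			http.Error(w, "forbidden", http.StatusForbidden)
		case !ok: // unknown, expired or revoked token
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			_ = json.NewEncoder(w).Encode(map[string]string{"user_id": id.UserID, "workspace_id": id.WorkspaceID})
		}
	}))
}

func main() {
	as := fakeAgentserver("internal-secret", map[string]Identity{"tok-good": {"u_42", "ws_1"}})
	defer as.Close()
	v := newRemoteVerifier(as.URL, "internal-secret") // constructed token values below
	for _, tok := range []string{"tok-good", "tok-revoked"} {
		id, err := v.Verify(context.Background(), tok)
		fmt.Printf("%-12s -> %d %+v %v\n", tok, statusFor(err), id, err)
	}
	_, err := newRemoteVerifier(as.URL, "wrong-secret").Verify(context.Background(), "tok-good")
	fmt.Println("wrong X-Internal-Secret ->", statusFor(err), err)
}
```

The wrong-secret case is why the sentinel matters: a misconfigured INTERNAL_API_SECRET makes agentserver answer 403, and a gateway that turned every verifier error into 401 would tell every caller their token is bad while hiding an operator-side fault.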
