d2de49a591
Implements API key authentication for all rdev endpoints:
## Database (internal/db)
- Auto-migrating postgres connection
- Embedded SQL migrations via go:embed
- api_keys table with scopes, expiration, project restrictions
## Auth Package (internal/auth)
- Key generation: rdev_sk_<prefix>_<random> format
- Scopes: projects:read, projects:execute, keys:read, keys:write, admin
- SHA-256 key hashing (secrets never stored)
- Expiration options: 30d, 60d, 90d, 1y, never
- Middleware skips /health, /ready, /docs, /openapi.json
## Key Management API
- GET /keys - List keys (keys:read)
- POST /keys - Create key (keys:write)
- GET /keys/{id} - Get key details (keys:read)
- DELETE /keys/{id} - Revoke key (keys:write)
## Environment Variables
- DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_NAME
- RDEV_ADMIN_KEY - Super admin key for bootstrapping
Version bumped to 0.5.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
102 lines
2.5 KiB
Go
102 lines
2.5 KiB
Go
package auth
|
|
|
|
import "slices"
|
|
|
|
// Scope represents an API permission scope.
|
|
type Scope string
|
|
|
|
// Available scopes.
|
|
const (
|
|
ScopeProjectsRead Scope = "projects:read"
|
|
ScopeProjectsExecute Scope = "projects:execute"
|
|
ScopeKeysRead Scope = "keys:read"
|
|
ScopeKeysWrite Scope = "keys:write"
|
|
ScopeAdmin Scope = "admin"
|
|
)
|
|
|
|
// AllScopes is the list of all valid scopes.
|
|
var AllScopes = []Scope{
|
|
ScopeProjectsRead,
|
|
ScopeProjectsExecute,
|
|
ScopeKeysRead,
|
|
ScopeKeysWrite,
|
|
ScopeAdmin,
|
|
}
|
|
|
|
// ScopeDescriptions provides human-readable descriptions.
|
|
var ScopeDescriptions = map[Scope]string{
|
|
ScopeProjectsRead: "List and view project details",
|
|
ScopeProjectsExecute: "Execute commands (claude, shell, git) on projects",
|
|
ScopeKeysRead: "List API keys (metadata only, not secrets)",
|
|
ScopeKeysWrite: "Create and revoke API keys",
|
|
ScopeAdmin: "Full administrative access (includes all scopes)",
|
|
}
|
|
|
|
// IsValid checks if a scope is valid.
|
|
func (s Scope) IsValid() bool {
|
|
return slices.Contains(AllScopes, s)
|
|
}
|
|
|
|
// String returns the scope as a string.
|
|
func (s Scope) String() string {
|
|
return string(s)
|
|
}
|
|
|
|
// ScopesFromStrings converts string slice to Scope slice.
|
|
func ScopesFromStrings(ss []string) []Scope {
|
|
scopes := make([]Scope, len(ss))
|
|
for i, s := range ss {
|
|
scopes[i] = Scope(s)
|
|
}
|
|
return scopes
|
|
}
|
|
|
|
// ScopesToStrings converts Scope slice to string slice.
|
|
func ScopesToStrings(scopes []Scope) []string {
|
|
ss := make([]string, len(scopes))
|
|
for i, s := range scopes {
|
|
ss[i] = string(s)
|
|
}
|
|
return ss
|
|
}
|
|
|
|
// ValidateScopes checks if all scopes are valid.
|
|
func ValidateScopes(scopes []Scope) bool {
|
|
for _, s := range scopes {
|
|
if !s.IsValid() {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
// HasScope checks if a scope list contains a required scope.
|
|
// Admin scope grants access to everything.
|
|
func HasScope(scopes []Scope, required Scope) bool {
|
|
for _, s := range scopes {
|
|
if s == ScopeAdmin || s == required {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// HasAnyScope checks if a scope list contains any of the required scopes.
|
|
func HasAnyScope(scopes []Scope, required ...Scope) bool {
|
|
for _, r := range required {
|
|
if HasScope(scopes, r) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// HasProjectAccess checks if the key has access to a specific project.
|
|
// projectIDs nil means access to all projects.
|
|
func HasProjectAccess(allowedProjects []string, projectID string) bool {
|
|
if allowedProjects == nil {
|
|
return true // nil = all projects
|
|
}
|
|
return slices.Contains(allowedProjects, projectID)
|
|
}
|