feat(auth-jwt): initial implementation — JWT lifecycle and AuthMiddleware (v1.0.0)
Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error for consistent 401 responses, and added ECDSA support. Signers and Verifiers (one file per implementation — CT-6 compliant): - Verifier interface — Verify(tokenString string) (*jwt.Token, error) - Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error) - signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify - signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256 - verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only - signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512) - verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only Token lifecycle: - TokenConfig struct — AccessTTL, RefreshTTL, Issuer - TokenPair struct — AccessToken, RefreshToken, ExpiresIn - IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks - Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing - ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection - RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair HTTP middleware: - AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level); publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce narrowest-interface principle for verify-only services Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify, algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/ revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData. Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth-jwt is a function library; not registered with the launcher
This commit is contained in:
1
.gitea/CODEOWNERS
Normal file
1
.gitea/CODEOWNERS
Normal file
@@ -0,0 +1 @@
|
||||
* @einherjar/CoreDevelopers @einherjar/Agents
|
||||
70
.gitea/pull_request_template.md
Normal file
70
.gitea/pull_request_template.md
Normal file
@@ -0,0 +1,70 @@
|
||||
## Summary
|
||||
|
||||
<!-- One or two sentences: what does this PR do and why? -->
|
||||
|
||||
---
|
||||
|
||||
## Type of change
|
||||
|
||||
- [ ] Bug fix — non-breaking change that resolves an issue
|
||||
- [ ] New feature — non-breaking addition of functionality
|
||||
- [ ] Breaking change — alters existing behavior or public API
|
||||
- [ ] Documentation update
|
||||
- [ ] Refactor — no functional change, no new API surface
|
||||
- [ ] Test improvement
|
||||
|
||||
---
|
||||
|
||||
## Description
|
||||
|
||||
<!--
|
||||
Provide enough context for a reviewer who was not in the room:
|
||||
- What problem does this solve?
|
||||
- What approach did you choose, and why?
|
||||
- Were there alternatives you considered and rejected?
|
||||
- Any known limitations or follow-up work?
|
||||
-->
|
||||
|
||||
---
|
||||
|
||||
## Testing
|
||||
|
||||
- [ ] I added or updated tests that cover my changes
|
||||
- [ ] All tests pass locally — `go test ./...`
|
||||
- [ ] No formatting issues — `gofmt -l .` produces no output
|
||||
- [ ] No vet warnings — `go vet ./...` is clean
|
||||
|
||||
---
|
||||
|
||||
## Checklist
|
||||
|
||||
- [ ] At most one exported type per non-test `.go` file (CT-6)
|
||||
- [ ] No new external dependencies added without prior discussion in an issue
|
||||
- [ ] Public API changes are reflected in `CHANGELOG.md`
|
||||
- [ ] Breaking changes include a migration note in the PR description above
|
||||
|
||||
---
|
||||
|
||||
## Contributor License Agreement
|
||||
|
||||
> **This PR will not be merged until the CLA comment is present.**
|
||||
|
||||
Before a Maintainer reviews your code, you must post the following text **as a comment on this PR** — not here in the description. PR description checkboxes can be silently toggled by anyone; a comment is a timestamped, author-attributed record that cannot be quietly removed.
|
||||
|
||||
**Copy and post this exact text as a PR comment:**
|
||||
|
||||
---
|
||||
|
||||
> I have read the Einherjar Contributor License Agreement (CLA.md) and I agree to all its terms.
|
||||
> I confirm this Contribution is my original work. I grant the Maintainers the rights described
|
||||
> therein, including the right to relicense, and I retain ownership of my copyright.
|
||||
> This agreement covers all future Contributions I submit to any Einherjar repository under
|
||||
> this account.
|
||||
|
||||
---
|
||||
|
||||
First time contributing? Read [CLA.md](../CLA.md) for the full agreement before posting the comment.
|
||||
|
||||
If you are contributing on behalf of a company, an authorized representative of that company must post the comment.
|
||||
|
||||
<!-- Thank you for contributing to Einherjar. For those who come after. -->
|
||||
Reference in New Issue
Block a user