einherjar/cache-valkey
2
0
Fork 0
Code Issues Pull Requests Packages Releases 1 Activity
Files
main
cache-valkey/blacklist.go

42 lines
1.4 KiB
Go
Raw Permalink Normal View History

feat(cache-valkey): initial implementation — Provider, adapters (v1.0.0) Introduces code.nochebuena.dev/einherjar/cache-valkey — the Valkey cache starter for the Einherjar framework. Absorbs the valkey package from micro-lib and adds three duck-typed adapters that wire directly into auth, web, and auth-jwt. Core: - Provider interface — Get, Set, Del, Exists, Expire, IncrWithTTL, Native() - Component interface — lifecycle.Component + observability.Checkable + Provider - Config struct (EINHERJAR_VALKEY_* env vars) - New(logger, cfg) Component — creates valkey-go client in OnInit; PING in OnStart; logs "valkey: connected" - IncrWithTTL implemented with Lua script (atomic INCR + conditional EXPIRE); race-free fixed-window semantics with no MULTI/EXEC overhead - Priority: LevelDegraded — Valkey outage degrades, does not halt the service Adapters (duck-typed — no import of auth, web, or auth-jwt): - PermissionCache — Get/Set int64 bitmasks as string; satisfies auth/rbac.Cache - RateLimiterStore — fixed-window via IncrWithTTL; satisfies web/mw.RateLimiterStore - Blacklist — Exists/Set "1" with TTL; satisfies auth-jwt.Blacklist Compliance test verifies CT-6, duck-type shape assignments, and full adapter behavioural coverage with a mockProvider (no live server required). - Component interface embeds observability.Identifiable; identifiable.go implements ModulePath and ModuleVersion via runtime/debug.ReadBuildInfo() — prints in launcher banner
2026-05-29 15:58:56 +00:00
package cachevalkey
import (
"context"
"time"
)
// blacklistShape mirrors auth-jwt.Blacklist for compile-time duck-type verification.
// Cache-valkey must not import auth-jwt (D-1), so the shape is defined locally.
type blacklistShape interface {
IsRevoked(ctx context.Context, jti string) (bool, error)
Revoke(ctx context.Context, jti string, ttl time.Duration) error
}
var _ blacklistShape = (*Blacklist)(nil)
// Blacklist is a Valkey-backed JWT refresh token revocation list.
// Satisfies auth-jwt.Blacklist via duck typing — no import of that package required.
//
// JTIs are stored as keys with their remaining TTL; the entry expires naturally
// when the token would have expired. Keys are stored as-is (JTIs are UUIDs and
// do not collide with permission cache keys).
type Blacklist struct {
provider Provider
}
// NewBlacklist returns a Blacklist backed by p.
func NewBlacklist(p Provider) *Blacklist {
return &Blacklist{provider: p}
}
// IsRevoked reports whether the refresh token identified by jti has been revoked.
func (b *Blacklist) IsRevoked(ctx context.Context, jti string) (bool, error) {
return b.provider.Exists(ctx, jti)
}
// Revoke marks jti as revoked for the given TTL.
// TTL should match the token's remaining lifetime so the entry expires naturally.
func (b *Blacklist) Revoke(ctx context.Context, jti string, ttl time.Duration) error {
return b.provider.Set(ctx, jti, "1", ttl)
}
Reference in New Issue Copy Permalink