feat(cache-valkey): initial implementation — Provider, adapters (v1.0.0)
Introduces code.nochebuena.dev/einherjar/cache-valkey — the Valkey cache starter for the Einherjar framework. Absorbs the valkey package from micro-lib and adds three duck-typed adapters that wire directly into auth, web, and auth-jwt. Core: - Provider interface — Get, Set, Del, Exists, Expire, IncrWithTTL, Native() - Component interface — lifecycle.Component + observability.Checkable + Provider - Config struct (EINHERJAR_VALKEY_* env vars) - New(logger, cfg) Component — creates valkey-go client in OnInit; PING in OnStart; logs "valkey: connected" - IncrWithTTL implemented with Lua script (atomic INCR + conditional EXPIRE); race-free fixed-window semantics with no MULTI/EXEC overhead - Priority: LevelDegraded — Valkey outage degrades, does not halt the service Adapters (duck-typed — no import of auth, web, or auth-jwt): - PermissionCache — Get/Set int64 bitmasks as string; satisfies auth/rbac.Cache - RateLimiterStore — fixed-window via IncrWithTTL; satisfies web/mw.RateLimiterStore - Blacklist — Exists/Set "1" with TTL; satisfies auth-jwt.Blacklist Compliance test verifies CT-6, duck-type shape assignments, and full adapter behavioural coverage with a mockProvider (no live server required). - Component interface embeds observability.Identifiable; identifiable.go implements ModulePath and ModuleVersion via runtime/debug.ReadBuildInfo() — prints in launcher banner
This commit is contained in:
41
blacklist.go
Normal file
41
blacklist.go
Normal file
@@ -0,0 +1,41 @@
|
||||
package cachevalkey
|
||||
|
||||
import (
|
||||
"context"
|
||||
"time"
|
||||
)
|
||||
|
||||
// blacklistShape mirrors auth-jwt.Blacklist for compile-time duck-type verification.
|
||||
// Cache-valkey must not import auth-jwt (D-1), so the shape is defined locally.
|
||||
type blacklistShape interface {
|
||||
IsRevoked(ctx context.Context, jti string) (bool, error)
|
||||
Revoke(ctx context.Context, jti string, ttl time.Duration) error
|
||||
}
|
||||
|
||||
var _ blacklistShape = (*Blacklist)(nil)
|
||||
|
||||
// Blacklist is a Valkey-backed JWT refresh token revocation list.
|
||||
// Satisfies auth-jwt.Blacklist via duck typing — no import of that package required.
|
||||
//
|
||||
// JTIs are stored as keys with their remaining TTL; the entry expires naturally
|
||||
// when the token would have expired. Keys are stored as-is (JTIs are UUIDs and
|
||||
// do not collide with permission cache keys).
|
||||
type Blacklist struct {
|
||||
provider Provider
|
||||
}
|
||||
|
||||
// NewBlacklist returns a Blacklist backed by p.
|
||||
func NewBlacklist(p Provider) *Blacklist {
|
||||
return &Blacklist{provider: p}
|
||||
}
|
||||
|
||||
// IsRevoked reports whether the refresh token identified by jti has been revoked.
|
||||
func (b *Blacklist) IsRevoked(ctx context.Context, jti string) (bool, error) {
|
||||
return b.provider.Exists(ctx, jti)
|
||||
}
|
||||
|
||||
// Revoke marks jti as revoked for the given TTL.
|
||||
// TTL should match the token's remaining lifetime so the entry expires naturally.
|
||||
func (b *Blacklist) Revoke(ctx context.Context, jti string, ttl time.Duration) error {
|
||||
return b.provider.Set(ctx, jti, "1", ttl)
|
||||
}
|
||||
Reference in New Issue
Block a user