Rene Nochebuena
df7aa63e5c
Introduces code.nochebuena.dev/einherjar/cache-valkey — the Valkey cache starter for the Einherjar framework. Absorbs the valkey package from micro-lib and adds three duck-typed adapters that wire directly into auth, web, and auth-jwt. Core: - Provider interface — Get, Set, Del, Exists, Expire, IncrWithTTL, Native() - Component interface — lifecycle.Component + observability.Checkable + Provider - Config struct (EINHERJAR_VALKEY_* env vars) - New(logger, cfg) Component — creates valkey-go client in OnInit; PING in OnStart; logs "valkey: connected" - IncrWithTTL implemented with Lua script (atomic INCR + conditional EXPIRE); race-free fixed-window semantics with no MULTI/EXEC overhead - Priority: LevelDegraded — Valkey outage degrades, does not halt the service Adapters (duck-typed — no import of auth, web, or auth-jwt): - PermissionCache — Get/Set int64 bitmasks as string; satisfies auth/rbac.Cache - RateLimiterStore — fixed-window via IncrWithTTL; satisfies web/mw.RateLimiterStore - Blacklist — Exists/Set "1" with TTL; satisfies auth-jwt.Blacklist Compliance test verifies CT-6, duck-type shape assignments, and full adapter behavioural coverage with a mockProvider (no live server required). - Component interface embeds observability.Identifiable; identifiable.go implements ModulePath and ModuleVersion via runtime/debug.ReadBuildInfo() — prints in launcher banner
42 lines
1.4 KiB
Go
42 lines
1.4 KiB
Go
package cachevalkey
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
)
|
|
|
|
// blacklistShape mirrors auth-jwt.Blacklist for compile-time duck-type verification.
|
|
// Cache-valkey must not import auth-jwt (D-1), so the shape is defined locally.
|
|
type blacklistShape interface {
|
|
IsRevoked(ctx context.Context, jti string) (bool, error)
|
|
Revoke(ctx context.Context, jti string, ttl time.Duration) error
|
|
}
|
|
|
|
var _ blacklistShape = (*Blacklist)(nil)
|
|
|
|
// Blacklist is a Valkey-backed JWT refresh token revocation list.
|
|
// Satisfies auth-jwt.Blacklist via duck typing — no import of that package required.
|
|
//
|
|
// JTIs are stored as keys with their remaining TTL; the entry expires naturally
|
|
// when the token would have expired. Keys are stored as-is (JTIs are UUIDs and
|
|
// do not collide with permission cache keys).
|
|
type Blacklist struct {
|
|
provider Provider
|
|
}
|
|
|
|
// NewBlacklist returns a Blacklist backed by p.
|
|
func NewBlacklist(p Provider) *Blacklist {
|
|
return &Blacklist{provider: p}
|
|
}
|
|
|
|
// IsRevoked reports whether the refresh token identified by jti has been revoked.
|
|
func (b *Blacklist) IsRevoked(ctx context.Context, jti string) (bool, error) {
|
|
return b.provider.Exists(ctx, jti)
|
|
}
|
|
|
|
// Revoke marks jti as revoked for the given TTL.
|
|
// TTL should match the token's remaining lifetime so the entry expires naturally.
|
|
func (b *Blacklist) Revoke(ctx context.Context, jti string, ttl time.Duration) error {
|
|
return b.provider.Set(ctx, jti, "1", ttl)
|
|
}
|