Feature/jwt auth cutover #126
Merged
Replace X-API-Key/X-API-Session with Authorization: Bearer JWT access tokens plus opaque refresh tokens. /auth and /signup return a token pair; add /auth/refresh and /auth/logout. Identity comes from JWT claims in all handlers; ogen errors render in the ErrorResponse shape.
Drop X-API-Key/X-API-Session; the API layer holds the access token and attaches Authorization: Bearer to every protected request. Auth/signup store the token pair; add refresh/logout helpers and drop the demo key.
On a 401 the API layer transparently exchanges the refresh token for a new pair and replays the request once; if refresh fails it clears tokens and routes back to login via onAuthExpired.
Cover token rotation, replay rejection of a rotated token, unknown-token 401, and that logout revokes the refresh token.
Add a 403 response to move/skip/propose/accept/reject in the spec, a service.ErrNotParticipant sentinel, and map it to the generated Forbidden response in handlers (previously a non-participant got 500).
Migration 005 drops users.api_key, now dead after the JWT cutover. Remove ValidateAPIKey and the APIKey fields/queries from the storage and service layers.
Document the access/refresh token flow, /auth/refresh and /auth/logout, the Bearer header, refresh_tokens table and role column; drop api_key and the x_api_token flag in both README.md and README.ru.md.
Add an implementation-status section, mark done vs pending (rate limiting, jti blacklist, admin RBAC), and correct deviations: kept /session/ping, api_key dropped in migration 005, HMAC-hashed refresh tokens, ownership 403 via service.ErrNotParticipant, custom ogen ErrorHandler.
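Added example (not the PR's code) in Go of the refresh-token mechanics the commits above describe: HMAC-hashed opaque refresh tokens, single-use rotation so a rotated token is rejected on replay, an unknown-token error for the 401 path, and logout revoking the token. `RefreshStore`, `TokenPair`, `ErrUnknownToken`, the in-memory map standing in for the refresh_tokens table, and the placeholder access string in place of a signed JWT are all assumptions, not the project's API.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// ErrUnknownToken is the 401 case the API layer reacts to on /auth/refresh.
var ErrUnknownToken = errors.New("unknown, rotated or revoked refresh token")
type TokenPair struct{ Access, Refresh string } // Access stands in for the JWT

// RefreshStore keeps only HMAC-SHA256 digests of the opaque refresh tokens (assumed in-memory stand-in for refresh_tokens).
type RefreshStore struct {
	secret []byte            // server-side HMAC key, never sent to clients
	active map[string]string // token digest -> user id
}

func (s *RefreshStore) digest(token string) string {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(token))
	return hex.EncodeToString(m.Sum(nil))
}

// Issue (/auth, /signup): mint a 256-bit random opaque token and store only its digest.
func (s *RefreshStore) Issue(userID string) TokenPair {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // no entropy: fail closed rather than hand out a weak token
	}
	refresh := hex.EncodeToString(raw)
	s.active[s.digest(refresh)] = userID
	return TokenPair{Access: "access-jwt-for-" + userID, Refresh: refresh}
}

// Rotate (/auth/refresh): consume the presented token and issue a new pair; replaying the old token is then rejected.
func (s *RefreshStore) Rotate(refresh string) (TokenPair, error) {
	d := s.digest(refresh)
	userID, ok := s.active[d]
	if !ok {
		return TokenPair{}, ErrUnknownToken
	}
	delete(s.active, d)
	return s.Issue(userID), nil
}

// Logout (/auth/logout): revoke the refresh token; a no-op for unknown tokens.
func (s *RefreshStore) Logout(refresh string) { delete(s.active, s.digest(refresh)) }
```

A leaked copy of `active` is useless without `secret`, which is the point of storing digests rather than the tokens themselves.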