pptx704
c92cc29b88
Implement email/password auth with JWT sessions and API key auth for sandbox lifecycle. Users get a default team on signup; sandboxes, snapshots, and API keys are scoped to teams. - Add user, team, users_teams, and team_api_keys tables (goose migrations) - Add JWT middleware (Bearer token) for user management endpoints - Add API key middleware (X-API-Key header, SHA-256 hashed) for sandbox ops - Add signup/login handlers with transactional user+team creation - Add API key CRUD endpoints (create/list/delete) - Replace owner_id with team_id on sandboxes and templates - Update all handlers to use team-scoped queries - Add godotenv for .env file loading - Update OpenAPI spec and test UI with auth flows
36 lines
1002 B
Go
36 lines
1002 B
Go
package auth
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"fmt"
|
|
)
|
|
|
|
// GenerateAPIKey returns a plaintext key in the form "wrn_" + 32 random hex chars
|
|
// and its SHA-256 hash. The caller must show the plaintext to the user exactly once;
|
|
// only the hash is stored.
|
|
func GenerateAPIKey() (plaintext, hash string, err error) {
|
|
b := make([]byte, 16) // 16 bytes → 32 hex chars
|
|
if _, err = rand.Read(b); err != nil {
|
|
return "", "", fmt.Errorf("generate api key: %w", err)
|
|
}
|
|
plaintext = "wrn_" + hex.EncodeToString(b)
|
|
hash = HashAPIKey(plaintext)
|
|
return plaintext, hash, nil
|
|
}
|
|
|
|
// HashAPIKey returns the hex-encoded SHA-256 hash of a plaintext API key.
|
|
func HashAPIKey(plaintext string) string {
|
|
sum := sha256.Sum256([]byte(plaintext))
|
|
return hex.EncodeToString(sum[:])
|
|
}
|
|
|
|
// APIKeyPrefix returns the displayable prefix of an API key (e.g. "wrn_ab12...").
|
|
func APIKeyPrefix(plaintext string) string {
|
|
if len(plaintext) > 12 {
|
|
return plaintext[:12] + "..."
|
|
}
|
|
return plaintext
|
|
}
|