doc(auth/csvauth): update examples

auth/csvauth/README.md

@@ -8,7 +8,7 @@ Simple, non-scalable credentials stored in a tab-separated file. \
 1. Login Credentials
    - Save recoverable (aes or plain) or salted hashed passwords (pbkdf2 or bcrypt)
    - Great in http middleware, authorizing login or api requests
-    - Stored by _username_
+   - Stored by _username_ (or _token_ hash)
 2. Service Accounts
    - Store API keys for services like SMTP and S3
    - Great for contacting other services
@@ -22,6 +22,11 @@ Can be adapted to pull from a Google Sheets URL (CSV format).
 # create login credentials
 csvauth store 'bot@example.com'
 
+# create login token
+csvauth store --token 'bot@example.com'
+```
+
+```sh
 # store service account
 csvauth store --purpose 'postmark_smtp_notifier' 'admin@example.com'
 ```
@@ -44,7 +49,8 @@ auth, err := csvauth.Load(f)
 
 // ...
 
-if err := auth.Verify(username, password); err != nil {
+credential, err := auth.Authenticate(usernameOrEmpty, passwordOrToken)
+if  err != nil {
    return err
 }
 
@@ -54,7 +60,7 @@ account := auth.LoadServiceAccount("account-mailer")
 req.SetBasicAuth(account.Name, account.Secret())
 ```
 
-## Login Credentials
+## Login Credentials: Basic Auth & Bearer Token
 
 1. Use `csvauth store [options] <username>` to create new login credentials.
 
@@ -65,14 +71,17 @@ req.SetBasicAuth(account.Name, account.Secret())
    ```sh
    go run ./cmd/csvauth/ store 'john.doe@example.com'
 
+   # choose your own algorithm
    go run ./cmd/csvauth/ store --algorithm aes-128-gcm 'johndoe'
    go run ./cmd/csvauth/ store --algorithm plain 'johndoe'
    go run ./cmd/csvauth/ store --algorithm 'pbkdf2 1000 16 SHA-256' 'johndoe'
    go run ./cmd/csvauth/ store --algorithm 'bcrypt 12' 'john.doe@example.com'
 
+   # choose your own password
    go run ./cmd/csvauth/ store --ask-password 'john.doe@example.com'
    go run ./cmd/csvauth/ store --password-file ./password.txt  'johndoe'
 
+   # add extra credential data
    go run ./cmd/csvauth/ store --roles 'admin' --extra '{"foo":"bar"}' 'jimbob'
    ```
 
@@ -98,14 +107,30 @@ req.SetBasicAuth(account.Name, account.Secret())
       // ...
    }
 
+   // Example of checking for checking username (or token signifier) and password
+   // (or token) in just about every common way
    func handleRequest(w http.ResponseWriter, r *http.Request) {
-       username, password, ok := r.BasicAuth()
+      name, secret, ok := r.BasicAuth()
-       if !ok || !auth.Verify(username, password) {
+      if !ok {
+         secret, ok = strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
+         if !ok {
+            secret = r.Header.Get("X-API-Key")
+            if secret == "" {
+               secret = r.URL.Query().Get("access_token")
+               if secret == "" {
+                  http.Error(w, "Unauthorized", http.StatusUnauthorized)
+                  return
+               }
+            }
+         }
+      }
+
+      credential, err := auth.Authenticate(name, secret);
+      if  err != nil {
          http.Error(w, "Unauthorized", http.StatusUnauthorized)
          return
       }
 
-       credential, err := auth.LoadCredential(username)
       // ...
    }
    ```