From d756f205b04f10f8d5dcfade12a86ea33c736409 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Thu, 26 Feb 2026 16:44:30 -0700
Subject: [PATCH] ref(auth/csvauth): create and adhere to Principle interface for verified credential

---
 auth/csvauth/credential.go | 19 +++++++++++++++++++
 auth/csvauth/csvauth.go | 2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/auth/csvauth/credential.go b/auth/csvauth/credential.go
index d30cd29..e96281b 100644
--- a/auth/csvauth/credential.go
+++ b/auth/csvauth/credential.go
@@ -14,6 +14,11 @@ type BasicAuthVerifier interface {
 Verify(string, string) error
 }

+type Principle interface {
+ ID() string
+ Permissions() []string
+}
+
 const (
 // deprecated, misspelling of PurposeDefault
 DefaultPurpose = "login"
@@ -52,6 +57,17 @@ type Credential struct {
 hashID string
 }

+func (c *Credential) ID() string {
+ if c.Purpose == PurposeToken {
+ return c.Name + hashIDSep + c.hashID
+ }
+ return c.Name
+}
+
+func (c *Credential) Permissions() []string {
+ return c.Roles
+}
+
 func (c Credential) Secret() string {
 return string(c.plain)
 }
@@ -215,3 +231,6 @@ func (c Credential) ToRecord() []string {
 record := []string{purpose, name, paramList, salt, derived, strings.Join(c.Roles, " "), c.Extra}
 return record
 }
+
+var _ BasicAuthVerifier = (*Credential)(nil)
+var _ Principle = (*Credential)(nil)
diff --git a/auth/csvauth/csvauth.go b/auth/csvauth/csvauth.go
index d42584e..fe7ccb4 100644
--- a/auth/csvauth/csvauth.go
+++ b/auth/csvauth/csvauth.go
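Review bot: The exported interface added in the first credential.go hunk is spelled `Principle`, while the security term for an authenticated identity is "principal". Once exported, the name becomes part of the package API, and this file already keeps a deprecated `DefaultPurpose` name around because of an earlier misspelling. Consider `type Principal interface {` now, updating the assertion at the end of the file and the return type in csvauth.go to match. The type also has no doc comment; something like `// Principal is the verified identity returned by Authenticate.` would help.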
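Review bot: `Permissions()` in the second credential.go hunk returns `c.Roles` itself, so any caller holding the Principle can change the role list of the underlying Credential through the returned slice. If Auth retains the Credential it hands out (not visible in this patch), such a write would alter authorization data seen by later requests. Returning a copy avoids that: `return append([]string(nil), c.Roles...)`. Both new methods also lack doc comments, and `ID` should state that for `PurposeToken` credentials it returns `Name + hashIDSep + hashID`, since that value is likely to end up in logs.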
@@ -368,7 +368,7 @@ func (a *Auth) gcmDecrypt(aes128key [16]byte, gcmNonce [12]byte, derived []byte)
 // (because 'pass' is swapped with 'user' when 'pass' is empty)
 // - the resulting 'user' must match BasicAuthTokenNames ("", "api", and "apikey" are the defaults)
 // - then the token is (timing-safe) hashed to check if it exists, and then verified by its algorithm
-func (a *Auth) Authenticate(name, secret string) (*Credential, error) {
+func (a *Auth) Authenticate(name, secret string) (Principle, error) {
 if name == "" && secret == "" {
 return nil, ErrUnauthorized
 }
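Review bot: Returning the `Principle` interface from `Authenticate` makes the typed-nil case matter. If any failure path in the body, which continues outside this hunk, returns a nil `*Credential` variable rather than the literal `nil`, the caller receives a non-nil Principle together with the error. The visible `return nil, ErrUnauthorized` is fine, but the remaining returns should be checked the same way. The doc comment above should state the contract, for example `// On failure the returned Principle is nil and err is non-nil; callers must decide on err alone.` Callers that used `*Credential` fields or `Secret()` will also need a type assertion after this change.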