ref(auth/csvauth): create and adhere to Principle interface for verified credential

2026-03-02 23:57:59 +00:00 · 2026-02-26 16:44:30 -07:00 · 2026-02-26 16:44:30 -07:00 · d756f205b0
commit d756f205b0
parent 737f3b0057
2 changed files with 20 additions and 1 deletions
--- a/auth/csvauth/credential.go
+++ b/auth/csvauth/credential.go
@ -14,6 +14,11 @@ type BasicAuthVerifier interface {
 	Verify(string, string) error
 }

+type Principle interface {
+	ID() string
+	Permissions() []string
+}
+
 const (
 	// deprecated, misspelling of PurposeDefault
 	DefaultPurpose = "login"
@ -52,6 +57,17 @@ type Credential struct {
 	hashID  string
 }

+func (c *Credential) ID() string {
+	if c.Purpose == PurposeToken {
+		return c.Name + hashIDSep + c.hashID
+	}
+	return c.Name
+}
+
+func (c *Credential) Permissions() []string {
+	return c.Roles
+}
+
 func (c Credential) Secret() string {
 	return string(c.plain)
 }
@ -215,3 +231,6 @@ func (c Credential) ToRecord() []string {
 	record := []string{purpose, name, paramList, salt, derived, strings.Join(c.Roles, " "), c.Extra}
 	return record
 }
+
+var _ BasicAuthVerifier = (*Credential)(nil)
+var _ Principle = (*Credential)(nil)
--- a/auth/csvauth/csvauth.go
+++ b/auth/csvauth/csvauth.go
@ -368,7 +368,7 @@ func (a *Auth) gcmDecrypt(aes128key [16]byte, gcmNonce [12]byte, derived []byte)
 //     (because 'pass' is swapped with 'user' when 'pass' is empty)
 //   - the resulting 'user' must match BasicAuthTokenNames ("", "api", and "apikey" are the defaults)
 //   - then the token is (timing-safe) hashed to check if it exists, and then verified by its algorithm
-func (a *Auth) Authenticate(name, secret string) (*Credential, error) {
+func (a *Auth) Authenticate(name, secret string) (Principle, error) {
 	if name == "" && secret == "" {
 		return nil, ErrUnauthorized
 	}