feat(auth): enhance security with token hashing and sync integration

- Add token hash fields to Master and Key models for indexed lookups - Implement SyncService integration in admin and master handlers - Update master key validation with backward-compatible digest lookup - Hash child keys in database and store token digests for Redis sync - Add master metadata sync to Redis for balancer validation - Ensure backward compatibility with legacy rows during migration
2026-01-13 17:47:51 +00:00 · 2025-12-05 00:17:22 +08:00
parent 8645b22b83
commit 25e5e105b3
7 changed files with 123 additions and 41 deletions
--- a/internal/model/models.go
+++ b/internal/model/models.go
@@ -9,24 +9,26 @@ import (
 // Master represents a tenant account.
 type Master struct {
 	gorm.Model
-	Name         string `gorm:"size:255" json:"name"`
-	MasterKey    string `gorm:"size:255;uniqueIndex" json:"-"` // Hashed master key
-	Group        string `gorm:"size:100;default:'default'" json:"group"`
-	Epoch        int64  `gorm:"default:1" json:"epoch"`
-	Status       string `gorm:"size:50;default:'active'" json:"status"` // active, suspended
-	MaxChildKeys int    `gorm:"default:5" json:"max_child_keys"`
-	GlobalQPS    int    `gorm:"default:3" json:"global_qps"`
+	Name            string `gorm:"size:255" json:"name"`
+	MasterKey       string `gorm:"size:255" json:"-"`                       // bcrypt hash of master key
+	MasterKeyDigest string `gorm:"size:64;uniqueIndex" json:"-"`            // sha256 digest for lookup
+	Group           string `gorm:"size:100;default:'default'" json:"group"` // routing group
+	Epoch           int64  `gorm:"default:1" json:"epoch"`                  // used for revocation/rotation
+	Status          string `gorm:"size:50;default:'active'" json:"status"`  // active, suspended
+	MaxChildKeys    int    `gorm:"default:5" json:"max_child_keys"`
+	GlobalQPS       int    `gorm:"default:3" json:"global_qps"`
 }

 // Key represents a child access token issued by a Master.
 type Key struct {
 	gorm.Model
 	MasterID      uint   `gorm:"not null;index" json:"master_id"`
-	KeySecret     string `gorm:"size:255;uniqueIndex" json:"key_secret"`
-	Group         string `gorm:"size:100;default:'default'" json:"group"`
-	Scopes        string `gorm:"size:1024" json:"scopes"` // Comma-separated scopes
-	IssuedAtEpoch int64  `gorm:"not null" json:"issued_at_epoch"`
-	Status        string `gorm:"size:50;default:'active'" json:"status"` // active, suspended
+	KeySecret     string `gorm:"size:255;column:key_secret" json:"-"`     // bcrypt hash of child key
+	TokenHash     string `gorm:"size:64;uniqueIndex" json:"token_hash"`   // sha256 digest of child key
+	Group         string `gorm:"size:100;default:'default'" json:"group"` // routing group
+	Scopes        string `gorm:"size:1024" json:"scopes"`                 // Comma-separated scopes
+	IssuedAtEpoch int64  `gorm:"not null" json:"issued_at_epoch"`         // copy of master epoch at issuance
+	Status        string `gorm:"size:50;default:'active'" json:"status"`  // active, suspended
 }

 // Provider remains the same.