feat(auth): enhance security with token hashing and sync integration

- Add token hash fields to Master and Key models for indexed lookups - Implement SyncService integration in admin and master handlers - Update master key validation with backward-compatible digest lookup - Hash child keys in database and store token digests for Redis sync - Add master metadata sync to Redis for balancer validation - Ensure backward compatibility with legacy rows during migration
2026-01-13 17:47:51 +00:00 · 2025-12-05 00:17:22 +08:00
parent 8645b22b83
commit 25e5e105b3
7 changed files with 123 additions and 41 deletions
--- a/internal/service/token.go
+++ b/internal/service/token.go
@@ -49,11 +49,18 @@ func (s *TokenService) ValidateToken(ctx context.Context, token string) (*TokenI

 	// 2. Get master metadata from Redis
 	masterKey := fmt.Sprintf("auth:master:%d", masterID)
-	masterEpochStr, err := s.rdb.HGet(ctx, masterKey, "epoch").Result()
+	masterData, err := s.rdb.HGetAll(ctx, masterKey).Result()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get master epoch: %w", err)
+		return nil, fmt.Errorf("failed to get master metadata: %w", err)
 	}
-	masterEpoch, _ := strconv.ParseInt(masterEpochStr, 10, 64)
+	if len(masterData) == 0 {
+		return nil, errors.New("master metadata not found")
+	}
+	masterStatus := masterData["status"]
+	if masterStatus != "" && masterStatus != "active" {
+		return nil, errors.New("master is not active")
+	}
+	masterEpoch, _ := strconv.ParseInt(masterData["epoch"], 10, 64)

 	// 3. Core Epoch Validation
 	if issuedAtEpoch < masterEpoch {