feat(auth): enhance security with token hashing and sync integration

- Add token hash fields to Master and Key models for indexed lookups - Implement SyncService integration in admin and master handlers - Update master key validation with backward-compatible digest lookup - Hash child keys in database and store token digests for Redis sync - Add master metadata sync to Redis for balancer validation - Ensure backward compatibility with legacy rows during migration
2026-01-13 17:47:51 +00:00 · 2025-12-05 00:17:22 +08:00
parent 8645b22b83
commit 25e5e105b3
7 changed files with 123 additions and 41 deletions
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -77,8 +77,8 @@ func main() {
 	healthService := service.NewHealthCheckService(db, rdb)
 	handler := api.NewHandler(db, syncService, logWriter)
-	adminHandler := api.NewAdminHandler(masterService)
+	adminHandler := api.NewAdminHandler(masterService, syncService)
-	masterHandler := api.NewMasterHandler(masterService)
+	masterHandler := api.NewMasterHandler(masterService, syncService)
 	// 4.1 Prime Redis snapshots so DP can start with data
 	if err := syncService.SyncAll(db); err != nil {
--- a/internal/api/admin_handler.go
+++ b/internal/api/admin_handler.go
@@ -9,10 +9,11 @@ import (
 type AdminHandler struct {
 	masterService *service.MasterService
 	syncService   *service.SyncService
 }
-func NewAdminHandler(masterService *service.MasterService) *AdminHandler {
+func NewAdminHandler(masterService *service.MasterService, syncService *service.SyncService) *AdminHandler {
-	return &AdminHandler{masterService: masterService}
+	return &AdminHandler{masterService: masterService, syncService: syncService}
 }
 type CreateMasterRequest struct {
@@ -43,6 +44,11 @@ func (h *AdminHandler) CreateMaster(c *gin.Context) {
 		return
 	}
 	if err := h.syncService.SyncMaster(master); err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to sync master key", "details": err.Error()})
 		return
 	}
 	c.JSON(http.StatusCreated, gin.H{
 		"id":             master.ID,
 		"name":           master.Name,
--- a/internal/api/master_handler.go
+++ b/internal/api/master_handler.go
@@ -11,10 +11,11 @@ import (
 type MasterHandler struct {
 	masterService *service.MasterService
 	syncService   *service.SyncService
 }
-func NewMasterHandler(masterService *service.MasterService) *MasterHandler {
+func NewMasterHandler(masterService *service.MasterService, syncService *service.SyncService) *MasterHandler {
-	return &MasterHandler{masterService: masterService}
+	return &MasterHandler{masterService: masterService, syncService: syncService}
 }
 type IssueChildKeyRequest struct {
@@ -55,6 +56,11 @@ func (h *MasterHandler) IssueChildKey(c *gin.Context) {
 		return
 	}
 	if err := h.syncService.SyncKey(key); err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to sync child key", "details": err.Error()})
 		return
 	}
 	c.JSON(http.StatusCreated, gin.H{
 		"id":         key.ID,
 		"key_secret": rawChildKey,
--- a/internal/model/models.go
+++ b/internal/model/models.go
@@ -9,24 +9,26 @@ import (
 // Master represents a tenant account.
 type Master struct {
 	gorm.Model
-	Name         string `gorm:"size:255" json:"name"`
+	Name            string `gorm:"size:255" json:"name"`
-	MasterKey    string `gorm:"size:255;uniqueIndex" json:"-"` // Hashed master key
+	MasterKey       string `gorm:"size:255" json:"-"`                       // bcrypt hash of master key
-	Group        string `gorm:"size:100;default:'default'" json:"group"`
+	MasterKeyDigest string `gorm:"size:64;uniqueIndex" json:"-"`            // sha256 digest for lookup
-	Epoch        int64  `gorm:"default:1" json:"epoch"`
+	Group           string `gorm:"size:100;default:'default'" json:"group"` // routing group
-	Status       string `gorm:"size:50;default:'active'" json:"status"` // active, suspended
+	Epoch           int64  `gorm:"default:1" json:"epoch"`                  // used for revocation/rotation
-	MaxChildKeys int    `gorm:"default:5" json:"max_child_keys"`
+	Status          string `gorm:"size:50;default:'active'" json:"status"`  // active, suspended
-	GlobalQPS    int    `gorm:"default:3" json:"global_qps"`
+	MaxChildKeys    int    `gorm:"default:5" json:"max_child_keys"`
 	GlobalQPS       int    `gorm:"default:3" json:"global_qps"`
 }
 // Key represents a child access token issued by a Master.
 type Key struct {
 	gorm.Model
 	MasterID      uint   `gorm:"not null;index" json:"master_id"`
-	KeySecret     string `gorm:"size:255;uniqueIndex" json:"key_secret"`
+	KeySecret     string `gorm:"size:255;column:key_secret" json:"-"`     // bcrypt hash of child key
-	Group         string `gorm:"size:100;default:'default'" json:"group"`
+	TokenHash     string `gorm:"size:64;uniqueIndex" json:"token_hash"`   // sha256 digest of child key
-	Scopes        string `gorm:"size:1024" json:"scopes"` // Comma-separated scopes
+	Group         string `gorm:"size:100;default:'default'" json:"group"` // routing group
-	IssuedAtEpoch int64  `gorm:"not null" json:"issued_at_epoch"`
+	Scopes        string `gorm:"size:1024" json:"scopes"`                 // Comma-separated scopes
-	Status        string `gorm:"size:50;default:'active'" json:"status"` // active, suspended
+	IssuedAtEpoch int64  `gorm:"not null" json:"issued_at_epoch"`         // copy of master epoch at issuance
 	Status        string `gorm:"size:50;default:'active'" json:"status"`  // active, suspended
 }
 // Provider remains the same.
--- a/internal/service/master.go
+++ b/internal/service/master.go
@@ -5,8 +5,10 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"strings"
 	"github.com/ez-api/ez-api/internal/model"
 	"github.com/ez-api/ez-api/internal/util"
 	"golang.org/x/crypto/bcrypt"
 	"gorm.io/gorm"
 )
@@ -30,14 +32,17 @@ func (s *MasterService) CreateMaster(name, group string, maxChildKeys, globalQPS
 		return nil, "", fmt.Errorf("failed to hash master key: %w", err)
 	}
 	masterKeyDigest := util.HashToken(rawMasterKey)
 	master := &model.Master{
-		Name:         name,
+		Name:            name,
-		MasterKey:    string(hashedMasterKey),
+		MasterKey:       string(hashedMasterKey),
-		Group:        group,
+		MasterKeyDigest: masterKeyDigest,
-		MaxChildKeys: maxChildKeys,
+		Group:           group,
-		GlobalQPS:    globalQPS,
+		MaxChildKeys:    maxChildKeys,
-		Status:       "active",
+		GlobalQPS:       globalQPS,
-		Epoch:        1,
+		Status:          "active",
 		Epoch:           1,
 	}
 	if err := s.db.Create(master).Error; err != nil {
@@ -48,20 +53,42 @@ func (s *MasterService) CreateMaster(name, group string, maxChildKeys, globalQPS
 }
 func (s *MasterService) ValidateMasterKey(masterKey string) (*model.Master, error) {
-	// This is inefficient. We should query by a hash or an indexed field.
+	digest := util.HashToken(masterKey)
 	// For now, we iterate. In a real system, this needs optimization.
 	var masters []model.Master
 	if err := s.db.Find(&masters).Error; err != nil {
 		return nil, err
 	}
-	for _, master := range masters {
+	var master model.Master
-		if bcrypt.CompareHashAndPassword([]byte(master.MasterKey), []byte(masterKey)) == nil {
+	if err := s.db.Where("master_key_digest = ?", digest).First(&master).Error; err != nil {
-			return &master, nil
+		if !errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, err
 		}
 		// Backward compatibility: look for legacy rows without digest.
 		var masters []model.Master
 		if err := s.db.Where("master_key_digest = '' OR master_key_digest IS NULL").Find(&masters).Error; err != nil {
 			return nil, err
 		}
 		for _, m := range masters {
 			if bcrypt.CompareHashAndPassword([]byte(m.MasterKey), []byte(masterKey)) == nil {
 				master = m
 				// Opportunistically backfill digest for next time.
 				if strings.TrimSpace(m.MasterKeyDigest) == "" {
 					_ = s.db.Model(&m).Update("master_key_digest", digest).Error
 				}
 				goto verified
 			}
 		}
 		return nil, errors.New("invalid master key")
 	}
-	return nil, errors.New("invalid master key")
+	if bcrypt.CompareHashAndPassword([]byte(master.MasterKey), []byte(masterKey)) != nil {
 		return nil, errors.New("invalid master key")
 	}
 verified:
 	if master.Status != "active" {
 		return nil, fmt.Errorf("master is not active")
 	}
 	return &master, nil
 }
 func (s *MasterService) IssueChildKey(masterID uint, group string, scopes string) (*model.Key, string, error) {
@@ -81,9 +108,17 @@ func (s *MasterService) IssueChildKey(masterID uint, group string, scopes string
 		return nil, "", fmt.Errorf("failed to generate child key: %w", err)
 	}
 	tokenHash := util.HashToken(rawChildKey)
 	hashedChildKey, err := bcrypt.GenerateFromPassword([]byte(rawChildKey), bcrypt.DefaultCost)
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to hash child key: %w", err)
 	}
 	key := &model.Key{
 		MasterID:      masterID,
-		KeySecret:     rawChildKey, // In a real system, this should also be hashed
+		KeySecret:     string(hashedChildKey),
 		TokenHash:     tokenHash,
 		Group:         group,
 		Scopes:        scopes,
 		IssuedAtEpoch: master.Epoch,
--- a/internal/service/sync.go
+++ b/internal/service/sync.go
@@ -23,7 +23,13 @@ func NewSyncService(rdb *redis.Client) *SyncService {
 // SyncKey writes a single key into Redis without rebuilding the entire snapshot.
 func (s *SyncService) SyncKey(key *model.Key) error {
 	ctx := context.Background()
-	tokenHash := util.HashToken(key.KeySecret)
+	tokenHash := key.TokenHash
 	if strings.TrimSpace(tokenHash) == "" {
 		tokenHash = util.HashToken(key.KeySecret) // backward compatibility
 	}
 	if strings.TrimSpace(tokenHash) == "" {
 		return fmt.Errorf("token hash missing for key %d", key.ID)
 	}
 	fields := map[string]interface{}{
 		"master_id":       key.MasterID,
@@ -38,6 +44,20 @@ func (s *SyncService) SyncKey(key *model.Key) error {
 	return nil
 }
 // SyncMaster writes master metadata into Redis used by the balancer for validation.
 func (s *SyncService) SyncMaster(master *model.Master) error {
 	ctx := context.Background()
 	key := fmt.Sprintf("auth:master:%d", master.ID)
 	if err := s.rdb.HSet(ctx, key, map[string]interface{}{
 		"epoch":      master.Epoch,
 		"status":     master.Status,
 		"global_qps": master.GlobalQPS,
 	}).Err(); err != nil {
 		return fmt.Errorf("write master metadata: %w", err)
 	}
 	return nil
 }
 // SyncProvider writes a single provider into Redis hash storage and updates routing tables.
 func (s *SyncService) SyncProvider(provider *model.Provider) error {
 	ctx := context.Background()
@@ -187,7 +207,13 @@ func (s *SyncService) SyncAll(db *gorm.DB) error {
 	}
 	for _, k := range keys {
-		tokenHash := util.HashToken(k.KeySecret)
+		tokenHash := strings.TrimSpace(k.TokenHash)
 		if tokenHash == "" {
 			tokenHash = util.HashToken(k.KeySecret) // fallback for legacy rows
 		}
 		if tokenHash == "" {
 			return fmt.Errorf("token hash missing for key %d", k.ID)
 		}
 		pipe.HSet(ctx, fmt.Sprintf("auth:token:%s", tokenHash), map[string]interface{}{
 			"master_id":       k.MasterID,
 			"issued_at_epoch": k.IssuedAtEpoch,
--- a/internal/service/token.go
+++ b/internal/service/token.go
@@ -49,11 +49,18 @@ func (s *TokenService) ValidateToken(ctx context.Context, token string) (*TokenI
 	// 2. Get master metadata from Redis
 	masterKey := fmt.Sprintf("auth:master:%d", masterID)
-	masterEpochStr, err := s.rdb.HGet(ctx, masterKey, "epoch").Result()
+	masterData, err := s.rdb.HGetAll(ctx, masterKey).Result()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get master epoch: %w", err)
+		return nil, fmt.Errorf("failed to get master metadata: %w", err)
 	}
-	masterEpoch, _ := strconv.ParseInt(masterEpochStr, 10, 64)
+	if len(masterData) == 0 {
 		return nil, errors.New("master metadata not found")
 	}
 	masterStatus := masterData["status"]
 	if masterStatus != "" && masterStatus != "active" {
 		return nil, errors.New("master is not active")
 	}
 	masterEpoch, _ := strconv.ParseInt(masterData["epoch"], 10, 64)
 	// 3. Core Epoch Validation
 	if issuedAtEpoch < masterEpoch {