feat(auth): implement master key authentication system with child key issuance

Add admin and master authentication layers with JWT support. Replace direct key creation with hierarchical master/child key system. Update database schema to support master accounts with configurable limits and epoch-based key revocation. Add health check endpoint with system status monitoring. BREAKING CHANGE: Removed direct POST /keys endpoint in favor of master-based key issuance through /v1/tokens. Database migration requires dropping old User table and creating Master table with new relationships.
2026-01-13 17:47:51 +00:00 · 2025-12-05 00:16:47 +08:00
parent 5360cc6f1a
commit 8645b22b83
16 changed files with 618 additions and 229 deletions
--- a/internal/api/master_handler.go
+++ b/internal/api/master_handler.go
@@ -0,0 +1,64 @@
+package api
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/ez-api/ez-api/internal/model"
+	"github.com/ez-api/ez-api/internal/service"
+	"github.com/gin-gonic/gin"
+)
+
+type MasterHandler struct {
+	masterService *service.MasterService
+}
+
+func NewMasterHandler(masterService *service.MasterService) *MasterHandler {
+	return &MasterHandler{masterService: masterService}
+}
+
+type IssueChildKeyRequest struct {
+	Group  string `json:"group"`
+	Scopes string `json:"scopes"`
+}
+
+func (h *MasterHandler) IssueChildKey(c *gin.Context) {
+	master, exists := c.Get("master")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "master key not found in context"})
+		return
+	}
+	masterModel := master.(*model.Master)
+
+	var req IssueChildKeyRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	// If group is not specified, inherit from master
+	group := req.Group
+	if strings.TrimSpace(group) == "" {
+		group = masterModel.Group
+	}
+
+	// Security: Ensure the requested group is allowed for this master.
+	// For now, we'll just enforce it's the same group.
+	if group != masterModel.Group {
+		c.JSON(http.StatusForbidden, gin.H{"error": "cannot issue key for a different group"})
+		return
+	}
+
+	key, rawChildKey, err := h.masterService.IssueChildKey(masterModel.ID, group, req.Scopes)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to issue child key", "details": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"id":         key.ID,
+		"key_secret": rawChildKey,
+		"group":      key.Group,
+		"scopes":     key.Scopes,
+	})
+}