mirror of
https://github.com/EZ-Api/ez-api.git
synced 2026-01-13 17:47:51 +00:00
feat(auth): implement master key authentication system with child key issuance
Add admin and master authentication layers with JWT support. Replace direct key creation with hierarchical master/child key system. Update database schema to support master accounts with configurable limits and epoch-based key revocation. Add health check endpoint with system status monitoring. BREAKING CHANGE: Removed direct POST /keys endpoint in favor of master-based key issuance through /v1/tokens. Database migration requires dropping old User table and creating Master table with new relationships.
This commit is contained in:
zenfun
@@ -2,13 +2,12 @@ package service
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/ez-api/ez-api/internal/model"
|
||||
"github.com/ez-api/ez-api/internal/util"
|
||||
"github.com/redis/go-redis/v9"
|
||||
"gorm.io/gorm"
|
||||
)
|
||||
@@ -24,26 +23,16 @@ func NewSyncService(rdb *redis.Client) *SyncService {
|
||||
// SyncKey writes a single key into Redis without rebuilding the entire snapshot.
|
||||
func (s *SyncService) SyncKey(key *model.Key) error {
|
||||
ctx := context.Background()
|
||||
snap := keySnapshot{
|
||||
ID: key.ID,
|
||||
TokenHash: hashToken(key.KeySecret),
|
||||
Group: normalizeGroup(key.Group),
|
||||
Status: key.Status,
|
||||
Weight: key.Weight,
|
||||
Balance: key.Balance,
|
||||
}
|
||||
|
||||
if err := s.hsetJSON(ctx, "config:keys", snap.TokenHash, snap); err != nil {
|
||||
return err
|
||||
}
|
||||
tokenHash := util.HashToken(key.KeySecret)
|
||||
|
||||
fields := map[string]interface{}{
|
||||
"status": snap.Status,
|
||||
"group": snap.Group,
|
||||
"weight": snap.Weight,
|
||||
"balance": snap.Balance,
|
||||
"master_id": key.MasterID,
|
||||
"issued_at_epoch": key.IssuedAtEpoch,
|
||||
"status": key.Status,
|
||||
"group": key.Group,
|
||||
"scopes": key.Scopes,
|
||||
}
|
||||
if err := s.rdb.HSet(ctx, fmt.Sprintf("auth:token:%s", snap.TokenHash), fields).Err(); err != nil {
|
||||
if err := s.rdb.HSet(ctx, fmt.Sprintf("auth:token:%s", tokenHash), fields).Err(); err != nil {
|
||||
return fmt.Errorf("write auth token: %w", err)
|
||||
}
|
||||
return nil
|
||||
@@ -111,14 +100,7 @@ type providerSnapshot struct {
|
||||
Models []string `json:"models"`
|
||||
}
|
||||
|
||||
type keySnapshot struct {
|
||||
ID uint `json:"id"`
|
||||
TokenHash string `json:"token_hash"`
|
||||
Group string `json:"group"`
|
||||
Status string `json:"status"`
|
||||
Weight int `json:"weight"`
|
||||
Balance float64 `json:"balance"`
|
||||
}
|
||||
// keySnapshot is no longer needed as we write directly to auth:token:*
|
||||
|
||||
type modelSnapshot struct {
|
||||
Name string `json:"name"`
|
||||
@@ -145,6 +127,11 @@ func (s *SyncService) SyncAll(db *gorm.DB) error {
|
||||
return fmt.Errorf("load keys: %w", err)
|
||||
}
|
||||
|
||||
var masters []model.Master
|
||||
if err := db.Find(&masters).Error; err != nil {
|
||||
return fmt.Errorf("load masters: %w", err)
|
||||
}
|
||||
|
||||
var models []model.Model
|
||||
if err := db.Find(&models).Error; err != nil {
|
||||
return fmt.Errorf("load models: %w", err)
|
||||
@@ -152,6 +139,18 @@ func (s *SyncService) SyncAll(db *gorm.DB) error {
|
||||
|
||||
pipe := s.rdb.TxPipeline()
|
||||
pipe.Del(ctx, "config:providers", "config:keys", "meta:models")
|
||||
// Also clear master keys
|
||||
var masterKeys []string
|
||||
iter := s.rdb.Scan(ctx, 0, "auth:master:*", 0).Iterator()
|
||||
for iter.Next(ctx) {
|
||||
masterKeys = append(masterKeys, iter.Val())
|
||||
}
|
||||
if err := iter.Err(); err != nil {
|
||||
return fmt.Errorf("scan master keys: %w", err)
|
||||
}
|
||||
if len(masterKeys) > 0 {
|
||||
pipe.Del(ctx, masterKeys...)
|
||||
}
|
||||
|
||||
// Clear old routing tables (pattern scan would be better in prod, but keys are predictable if we knew them)
|
||||
// For MVP, we rely on the fact that we are rebuilding.
|
||||
@@ -188,24 +187,21 @@ func (s *SyncService) SyncAll(db *gorm.DB) error {
|
||||
}
|
||||
|
||||
for _, k := range keys {
|
||||
snap := keySnapshot{
|
||||
ID: k.ID,
|
||||
TokenHash: hashToken(k.KeySecret),
|
||||
Group: normalizeGroup(k.Group),
|
||||
Status: k.Status,
|
||||
Weight: k.Weight,
|
||||
Balance: k.Balance,
|
||||
}
|
||||
payload, err := json.Marshal(snap)
|
||||
if err != nil {
|
||||
return fmt.Errorf("marshal key %d: %w", k.ID, err)
|
||||
}
|
||||
pipe.HSet(ctx, "config:keys", snap.TokenHash, payload)
|
||||
pipe.HSet(ctx, fmt.Sprintf("auth:token:%s", snap.TokenHash), map[string]interface{}{
|
||||
"status": snap.Status,
|
||||
"group": snap.Group,
|
||||
"weight": snap.Weight,
|
||||
"balance": snap.Balance,
|
||||
tokenHash := util.HashToken(k.KeySecret)
|
||||
pipe.HSet(ctx, fmt.Sprintf("auth:token:%s", tokenHash), map[string]interface{}{
|
||||
"master_id": k.MasterID,
|
||||
"issued_at_epoch": k.IssuedAtEpoch,
|
||||
"status": k.Status,
|
||||
"group": k.Group,
|
||||
"scopes": k.Scopes,
|
||||
})
|
||||
}
|
||||
|
||||
for _, m := range masters {
|
||||
pipe.HSet(ctx, fmt.Sprintf("auth:master:%d", m.ID), map[string]interface{}{
|
||||
"epoch": m.Epoch,
|
||||
"status": m.Status,
|
||||
"global_qps": m.GlobalQPS,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -245,12 +241,6 @@ func (s *SyncService) hsetJSON(ctx context.Context, key, field string, val inter
|
||||
return nil
|
||||
}
|
||||
|
||||
func hashToken(token string) string {
|
||||
hasher := sha256.New()
|
||||
hasher.Write([]byte(token))
|
||||
return hex.EncodeToString(hasher.Sum(nil))
|
||||
}
|
||||
|
||||
func normalizeGroup(group string) string {
|
||||
if strings.TrimSpace(group) == "" {
|
||||
return "default"
|
||||
|
||||
Reference in New Issue
Block a user