Make client use our auth(n/z) scheme.
Our auth(n/z) scheme can be loosely defined as "encrypted tokens that nginx
transforms into headers" and "scopes for bypassing ACL". Our Go client, which is
what we'll be using to have services communicate with each other, follows this
paradigm now by auto-injecting the headers we'll need to identify ourselves.
This will work behind our firewall, but will be useless for the rest of the
world, which will need to go through the nginx bastion that can strip the
headers and replace them with the headers appropriate to the token attached to
the request.
This did involve setting a static client ID as the client for our
email_verification listener. Ideally, this would cause Client registration
(using that ID) when the listener starts up, ignoring ErrClientAlreadyExists. I
don't want to have to write the code that will allow us to bypass the Client ACL
properly right now, though, so we're just going to have to remember to manually
create that Client. Or not. I don't think it will do any harm (outside the OAuth
flow) to be using a Client ID that doesn't actually point to a Client. I just
think it'd be good for record-keeping purposes.
6 "code.secondbit.org/uuid.hg"
10 tokens map[string]Token
11 refreshTokenLookup map[string]string
12 profileTokenLookup map[string][]string
13 tokenLock sync.RWMutex
15 authCodes map[string]AuthorizationCode
16 authCodeLock sync.RWMutex
18 clients map[string]Client
19 profileClientLookup map[string][]uuid.ID
20 clientLock sync.RWMutex
22 endpoints map[string][]Endpoint
23 endpointLock sync.RWMutex
25 profiles map[string]Profile
26 profileLock sync.RWMutex
28 logins map[string]Login
29 profileLoginLookup map[string][]string
30 loginLock sync.RWMutex
32 sessions map[string]Session
33 sessionLock sync.RWMutex
35 scopes map[string]Scope
36 scopeLock sync.RWMutex
39 // NewMemstore returns an in-memory version of our datastores,
40 // which is handy for tests. Though the implementation is concurrency-safe,
41 // if makes no attempt to persist the data, and therefore it is inadvisable
42 // to use it in a production setting.
43 func NewMemstore() *memstore {
45 tokens: map[string]Token{},
46 refreshTokenLookup: map[string]string{},
47 profileTokenLookup: map[string][]string{},
48 authCodes: map[string]AuthorizationCode{},
49 clients: map[string]Client{},
50 profileClientLookup: map[string][]uuid.ID{},
51 endpoints: map[string][]Endpoint{},
52 profiles: map[string]Profile{},
53 logins: map[string]Login{},
54 profileLoginLookup: map[string][]string{},
55 sessions: map[string]Session{},
56 scopes: map[string]Scope{},
60 func (m *memstore) lookupTokenByRefresh(token string) (string, error) {
62 defer m.tokenLock.RUnlock()
63 t, ok := m.refreshTokenLookup[token]
65 return "", ErrTokenNotFound
70 func (m *memstore) lookupTokensByProfileID(id string) ([]string, error) {
72 defer m.tokenLock.RUnlock()
73 return m.profileTokenLookup[id], nil
76 func (m *memstore) lookupClientsByProfileID(id string) []uuid.ID {
78 defer m.clientLock.RUnlock()
79 c, ok := m.profileClientLookup[id]