kindred/silo
1
1
Fork 0
Code Issues 30 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3adc155b14785e026a2191128775c0aef8119829
silo/internal/auth/token.go
Forbes 4f0107f1b2 feat(auth): add authentication, RBAC, API tokens, and default admin 
Add a complete authentication and authorization system to Silo with
three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak),
session management, API token support, and role-based access control.

Authentication backends:
- Local: bcrypt (cost 12) password verification against users table
- LDAP: FreeIPA simple bind with group-to-role mapping
- OIDC: Keycloak redirect flow with realm role mapping
- Backends are tried in order; users upserted to DB on first login

Session and token management:
- PostgreSQL-backed sessions via alexedwards/scs + pgxstore
- Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once)
- 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies

Role-based access control (admin > editor > viewer):
- RequireAuth middleware: Bearer token -> session -> redirect/401
- RequireRole middleware: per-route-group minimum role enforcement
- CSRF protection via justinas/nosurf on web forms, API exempt
- CORS locked to configured origins when auth enabled

Route restructuring:
- Public: /health, /ready, /login, /auth/oidc, /auth/callback
- Web (auth + CSRF): /, /projects, /schemas, /settings
- API read (viewer): GET /api/**
- API write (editor): POST/PUT/PATCH/DELETE /api/**

User context wiring:
- created_by/updated_by columns on items, projects, relationships
- All create/update handlers populate tracking fields from context
- CSV and BOM import handlers pass authenticated username
- Revision creation tracks user across all code paths

Default admin account:
- Configurable via auth.local.default_admin_username/password
- Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD
- Idempotent: created on first startup, skipped if exists

CLI and FreeCAD plugin:
- silo token create/list/revoke subcommands (HTTP API client)
- FreeCAD SiloClient sends Bearer token on all requests
- Token read from ApiToken preference or SILO_API_TOKEN env var

Web UI:
- Login page (Catppuccin Mocha themed, OIDC button conditional)
- Settings page with account info and API token management
- User display name, role badge, and logout button in header
- One-time token display banner with copy-to-clipboard

Database (migration 009):
- users table with role, auth_source, oidc_subject, password_hash
- api_tokens table with SHA-256 hash, prefix, expiry, scopes
- sessions table (scs pgxstore schema)
- audit_log table (schema ready for future use)
- created_by/updated_by ALTER on items, relationships, projects

New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3,
justinas/nosurf, golang.org/x/oauth2
2026-01-31 11:20:12 -06:00

52 lines
1.4 KiB
Go
Raw Blame History

package auth
import (
"context"
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"fmt"
"time"
"github.com/kindredsystems/silo/internal/db"
)
const (
tokenPrefixStr = "silo_"
tokenRawBytes = 32 // 32 random bytes = 64 hex chars
)
// GenerateToken creates a new API token. Returns the raw token string
// (shown once to the user) and the persisted token info.
func (s *Service) GenerateToken(ctx context.Context, userID, name string, scopes []string, expiresAt *time.Time) (string, *db.TokenInfo, error) {
rawBytes := make([]byte, tokenRawBytes)
if _, err := rand.Read(rawBytes); err != nil {
return "", nil, fmt.Errorf("generating random bytes: %w", err)
}
rawToken := tokenPrefixStr + hex.EncodeToString(rawBytes)
hash := sha256.Sum256([]byte(rawToken))
tokenHash := hex.EncodeToString(hash[:])
// Prefix for display: "silo_" + first 8 hex chars
displayPrefix := rawToken[:len(tokenPrefixStr)+8]
info, err := s.tokens.Create(ctx, userID, name, tokenHash, displayPrefix, scopes, expiresAt)
if err != nil {
return "", nil, err
}
return rawToken, info, nil
}
// ListTokens returns all tokens for a user.
func (s *Service) ListTokens(ctx context.Context, userID string) ([]*db.TokenInfo, error) {
return s.tokens.ListByUser(ctx, userID)
}
// RevokeToken deletes a token by ID, ensuring it belongs to the given user.
func (s *Service) RevokeToken(ctx context.Context, userID, tokenID string) error {
return s.tokens.Delete(ctx, userID, tokenID)
}
Reference in New Issue View Git Blame Copy Permalink