feat(auth): implement auth layer - identity resolution #28

Merged
addison merged 4 commits from exe-dev-bot/kiosk:feat/auth-layer into main 2026-02-21 08:01:01 -05:00
Contributor

Implements the Auth Layer section of spec 002 (22 tasks). Adds `auth.go` with API key validation, root login, OTP claim, and bearer token extraction. All functions are testable independently of HTTP.

Add auth.go with:
- AuthUser type for resolved identity
- GenerateAPIKey: 32 random bytes, base64url, bcrypt hash
- ValidateAPIKey: iterate keys, bcrypt compare, check revoked/expired,
  update last_used_at. Sentinel errors: ErrInvalidKey, ErrRevokedKey,
  ErrExpiredKey
- ExtractBearerToken: parse Bearer token from Authorization header
- LoginRoot: validate root credentials, generate 24h key, enforce max 3
  concurrent keys (revoke oldest on overflow)
- ClaimOTP: validate OTP via bcrypt scan, burn code, create non-expiring
  key in atomic transaction. Sentinel errors: ErrInvalidOTP, ErrExpiredOTP,
  ErrClaimedOTP

Co-authored-by: Shelley <shelley@exe.dev>

Cover all spec tasks:
- API key validation (valid, revoked, missing, malformed, expired,
  non-expired, null expires_at, last_used_at update)
- Bearer token extraction (valid, missing, malformed)
- Root login (correct creds, wrong password, non-existent user,
  max 3 keys revoke oldest)
- OTP claim (valid code burns OTP, expired, already claimed,
  non-existent, atomic concurrent claims)

Co-authored-by: Shelley <shelley@exe.dev>

fix(auth): remove lint suppression and unused goroutine parameter
All checks were successful
CI / ci (pull_request) Successful in 58s
cf6f660bf7
Co-authored-by: Shelley <shelley@exe.dev>
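The validation order the first commit message describes (iterate keys, compare, check revoked then expired with a null `expires_at` meaning non-expiring, update `last_used_at`), written out as an added example that is not the kiosk repository's `auth.go`. Storage is an in-memory slice and SHA-256 stands in for the project's bcrypt so the example runs with the standard library only; the injected `now` parameter is an assumption made for testability.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// Sentinel errors, named as in the commit message.
var (
	ErrInvalidKey = errors.New("invalid api key")
	ErrRevokedKey = errors.New("api key revoked")
	ErrExpiredKey = errors.New("api key expired")
)

// APIKey is a constructed in-memory stand-in for the stored api_keys row.
type APIKey struct {
	Hash       []byte     // SHA-256 here; the project stores a bcrypt hash
	Revoked    bool
	ExpiresAt  *time.Time // nil models a null expires_at: a non-expiring key
	LastUsedAt time.Time
}

// hashKey stands in for bcrypt so the example stays standard-library only.
func hashKey(key string) []byte { h := sha256.Sum256([]byte(key)); return h[:] }

// ValidateAPIKey mirrors "iterate keys, compare, check revoked/expired, update
// last_used_at": it compares hashes in constant time, reports revoked before
// expired, and stamps last_used_at only on success. "now" is injected (assumed).
func ValidateAPIKey(keys []*APIKey, presented string, now time.Time) (*APIKey, error) {
	h := hashKey(presented)
	for _, k := range keys {
		if subtle.ConstantTimeCompare(k.Hash, h) != 1 {
			continue
		}
		if k.Revoked {
			return nil, ErrRevokedKey
		}
		if k.ExpiresAt != nil && !now.Before(*k.ExpiresAt) {
			return nil, ErrExpiredKey
		}
		k.LastUsedAt = now
		return k, nil
	}
	return nil, ErrInvalidKey
}
```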
Reference
kwila/kiosk!28