- Require API key or JWT by default for client connections - Auto-derive namespace from JWT claim or API key format `ak_<rand>:<namespace>` - Deny calls if per-call namespace override mismatches resolved namespace - Guard Storage, PubSub, Database, and NetworkInfo operations with access checks - Add context helpers for consistent namespace override handling - Update docs and add end-to-end and unit tests for authentication logic
package gateway
import (
"crypto/rand"
"crypto/rsa"
"testing"
"time"
)
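// TestJWTGenerateAndParse checks the signing round trip: a token minted by
// generateJWT must verify with parseAndVerifyJWT on the same gateway and carry
// the namespace, subject, audience and issuer this test expects.
func TestJWTGenerateAndParse(t *testing.T) {
	// Throwaway RSA key generated per run, so no fixed key material lives in the test.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		// Stop here instead of handing a nil signing key to the gateway.
		t.Fatalf("generate rsa key: %v", err)
	}
	gw := &Gateway{signingKey: key, keyID: "kid"}

	tok, exp, err := gw.generateJWT("ns1", "subj", time.Minute)
	if err != nil || exp <= 0 {
		t.Fatalf("gen err=%v exp=%d", err, exp)
	}

	claims, err := gw.parseAndVerifyJWT(tok)
	if err != nil {
		t.Fatalf("verify err: %v", err)
	}

	// Every identity-bearing claim is pinned, not just the namespace: a token
	// that verifies but carries a different audience or issuer is a failure.
	switch {
	case claims.Namespace != "ns1",
		claims.Sub != "subj",
		claims.Aud != "gateway",
		claims.Iss != "debros-gateway":
		t.Fatalf("unexpected claims: %+v", claims)
	}
}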
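// TestJWTExpired checks that parseAndVerifyJWT rejects a token whose TTL is
// already in the past when it is minted.
func TestJWTExpired(t *testing.T) {
	// Throwaway RSA key generated per run, so no fixed key material lives in the test.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		// Stop here instead of handing a nil signing key to the gateway.
		t.Fatalf("generate rsa key: %v", err)
	}
	gw := &Gateway{signingKey: key, keyID: "kid"}

	// Control: an unexpired token from the same gateway must verify. Without
	// this, the rejection below could come from a broken key or verifier setup
	// rather than from expiry, and the test would still pass.
	fresh, _, err := gw.generateJWT("ns1", "subj", time.Minute)
	if err != nil {
		t.Fatalf("gen control err=%v", err)
	}
	if _, err := gw.parseAndVerifyJWT(fresh); err != nil {
		t.Fatalf("control token rejected: %v", err)
	}

	// Use sufficiently negative TTL to bypass allowed clock skew
	// (presumably the verifier's leeway is under two minutes; confirm against parseAndVerifyJWT).
	tok, _, err := gw.generateJWT("ns1", "subj", -2*time.Minute)
	if err != nil {
		t.Fatalf("gen err=%v", err)
	}

	// NOTE(review): any error satisfies this check. Asserting the specific
	// expiry error needs the error value or type parseAndVerifyJWT returns,
	// which is not visible from this file.
	if _, err := gw.parseAndVerifyJWT(tok); err == nil {
		t.Fatalf("expected expired error")
	}
}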