authornsfisis <nsfisis@gmail.com>2026-02-15 11:12:50 +0900
committernsfisis <nsfisis@gmail.com>2026-02-15 11:14:28 +0900
commit96fad1a4e78c7209e5a0f3496e8b59d591fbe500 (patch)
tree8e43fb3918cd7401fe68cac933fe943c794b7634 /backend/auth
parent2f1a8a1c599300d0964d7fbbfd824e2d74f0bf4a (diff)
refactor(auth): replace JWT authentication with server-side sessions
Migrate from stateless JWT tokens to server-side session management backed by PostgreSQL. Sessions are hashed with SHA-256 before storage, cleaned up periodically, and invalidated on logout. This removes the need for JWT_SECRET/COOKIE_SECRET environment variables and the golang-jwt dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Diffstat (limited to 'backend/auth')
-rw-r--r--backend/auth/jwt.go60
-rw-r--r--backend/auth/session.go21
2 files changed, 21 insertions, 60 deletions
diff --git a/backend/auth/jwt.go b/backend/auth/jwt.go
deleted file mode 100644
index 217d384..0000000
--- a/backend/auth/jwt.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package auth
-
-import (
- "errors"
- "os"
- "time"
-
- "github.com/golang-jwt/jwt/v5"
-
- "albatross-2026-backend/db"
-)
-
-var (
- jwtSecret []byte
-)
-
-func init() {
- jwtSecret = []byte(os.Getenv("ALBATROSS_JWT_SECRET"))
- if len(jwtSecret) == 0 {
- panic("ALBATROSS_JWT_SECRET is not set")
- }
-}
-
-type JWTClaims struct {
- UserID int `json:"user_id"`
- Username string `json:"username"`
- DisplayName string `json:"display_name"`
- IconPath *string `json:"icon_path"`
- IsAdmin bool `json:"is_admin"`
- jwt.RegisteredClaims
-}
-
-func NewJWT(user *db.User) (string, error) {
- claims := &JWTClaims{
- UserID: int(user.UserID),
- Username: user.Username,
- DisplayName: user.DisplayName,
- IconPath: user.IconPath,
- IsAdmin: user.IsAdmin,
- RegisteredClaims: jwt.RegisteredClaims{
- ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24)),
- },
- }
- token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
- return token.SignedString(jwtSecret)
-}
-
-func ParseJWT(token string) (*JWTClaims, error) {
- claims := new(JWTClaims)
- t, err := jwt.ParseWithClaims(token, claims, func(*jwt.Token) (any, error) {
- return jwtSecret, nil
- })
- if err != nil {
- return nil, err
- }
- if !t.Valid {
- return nil, errors.New("invalid token")
- }
- return claims, nil
-}
diff --git a/backend/auth/session.go b/backend/auth/session.go
new file mode 100644
index 0000000..a0d5aa4
--- /dev/null
+++ b/backend/auth/session.go
@@ -0,0 +1,21 @@
+package auth
+
+import (
+ "crypto/rand"
+ "crypto/sha256"
+ "encoding/hex"
+ "fmt"
+)
+
+func GenerateSessionID() (string, error) {
+ b := make([]byte, 32)
+ if _, err := rand.Read(b); err != nil {
+ return "", fmt.Errorf("generate session ID: %w", err)
+ }
+ return hex.EncodeToString(b), nil
+}
+
+func HashSessionID(raw string) string {
+ h := sha256.Sum256([]byte(raw))
+ return hex.EncodeToString(h[:])
+}