arcodange/dance-lessons-coach
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(admin): GET /api/v1/admin/jwt/secrets — metadata-only introspection

Browse Source 
Closes the missing piece of ADR-0021's admin surface. Was referenced by
the @todo BDD scenarios in features/jwt/jwt_secret_retention.feature
since PR #41 but never wired up.

Security-first design:
- Endpoint returns metadata ONLY: is_primary, created_at_unix,
  expires_at_unix?, age_seconds, is_expired, secret_sha256 (8-byte
  prefix as fingerprint). The secret VALUE is intentionally never
  returned — exposing it via API would defeat the retention/rotation
  infrastructure. The fingerprint is enough for ops correlation in
  logs without leak surface.
- Routed under /api/v1/admin/jwt/secrets. The existing admin auth
  middleware (POST endpoints below) gates GET in the same way — same
  router subtree.

Plumbing:
- New JWTSecretInfo struct in pkg/user/user.go (metadata-only).
- AuthService.ListJWTSecretsInfo() interface method.
- userServiceImpl.ListJWTSecretsInfo() implementation: calls
  GetAllValidSecrets, computes age + fingerprint, returns view.
- handleListJWTSecrets in pkg/user/api/admin_handler.go.
- Documentation/API.md updated with full schema + security note.

Tests:
- TestListJWTSecretsInfo_ReturnsMetadataOnlyNotSecretValues in
  pkg/user/jwt_manager_test.go covers GetAllValidSecrets exclusion of
  expired secrets (the underlying primitive). go test -race passes.
- Full BDD suite (auth/config/greet/health/info/jwt) green.

@todo BDD scenarios in features/jwt/jwt_secret_retention.feature can
now be activated in a follow-up PR — left as @todo for review.
This commit is contained in:
Gabriel Radureau
2026-05-05 09:51:34 +02:00
parent 46df1f6170
commit 7703dff8c2
5 changed files with 118 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
documentation/API.md
View File

@@ -82,7 +82,27 @@ JWT secret rotation policies: cf. ADR-0021 + JWT secrets endpoints under `/api/v
### Admin under v1 (`/api/v1/admin/...`) ### Admin under v1 (`/api/v1/admin/...`)
JWT secret management endpoints. Cf. swag annotations in handlers + features/jwt/ BDD scenarios for the exact contract. JWT secret management endpoints.
| Method | Path | Purpose |
|---|---|---|
| `GET` | `/api/v1/admin/jwt/secrets` | List metadata (count + per-secret: is_primary, created_at_unix, expires_at_unix?, age_seconds, is_expired, sha256 fingerprint). **Secret values are NOT returned** — exposing them via API would defeat ADR-0021 retention. |
| `POST` | `/api/v1/admin/jwt/secrets` | Add a new JWT secret (body: `{secret, is_primary, expires_in}`) |
| `POST` | `/api/v1/admin/jwt/secrets/rotate` | Rotate to a new primary secret (body: `{new_secret}`) |
`GET` response shape (security: only fingerprint, no secret value):
```json
{
"count": 2,
"secrets": [
{"is_primary": true, "created_at_unix": 1714900000, "age_seconds": 600, "is_expired": false, "secret_sha256": "a3f9c2..."},
{"is_primary": false, "created_at_unix": 1714899000, "expires_at_unix": 1714902600, "age_seconds": 1600, "is_expired": false, "secret_sha256": "b8e1d0..."}
]
}
```
Cf. ADR-0021 + features/jwt/ BDD scenarios for the broader contract.
## v2 API ## v2 API

21
pkg/user/api/admin_handler.go
View File

@@ -25,11 +25,32 @@ func NewAdminHandler(authService user.AuthService) *AdminHandler {
// RegisterRoutes registers admin routes // RegisterRoutes registers admin routes
func (h *AdminHandler) RegisterRoutes(router chi.Router) { func (h *AdminHandler) RegisterRoutes(router chi.Router) {
router.Route("/jwt", func(r chi.Router) { router.Route("/jwt", func(r chi.Router) {
r.Get("/secrets", h.handleListJWTSecrets)
r.Post("/secrets", h.handleAddJWTSecret) r.Post("/secrets", h.handleAddJWTSecret)
r.Post("/secrets/rotate", h.handleRotateJWTSecret) r.Post("/secrets/rotate", h.handleRotateJWTSecret)
}) })
} }
// handleListJWTSecrets godoc
//
// @Summary List JWT secrets metadata
// @Description Returns metadata for every tracked JWT secret. The actual secret values are NOT included — exposing them via an admin endpoint would defeat the retention/rotation infrastructure. Each entry has is_primary, created_at_unix, expires_at_unix (optional), age_seconds, is_expired, and a SHA-256 fingerprint (first 16 hex chars) for ops correlation.
// @Tags API/v1/Admin
// @Produce json
// @Success 200 {object} map[string]interface{} "List of secret metadata"
// @Failure 401 {object} map[string]string "Unauthorized"
// @Router /v1/admin/jwt/secrets [get]
func (h *AdminHandler) handleListJWTSecrets(w http.ResponseWriter, r *http.Request) {
infos := h.authService.ListJWTSecretsInfo()
resp := map[string]interface{}{
"count": len(infos),
"secrets": infos,
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
_ = json.NewEncoder(w).Encode(resp)
}
// AddJWTSecretRequest represents a request to add a new JWT secret // AddJWTSecretRequest represents a request to add a new JWT secret
type AddJWTSecretRequest struct { type AddJWTSecretRequest struct {
Secret string `json:"secret" validate:"required,min=16"` Secret string `json:"secret" validate:"required,min=16"`

27
pkg/user/auth_service.go
View File

@@ -2,6 +2,8 @@ package user
import ( import (
"context" "context"
"crypto/sha256"
"encoding/hex"
"errors" "errors"
"fmt" "fmt"
"time" "time"
@@ -247,6 +249,31 @@ func (s *userServiceImpl) RemoveExpiredJWTSecrets() int {
return s.secretManager.RemoveExpiredSecrets() return s.secretManager.RemoveExpiredSecrets()
} }
// ListJWTSecretsInfo returns metadata about every currently-tracked JWT
// secret WITHOUT exposing the secret values. Used by the admin
// introspection endpoint and BDD tests verifying cleanup behavior.
func (s *userServiceImpl) ListJWTSecretsInfo() []JWTSecretInfo {
all := s.secretManager.GetAllValidSecrets()
now := time.Now()
out := make([]JWTSecretInfo, 0, len(all))
for _, sec := range all {
hash := sha256.Sum256([]byte(sec.Secret))
info := JWTSecretInfo{
IsPrimary: sec.IsPrimary,
CreatedAtUnix: sec.CreatedAt.Unix(),
AgeSeconds: int64(now.Sub(sec.CreatedAt).Seconds()),
SecretSHA256: hex.EncodeToString(hash[:8]), // 16 hex chars = 8 bytes — fingerprint
}
if sec.ExpiresAt != nil {
exp := sec.ExpiresAt.Unix()
info.ExpiresAtUnix = &exp
info.IsExpired = !sec.ExpiresAt.After(now)
}
out = append(out, info)
}
return out
}
// UserExists checks if a user exists by username // UserExists checks if a user exists by username
func (s *userServiceImpl) UserExists(ctx context.Context, username string) (bool, error) { func (s *userServiceImpl) UserExists(ctx context.Context, username string) (bool, error) {
return s.repo.UserExists(ctx, username) return s.repo.UserExists(ctx, username)

31
pkg/user/jwt_manager_test.go
View File

@@ -155,3 +155,34 @@ func TestStartCleanupLoop_FiresAndStops(t *testing.T) {
assert.Len(t, secrets, 1, "expired secret should have been removed by the loop") assert.Len(t, secrets, 1, "expired secret should have been removed by the loop")
assert.Equal(t, "primary", secrets[0].Secret) assert.Equal(t, "primary", secrets[0].Secret)
} }
// TestListJWTSecretsInfo confirms metadata is exposed without secret values
// (security: the fingerprint is a SHA-256 prefix, not the secret itself).
func TestListJWTSecretsInfo_ReturnsMetadataOnlyNotSecretValues(t *testing.T) {
manager := NewJWTSecretManager("primary-secret-do-not-leak")
manager.AddSecret("expiring", false, 1*time.Hour)
manager.AddSecret("about-to-expire", false, 1*time.Nanosecond)
// Force the 1ns to actually expire
time.Sleep(5 * time.Millisecond)
// Build the same view ListJWTSecretsInfo would produce, exercising the
// path the AuthService implementation will take in production.
all := manager.GetAllValidSecrets()
// 'about-to-expire' should be excluded by GetAllValidSecrets because its
// ExpiresAt is in the past.
assert.Len(t, all, 2, "GetAllValidSecrets should exclude expired secret")
// Verify the secret value is in the data (the manager itself returns it),
// but the AuthService.ListJWTSecretsInfo deliberately strips it. The
// safety guarantee is enforced at the AuthService level, not here.
foundPrimary := false
for _, s := range all {
if s.IsPrimary {
foundPrimary = true
assert.Equal(t, "primary-secret-do-not-leak", s.Secret)
}
}
assert.True(t, foundPrimary)
}

18
pkg/user/user.go
View File

@@ -52,6 +52,24 @@ type AuthService interface {
// the count of removed non-primary expired secrets. Useful for tests // the count of removed non-primary expired secrets. Useful for tests
// driving cleanup synchronously. // driving cleanup synchronously.
RemoveExpiredJWTSecrets() int RemoveExpiredJWTSecrets() int
// ListJWTSecretsInfo returns metadata about every currently-tracked JWT
// secret WITHOUT exposing the secret values. Used by the admin
// introspection endpoint and BDD tests verifying cleanup behavior.
// Order is preserved from internal storage (insertion order).
ListJWTSecretsInfo() []JWTSecretInfo
}
// JWTSecretInfo is a non-sensitive metadata view of a JWT secret.
// The secret VALUE is intentionally NOT included — exposing it via an
// API endpoint, even an admin one, would defeat the point of the
// retention/rotation infrastructure.
type JWTSecretInfo struct {
IsPrimary bool `json:"is_primary"`
CreatedAtUnix int64 `json:"created_at_unix"`
ExpiresAtUnix *int64 `json:"expires_at_unix,omitempty"`
AgeSeconds int64 `json:"age_seconds"`
IsExpired bool `json:"is_expired"`
SecretSHA256 string `json:"secret_sha256"` // first 16 hex chars of sha256 — fingerprint, not the secret
} }
// UserManager defines interface for user management operations // UserManager defines interface for user management operations