✨ feat(auth): magic-link request + consume HTTP handlers (ADR-0028 Phase A.4)

Adds the two passwordless-auth endpoints behind /api/v1/auth/: POST /magic-link/request — body {email}; always 200 (no enumeration leak) GET /magic-link/consume — ?token=...; signs in (signup-on-first-link) Sign-up flow: first consume for an unknown email creates the user with a random unguessable bcrypt-hashed password — keeps the schema NOT NULL constraint while permanently locking the password endpoints out. Failure modes (missing/expired/already-consumed) collapse to a single 401 to prevent attackers distinguishing them. DB persist failures on request silently degrade to the generic 200 to avoid leaking internal state. Config: auth.magic_link.ttl (default 15m, env DLC_AUTH_MAGIC_LINK_TTL) auth.magic_link.base_url (default http://localhost:8080) Tests: 11 unit tests against fakes (repo, user service, sender) cover happy path (new + existing user), normalization, bad JSON, persist failure, missing/unknown/expired/consumed token, URL builder.
2026-05-05 11:31:48 +02:00
parent c9ab876dfe
commit cbd2ae7c0e
4 changed files with 701 additions and 4 deletions
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -104,10 +104,17 @@ type APIConfig struct {

 // AuthConfig holds authentication configuration
 type AuthConfig struct {
-	JWTSecret           string      `mapstructure:"jwt_secret"`
-	AdminMasterPassword string      `mapstructure:"admin_master_password"`
-	JWT                 JWTConfig   `mapstructure:"jwt"`
-	Email               EmailConfig `mapstructure:"email"`
+	JWTSecret           string          `mapstructure:"jwt_secret"`
+	AdminMasterPassword string          `mapstructure:"admin_master_password"`
+	JWT                 JWTConfig       `mapstructure:"jwt"`
+	Email               EmailConfig     `mapstructure:"email"`
+	MagicLink           MagicLinkConfig `mapstructure:"magic_link"`
+}
+
+// MagicLinkConfig holds passwordless-auth magic-link parameters (ADR-0028 Phase A).
+type MagicLinkConfig struct {
+	TTL     time.Duration `mapstructure:"ttl"`
+	BaseURL string        `mapstructure:"base_url"`
 }

 // EmailConfig holds outgoing email transport configuration.
@@ -276,6 +283,10 @@ func LoadConfig() (*Config, error) {
 	v.SetDefault("auth.email.smtp_use_tls", false)
 	v.SetDefault("auth.email.timeout", 10*time.Second)

+	// Magic-link defaults (ADR-0028 Phase A).
+	v.SetDefault("auth.magic_link.ttl", 15*time.Minute)
+	v.SetDefault("auth.magic_link.base_url", "http://localhost:8080")
+
 	// Check for custom config file path via environment variable
 	if configFile := os.Getenv("DLC_CONFIG_FILE"); configFile != "" {
 		v.SetConfigFile(configFile)
@@ -328,6 +339,10 @@ func LoadConfig() (*Config, error) {
 	v.BindEnv("auth.email.smtp_password", "DLC_AUTH_EMAIL_SMTP_PASSWORD")
 	v.BindEnv("auth.email.smtp_use_tls", "DLC_AUTH_EMAIL_SMTP_USE_TLS")
 	v.BindEnv("auth.email.timeout", "DLC_AUTH_EMAIL_TIMEOUT")
+
+	// Magic-link environment variables (ADR-0028 Phase A).
+	v.BindEnv("auth.magic_link.ttl", "DLC_AUTH_MAGIC_LINK_TTL")
+	v.BindEnv("auth.magic_link.base_url", "DLC_AUTH_MAGIC_LINK_BASE_URL")
 	v.BindEnv("telemetry.sampler.type", "DLC_TELEMETRY_SAMPLER_TYPE")
 	v.BindEnv("telemetry.sampler.ratio", "DLC_TELEMETRY_SAMPLER_RATIO")

@@ -466,6 +481,19 @@ func (c *Config) GetEmailConfig() EmailConfig {
 	return c.Auth.Email
 }

+// GetMagicLinkConfig returns the passwordless-auth magic-link parameters
+// (ADR-0028 Phase A). TTL defaults to 15m, BaseURL to http://localhost:8080.
+func (c *Config) GetMagicLinkConfig() MagicLinkConfig {
+	out := c.Auth.MagicLink
+	if out.TTL <= 0 {
+		out.TTL = 15 * time.Minute
+	}
+	if out.BaseURL == "" {
+		out.BaseURL = "http://localhost:8080"
+	}
+	return out
+}
+
 // GetJWTTTL returns the JWT TTL
 func (c *Config) GetJWTTTL() time.Duration {
 	if c.Auth.JWT.TTL == 0 {