Phase 1.5 — auth layer (Redis sessions, allowlist, requireAuth)
Adds an authentication layer in front of the bot handlers: - Auth handler on the principal bot (@arcodange_factory_bot, slug factory) parses /start, /auth <code>, /whoami, /logout. On a successful /auth, the message containing the code is best-effort deleted from the user's chat (replay defense). - Redis-backed sessions (key tg-gw:auth:<from.id>, TTL 24h, configurable via AUTH_SESSION_TTL). Constant-time secret compare via crypto/subtle. - ALLOWED_USERS env (CSV of Telegram user IDs) — silently drops anyone not in the list before the auth gate runs. - New per-bot field 'requireAuth' (pointer-bool). Default = true (secure by default). Auto-forced to false for handler=auth (chicken-and-egg). - Server gates: allowlist first, then requireAuth before handler dispatch. - Fail-at-startup if a bot is configured with handler=auth or requireAuth: true while AUTH_SECRET is unset. Design: factory/docs/adr/20260509-telegram-gateway-auth.md (in factory PR). User docs: AUTH.md (new), HOWTO_ADD_BOT.md (Cas 2 updated for default true and gated flow). New deps: github.com/redis/go-redis/v9. Refs ~/.claude/plans/pour-les-notifications-on-inherited-seal.md § Phase 1.5.
37
main.go
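--- a/main.go
+++ b/main.go
@@ -44,14 +44,47 @@ func runServer() {
 log.Fatalf("load config: %v", err)
 }
 
-registry, err := NewRegistry(cfg)
+tg := NewTelegramClient()
+
+// Phase 1.5 — auth layer (Redis-backed sessions). See
+// factory/docs/adr/20260509-telegram-gateway-auth.md.
+authSecret := os.Getenv("AUTH_SECRET")
+redisURL := envOr("REDIS_URL", "redis://redis.tools.svc.cluster.local:6379/0")
+ttl := 24 * time.Hour
+if raw := os.Getenv("AUTH_SESSION_TTL"); raw != "" {
+if d, err := time.ParseDuration(raw); err == nil && d > 0 {
+ttl = d
+} else {
+log.Printf("AUTH_SESSION_TTL=%q invalid, defaulting to 24h", raw)
+}
+}
+var auth *Auth
+if authSecret != "" {
+var aerr error
+auth, aerr = NewAuth(redisURL, authSecret, ttl)
+if aerr != nil {
+log.Fatalf("init auth: %v", aerr)
+}
+log.Printf("auth layer initialized (TTL=%s, redis=%s)", ttl, redisURL)
+} else {
+log.Print("AUTH_SECRET unset → auth layer disabled (no bot may have handler=auth or requireAuth: true)")
+}
+
+allowlist := NewAllowlist(os.Getenv("ALLOWED_USERS"))
+if allowlist.Open() {
+log.Print("ALLOWED_USERS empty → allowlist open to all")
+} else {
+log.Printf("allowlist active (%d user(s) allowed)", allowlist.Size())
+}
+
+registry, err := NewRegistry(cfg, tg, auth)
 if err != nil {
 log.Fatalf("build registry: %v", err)
 }
 
 srv := &http.Server{
 Addr: *addr,
-Handler: NewServer(registry).Routes(),
+Handler: NewServer(registry, auth, allowlist, tg).Routes(),
 ReadHeaderTimeout: 5 * time.Second,
 ReadTimeout: 30 * time.Second,
 WriteTimeout: 30 * time.Second,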
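Review bot: The startup message `log.Printf("auth layer initialized (TTL=%s, redis=%s)", ttl, redisURL)` prints REDIS_URL verbatim, so a `redis://:password@host:6379/0` value — the usual way to pass a Redis password through that variable — ends up in the pod logs. The default URL carries no userinfo, but the value is operator-supplied; parse it and log the redacted form, e.g. `shown := redisURL` followed by `if u, perr := url.Parse(redisURL); perr == nil { shown = u.Redacted() }` and `redis=%s` fed with `shown`, which needs `net/url` added to the import block outside this hunk. Both gates also fail open when their variables are empty (`ALLOWED_USERS empty → allowlist open to all`, `AUTH_SECRET unset → auth layer disabled`) and only a plain log line records it; the description says a requireAuth or handler=auth bot without AUTH_SECRET fails at startup, presumably inside NewRegistry since it now receives `auth`, so a comment on the else-branch such as `// Fail-open here is acceptable only because NewRegistry rejects requireAuth/handler=auth bots when AUTH_SECRET is unset.` would make that dependency explicit to the next reader. That rejection is not visible in this hunk, so confirm it before relying on it. runServer continues beyond the last line of the hunk.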