~sircmpwn/gql.sr.ht

ref: 1fd9e352177eb4f56583e66123eba997931321dc gql.sr.ht/auth/middleware.go -rw-r--r-- 13.6 KiB
s/Scopes/Grants/g
Implement OAuth 2.0 bearer token w/scopes
OAuth 2.0 Bearer: check revocation status
auth: implement OAuth 2.0 bearer tokens
Be tolerant of hosts without port in RemoteAddr
Improve error message for internal auth
Update InternalAuth structure

This allows us to include information about the client and node which is
making internal requests.
auth: add conservative default internal IP subnet
auth: limit source IPs for internal authentication
auth: add internal authentication

This works similarly to cookie authentication, but with a 30-second
expiration on the encrypted payload. A sr.ht service wishing to make API
calls on behalf of a user, or to access restricted paths, can encrypt a
payload including the username they're working on behalf of, and if the
signature is valid and the token was created recently enough, the
request is accepted and granted these additional permissions.
auth: add field to indicate authentication method
Add middleware for database context
Initial commit
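
The "auth: add internal authentication" message above describes a short-lived encrypted payload naming the user a service acts for. The sketch below is an added example, not code from gql.sr.ht: the AES-GCM cipher, the JSON encoding, the Token fields and the Seal/Verify names are all assumptions chosen to illustrate the 30-second freshness check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token is a hypothetical payload shape; the field names are assumptions.
type Token struct{ Username, ClientID, NodeID string; Issued int64 }

// Seal encrypts and authenticates t, prepending a fresh random nonce.
func Seal(g cipher.AEAD, t Token) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	pt, _ := json.Marshal(t) // cannot fail for this struct
	return g.Seal(nonce, nonce, pt, nil)
}

// Verify accepts a token only if its AEAD tag is valid and it is at most 30 seconds old.
func Verify(g cipher.AEAD, tok []byte, now time.Time) (*Token, error) {
	n := g.NonceSize()
	if len(tok) < n {
		return nil, errors.New("token too short")
	}
	var t Token
	pt, err := g.Open(nil, tok[:n], tok[n:], nil)
	if err != nil || json.Unmarshal(pt, &t) != nil {
		return nil, errors.New("invalid token")
	}
	if age := now.Sub(time.Unix(t.Issued, 0)); age < 0 || age > 30*time.Second {
		return nil, errors.New("token expired or future-dated")
	}
	return &t, nil
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	g, _ := cipher.NewGCM(block)
	tok := Seal(g, Token{Username: "alice", ClientID: "example-client", NodeID: "node1", Issued: time.Now().Unix()})
	fmt.Println(Verify(g, tok, time.Now()))
}
```

Because the issue time sits inside the authenticated ciphertext, a caller cannot extend a token's life without the shared key, and a captured token stops being replayable once the window closes.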