✨ Check permissions GRPC method

2024-05-17 20:14:20 +08:00
parent 73b57164ab
commit 1e2d5e9f9d
7 changed files with 266 additions and 45 deletions
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -4,12 +4,14 @@
    <option name="autoReloadType" value="ALL" />
  </component>
  <component name="ChangeListManager">
-    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":zap: In memory auth context cache">
-      <change beforePath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25/storage_v2/_src_/database/hy_passport.gNOKQQ/schema/public.abK9xQ.meta" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25/storage_v2/_src_/database/hy_passport.gNOKQQ/schema/public.abK9xQ.meta" afterDir="false" />
+    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Bug fixes of permission check">
      <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/grpc/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/auth.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth.pb.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth.pb.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth.proto" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth.proto" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth_grpc.pb.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth_grpc.pb.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/server/auth_middleware.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/server/auth_middleware.go" afterDir="false" />
      <change beforePath="$PROJECT_DIR$/pkg/services/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/services/auth.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/services/perms.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/services/perms.go" afterDir="false" />
    </list>
    <option name="SHOW_DIALOG" value="false" />
    <option name="HIGHLIGHT_CONFLICTS" value="true" />
@@ -47,7 +49,7 @@
  <component name="PropertiesComponent"><![CDATA[{
  "keyToString": {
    "DefaultGoTemplateProperty": "Go File",
-    "Go 构建.Backend.executor": "Debug",
+    "Go 构建.Backend.executor": "Run",
    "RunOnceActivity.ShowReadmeOnStart": "true",
    "RunOnceActivity.go.formatter.settings.were.checked": "true",
    "RunOnceActivity.go.migrated.go.modules.settings": "true",
@@ -142,7 +144,6 @@
    </option>
  </component>
  <component name="VcsManagerConfiguration">
-    <MESSAGE value=":sparkles: OAuth" />
    <MESSAGE value=":truck: Update well known" />
    <MESSAGE value=":sparkles: Others userinfo" />
    <MESSAGE value=":lipstick: Fix ui design" />
@@ -167,20 +168,10 @@
    <MESSAGE value=":sparkles: Basis perm nodes feature" />
    <MESSAGE value=":sparkles: Permission check" />
    <MESSAGE value=":zap: In memory auth context cache" />
-    <option name="LAST_COMMIT_MESSAGE" value=":zap: In memory auth context cache" />
+    <MESSAGE value=":sparkles: Bug fixes of permission check" />
+    <option name="LAST_COMMIT_MESSAGE" value=":sparkles: Bug fixes of permission check" />
  </component>
  <component name="VgoProject">
    <settings-migrated>true</settings-migrated>
  </component>
-  <component name="XDebuggerManager">
-    <breakpoint-manager>
-      <breakpoints>
-        <line-breakpoint enabled="true" type="DlvLineBreakpoint">
-          <url>file://$PROJECT_DIR$/pkg/services/perms.go</url>
-          <line>49</line>
-          <option name="timeStamp" value="5" />
-        </line-breakpoint>
-      </breakpoints>
-    </breakpoint-manager>
-  </component>
 </project>
--- a/pkg/grpc/auth.go
+++ b/pkg/grpc/auth.go
@@ -3,26 +3,28 @@ package grpc
 import (
 	"context"
 	"fmt"
-	jsoniter "github.com/json-iterator/go"
-
 	"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
 	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/samber/lo"
 	"github.com/spf13/viper"
 )

 func (v *Server) Authenticate(_ context.Context, in *proto.AuthRequest) (*proto.AuthReply, error) {
-	user, perms, atk, rtk, err := services.Authenticate(in.GetAccessToken(), in.GetRefreshToken(), 0)
+	ctx, perms, atk, rtk, err := services.Authenticate(in.GetAccessToken(), in.GetRefreshToken(), 0)
 	if err != nil {
 		return &proto.AuthReply{
 			IsValid: false,
 		}, nil
 	} else {
+		user := ctx.Account
 		rawPerms, _ := jsoniter.Marshal(perms)
 		return &proto.AuthReply{
 			IsValid:      true,
 			AccessToken:  &atk,
 			RefreshToken: &rtk,
 			Permissions:  rawPerms,
+			TicketId:     lo.ToPtr(uint64(ctx.Ticket.ID)),
 			Userinfo: &proto.Userinfo{
 				Id:          uint64(user.ID),
 				Name:        user.Name,
@@ -35,3 +37,23 @@ func (v *Server) Authenticate(_ context.Context, in *proto.AuthRequest) (*proto.
 		}, nil
 	}
 }
+
+func (v *Server) CheckPerm(_ context.Context, in *proto.CheckPermRequest) (*proto.CheckPermReply, error) {
+	claims, err := services.DecodeJwt(in.GetToken())
+	if err != nil {
+		return nil, err
+	}
+	ctx, err := services.GetAuthContext(claims.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	var value any
+	_ = jsoniter.Unmarshal(in.GetValue(), &value)
+	perms := services.FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
+	valid := services.HasPermNode(perms, in.GetKey(), value)
+
+	return &proto.CheckPermReply{
+		IsValid: valid,
+	}, nil
+}
--- a/pkg/grpc/proto/auth.pb.go
+++ b/pkg/grpc/proto/auth.pb.go
@@ -180,6 +180,7 @@ type AuthReply struct {
 	RefreshToken *string   `protobuf:"bytes,3,opt,name=refresh_token,json=refreshToken,proto3,oneof" json:"refresh_token,omitempty"`
 	Userinfo     *Userinfo `protobuf:"bytes,4,opt,name=userinfo,proto3,oneof" json:"userinfo,omitempty"`
 	Permissions  []byte    `protobuf:"bytes,5,opt,name=permissions,proto3,oneof" json:"permissions,omitempty"`
+	TicketId     *uint64   `protobuf:"varint,6,opt,name=ticket_id,json=ticketId,proto3,oneof" json:"ticket_id,omitempty"`
 }

 func (x *AuthReply) Reset() {
@@ -249,6 +250,123 @@ func (x *AuthReply) GetPermissions() []byte {
 	return nil
 }

+func (x *AuthReply) GetTicketId() uint64 {
+	if x != nil && x.TicketId != nil {
+		return *x.TicketId
+	}
+	return 0
+}
+
+type CheckPermRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+	Key   string `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
+	Value []byte `protobuf:"bytes,3,opt,name=value,proto3" json:"value,omitempty"`
+}
+
+func (x *CheckPermRequest) Reset() {
+	*x = CheckPermRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_auth_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *CheckPermRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CheckPermRequest) ProtoMessage() {}
+
+func (x *CheckPermRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_auth_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CheckPermRequest.ProtoReflect.Descriptor instead.
+func (*CheckPermRequest) Descriptor() ([]byte, []int) {
+	return file_auth_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *CheckPermRequest) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
+func (x *CheckPermRequest) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+func (x *CheckPermRequest) GetValue() []byte {
+	if x != nil {
+		return x.Value
+	}
+	return nil
+}
+
+type CheckPermReply struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	IsValid bool `protobuf:"varint,1,opt,name=is_valid,json=isValid,proto3" json:"is_valid,omitempty"`
+}
+
+func (x *CheckPermReply) Reset() {
+	*x = CheckPermReply{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_auth_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *CheckPermReply) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CheckPermReply) ProtoMessage() {}
+
+func (x *CheckPermReply) ProtoReflect() protoreflect.Message {
+	mi := &file_auth_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CheckPermReply.ProtoReflect.Descriptor instead.
+func (*CheckPermReply) Descriptor() ([]byte, []int) {
+	return file_auth_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *CheckPermReply) GetIsValid() bool {
+	if x != nil {
+		return x.IsValid
+	}
+	return false
+}
+
 var File_auth_proto protoreflect.FileDescriptor

 var file_auth_proto_rawDesc = []byte{
@@ -272,7 +390,7 @@ var file_auth_proto_rawDesc = []byte{
 	0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00,
 	0x52, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x88, 0x01,
 	0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f,
-	0x6b, 0x65, 0x6e, 0x22, 0x91, 0x02, 0x0a, 0x09, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x70, 0x6c,
+	0x6b, 0x65, 0x6e, 0x22, 0xc1, 0x02, 0x0a, 0x09, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x70, 0x6c,
 	0x79, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x08, 0x52, 0x07, 0x69, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0c,
 	0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01,
@@ -285,16 +403,31 @@ var file_auth_proto_rawDesc = []byte{
 	0x6f, 0x48, 0x02, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x88, 0x01, 0x01,
 	0x12, 0x25, 0x0a, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18,
 	0x05, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x03, 0x52, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x61, 0x63, 0x63, 0x65,
-	0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x66,
-	0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x75,
-	0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x70, 0x65, 0x72, 0x6d,
-	0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x3e, 0x0a, 0x04, 0x41, 0x75, 0x74, 0x68, 0x12,
-	0x36, 0x0a, 0x0c, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12,
-	0x12, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68,
-	0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x2e, 0x3b, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x12, 0x20, 0x0a, 0x09, 0x74, 0x69, 0x63, 0x6b, 0x65,
+	0x74, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x04, 0x48, 0x04, 0x52, 0x08, 0x74, 0x69,
+	0x63, 0x6b, 0x65, 0x74, 0x49, 0x64, 0x88, 0x01, 0x01, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x61, 0x63,
+	0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72,
+	0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x0b, 0x0a, 0x09,
+	0x5f, 0x75, 0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x70, 0x65,
+	0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0c, 0x0a, 0x0a, 0x5f, 0x74, 0x69,
+	0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x22, 0x50, 0x0a, 0x10, 0x43, 0x68, 0x65, 0x63, 0x6b,
+	0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74,
+	0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
+	0x6e, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2b, 0x0a, 0x0e, 0x43, 0x68, 0x65,
+	0x63, 0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x69,
+	0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x69,
+	0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x32, 0x7d, 0x0a, 0x04, 0x41, 0x75, 0x74, 0x68, 0x12, 0x36,
+	0x0a, 0x0c, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x12,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x10, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52,
+	0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x09, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x50,
+	0x65, 0x72, 0x6d, 0x12, 0x17, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x68, 0x65, 0x63,
+	0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65,
+	0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x2e, 0x3b, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -309,18 +442,22 @@ func file_auth_proto_rawDescGZIP() []byte {
 	return file_auth_proto_rawDescData
 }

-var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
 var file_auth_proto_goTypes = []interface{}{
-	(*Userinfo)(nil),    // 0: proto.Userinfo
-	(*AuthRequest)(nil), // 1: proto.AuthRequest
-	(*AuthReply)(nil),   // 2: proto.AuthReply
+	(*Userinfo)(nil),         // 0: proto.Userinfo
+	(*AuthRequest)(nil),      // 1: proto.AuthRequest
+	(*AuthReply)(nil),        // 2: proto.AuthReply
+	(*CheckPermRequest)(nil), // 3: proto.CheckPermRequest
+	(*CheckPermReply)(nil),   // 4: proto.CheckPermReply
 }
 var file_auth_proto_depIdxs = []int32{
 	0, // 0: proto.AuthReply.userinfo:type_name -> proto.Userinfo
 	1, // 1: proto.Auth.Authenticate:input_type -> proto.AuthRequest
-	2, // 2: proto.Auth.Authenticate:output_type -> proto.AuthReply
-	2, // [2:3] is the sub-list for method output_type
-	1, // [1:2] is the sub-list for method input_type
+	3, // 2: proto.Auth.CheckPerm:input_type -> proto.CheckPermRequest
+	2, // 3: proto.Auth.Authenticate:output_type -> proto.AuthReply
+	4, // 4: proto.Auth.CheckPerm:output_type -> proto.CheckPermReply
+	3, // [3:5] is the sub-list for method output_type
+	1, // [1:3] is the sub-list for method input_type
 	1, // [1:1] is the sub-list for extension type_name
 	1, // [1:1] is the sub-list for extension extendee
 	0, // [0:1] is the sub-list for field type_name
@@ -368,6 +505,30 @@ func file_auth_proto_init() {
 				return nil
 			}
 		}
+		file_auth_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*CheckPermRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*CheckPermReply); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	file_auth_proto_msgTypes[0].OneofWrappers = []interface{}{}
 	file_auth_proto_msgTypes[1].OneofWrappers = []interface{}{}
@@ -378,7 +539,7 @@ func file_auth_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_auth_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   3,
+			NumMessages:   5,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/pkg/grpc/proto/auth.proto
+++ b/pkg/grpc/proto/auth.proto
@@ -6,6 +6,7 @@ package proto;

 service Auth {
  rpc Authenticate(AuthRequest) returns (AuthReply) {}
+  rpc CheckPerm(CheckPermRequest) returns (CheckPermReply) {}
 }

 message Userinfo {
@@ -29,4 +30,15 @@ message AuthReply {
  optional string refresh_token = 3;
  optional Userinfo userinfo = 4;
  optional bytes permissions = 5;
+  optional uint64 ticket_id = 6;
+}
+
+message CheckPermRequest {
+  string token = 1;
+  string key = 2;
+  bytes value = 3;
+}
+
+message CheckPermReply {
+  bool is_valid = 1;
 }
--- a/pkg/grpc/proto/auth_grpc.pb.go
+++ b/pkg/grpc/proto/auth_grpc.pb.go
@@ -20,6 +20,7 @@ const _ = grpc.SupportPackageIsVersion7

 const (
 	Auth_Authenticate_FullMethodName = "/proto.Auth/Authenticate"
+	Auth_CheckPerm_FullMethodName    = "/proto.Auth/CheckPerm"
 )

 // AuthClient is the client API for Auth service.
@@ -27,6 +28,7 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type AuthClient interface {
 	Authenticate(ctx context.Context, in *AuthRequest, opts ...grpc.CallOption) (*AuthReply, error)
+	CheckPerm(ctx context.Context, in *CheckPermRequest, opts ...grpc.CallOption) (*CheckPermReply, error)
 }

 type authClient struct {
@@ -46,11 +48,21 @@ func (c *authClient) Authenticate(ctx context.Context, in *AuthRequest, opts ...
 	return out, nil
 }

+func (c *authClient) CheckPerm(ctx context.Context, in *CheckPermRequest, opts ...grpc.CallOption) (*CheckPermReply, error) {
+	out := new(CheckPermReply)
+	err := c.cc.Invoke(ctx, Auth_CheckPerm_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // AuthServer is the server API for Auth service.
 // All implementations must embed UnimplementedAuthServer
 // for forward compatibility
 type AuthServer interface {
 	Authenticate(context.Context, *AuthRequest) (*AuthReply, error)
+	CheckPerm(context.Context, *CheckPermRequest) (*CheckPermReply, error)
 	mustEmbedUnimplementedAuthServer()
 }

@@ -61,6 +73,9 @@ type UnimplementedAuthServer struct {
 func (UnimplementedAuthServer) Authenticate(context.Context, *AuthRequest) (*AuthReply, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
 }
+func (UnimplementedAuthServer) CheckPerm(context.Context, *CheckPermRequest) (*CheckPermReply, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CheckPerm not implemented")
+}
 func (UnimplementedAuthServer) mustEmbedUnimplementedAuthServer() {}

 // UnsafeAuthServer may be embedded to opt out of forward compatibility for this service.
@@ -92,6 +107,24 @@ func _Auth_Authenticate_Handler(srv interface{}, ctx context.Context, dec func(i
 	return interceptor(ctx, in, info, handler)
 }

+func _Auth_CheckPerm_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CheckPermRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServer).CheckPerm(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Auth_CheckPerm_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServer).CheckPerm(ctx, req.(*CheckPermRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // Auth_ServiceDesc is the grpc.ServiceDesc for Auth service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -103,6 +136,10 @@ var Auth_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "Authenticate",
 			Handler:    _Auth_Authenticate_Handler,
 		},
+		{
+			MethodName: "CheckPerm",
+			Handler:    _Auth_CheckPerm_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "auth.proto",
--- a/pkg/server/auth_middleware.go
+++ b/pkg/server/auth_middleware.go
@@ -42,12 +42,12 @@ func authFunc(c *fiber.Ctx, overrides ...string) error {
 	}

 	rtk := c.Cookies(services.CookieRefreshKey)
-	if user, perms, atk, rtk, err := services.Authenticate(token, rtk, 0); err == nil {
+	if ctx, perms, atk, rtk, err := services.Authenticate(token, rtk, 0); err == nil {
 		if atk != token {
 			services.SetJwtCookieSet(c, atk, rtk)
 		}
 		c.Locals("permissions", perms)
-		c.Locals("principal", user)
+		c.Locals("principal", ctx.Account)
 		return nil
 	} else {
 		return err
--- a/pkg/services/auth.go
+++ b/pkg/services/auth.go
@@ -11,7 +11,7 @@ import (

 var authContextCache = make(map[string]models.AuthContext)

-func Authenticate(access, refresh string, depth int) (user models.Account, perms map[string]any, newAccess, newRefresh string, err error) {
+func Authenticate(access, refresh string, depth int) (ctx models.AuthContext, perms map[string]any, newAccess, newRefresh string, err error) {
 	var claims PayloadClaims
 	claims, err = DecodeJwt(access)
 	if err != nil {
@@ -29,10 +29,8 @@ func Authenticate(access, refresh string, depth int) (user models.Account, perms
 	newAccess = access
 	newRefresh = refresh

-	var ctx models.AuthContext
 	if ctx, err = GetAuthContext(claims.ID); err == nil {
 		perms = FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
-		user = ctx.Account
 		return
 	}