🧑‍💻 Add the server side Hyper SDK

.idea/dataSources.local.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
-  <component name="dataSourceStorageLocal" created-in="GO-241.17890.21">
+  <component name="dataSourceStorageLocal" created-in="GO-241.18034.61">
     <data-source name="hy_passport@localhost" uuid="74bcf3ef-a2b9-435b-b9e5-f32902a33b25">
       <database-info product="PostgreSQL" version="16.2 (Homebrew)" jdbc-version="4.2" driver-name="PostgreSQL JDBC Driver" driver-version="42.6.0" dbms="POSTGRES" exact-version="16.2" exact-driver-version="42.6">
         <identifier-quote-string>&quot;</identifier-quote-string>

.idea/workspace.xml

@@ -4,16 +4,13 @@
     <option name="autoReloadType" value="ALL" />
   </component>
   <component name="ChangeListManager">
-    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":wastebasket: Remove HTTP provision to consul">
+    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Drop direct connection and uses consul">
+      <change afterPath="$PROJECT_DIR$/pkg/hyper/auth.go" afterDir="false" />
+      <change afterPath="$PROJECT_DIR$/pkg/hyper/auth_adaptor.go" afterDir="false" />
+      <change afterPath="$PROJECT_DIR$/pkg/hyper/conn.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/.idea/dataSources.local.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources.local.xml" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/go.mod" beforeDir="false" afterPath="$PROJECT_DIR$/go.mod" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/go.sum" beforeDir="false" afterPath="$PROJECT_DIR$/go.sum" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/pkg/internal/gap/server.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/gap/server.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/grpc/client.go" beforeDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/grpc/server.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/grpc/server.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/server/avatar_api.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/avatar_api.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/main.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/main.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/settings.toml" beforeDir="false" afterPath="$PROJECT_DIR$/settings.toml" afterDir="false" />
     </list>
     <option name="SHOW_DIALOG" value="false" />
     <option name="HIGHLIGHT_CONFLICTS" value="true" />
@@ -117,8 +114,8 @@
   <component name="SharedIndexes">
     <attachedChunks>
       <set>
-        <option value="bundled-gosdk-33c477a475b1-e0158606a674-org.jetbrains.plugins.go.sharedIndexes.bundled-GO-241.17890.21" />
+        <option value="bundled-gosdk-33c477a475b1-e0158606a674-org.jetbrains.plugins.go.sharedIndexes.bundled-GO-241.18034.61" />
-        <option value="bundled-js-predefined-1d06a55b98c1-0b3e54e931b4-JavaScript-GO-241.17890.21" />
+        <option value="bundled-js-predefined-1d06a55b98c1-0b3e54e931b4-JavaScript-GO-241.18034.61" />
       </set>
     </attachedChunks>
   </component>
@@ -150,7 +147,6 @@
     </option>
   </component>
   <component name="VcsManagerConfiguration">
-    <MESSAGE value=":zap: Use map to improve message delivery time" />
     <MESSAGE value=":recycle: Improved the notification subscriber API" />
     <MESSAGE value=":sparkles: E2EE Key Exchange" />
     <MESSAGE value=":bug: Bug fixes on E2EE" />
@@ -175,7 +171,8 @@
     <MESSAGE value=":sparkles: Able to read current user's realm profile" />
     <MESSAGE value=":sparkles: Consul registration" />
     <MESSAGE value=":wastebasket: Remove HTTP provision to consul" />
-    <option name="LAST_COMMIT_MESSAGE" value=":wastebasket: Remove HTTP provision to consul" />
+    <MESSAGE value=":sparkles: Drop direct connection and uses consul" />
+    <option name="LAST_COMMIT_MESSAGE" value=":sparkles: Drop direct connection and uses consul" />
   </component>
   <component name="VgoProject">
     <settings-migrated>true</settings-migrated>

pkg/hyper/auth.go

@@ -0,0 +1,63 @@
+package hyper
+
+import (
+	"context"
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/proto"
+	"google.golang.org/grpc"
+	"time"
+)
+
+func (v *HyperConn) DoAuthenticate(atk, rtk string) (acc *proto.Userinfo, accessTk string, refreshTk string, err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	var in *grpc.ClientConn
+	in, err = v.DiscoverServiceGRPC("Hydrogen.Passport")
+	if err != nil {
+		return
+	}
+
+	var reply *proto.AuthReply
+	reply, err = proto.NewAuthClient(in).Authenticate(ctx, &proto.AuthRequest{
+		AccessToken:  atk,
+		RefreshToken: &rtk,
+	})
+	if err != nil {
+		return
+	}
+	if reply != nil {
+		acc = reply.GetUserinfo()
+		accessTk = reply.GetAccessToken()
+		refreshTk = reply.GetRefreshToken()
+		if !reply.IsValid {
+			err = fmt.Errorf("invalid authorization context")
+			return
+		}
+	}
+
+	return
+}
+
+func (v *HyperConn) DoCheckPerm(atk string, key string, val []byte) error {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	in, err := v.DiscoverServiceGRPC("Hydrogen.Passport")
+	if err != nil {
+		return err
+	}
+
+	reply, err := proto.NewAuthClient(in).CheckPerm(ctx, &proto.CheckPermRequest{
+		Token: atk,
+		Key:   key,
+		Value: val,
+	})
+	if err != nil {
+		return err
+	} else if !reply.GetIsValid() {
+		return fmt.Errorf("missing permission: %s", key)
+	}
+
+	return nil
+}

pkg/hyper/auth_adaptor.go

@@ -0,0 +1,68 @@
+package hyper
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/proto"
+	"github.com/gofiber/fiber/v2"
+	jsoniter "github.com/json-iterator/go"
+	"strings"
+	"time"
+)
+
+const CookieAtk = "__hydrogen_atk"
+const CookieRtk = "__hydrogen_rtk"
+
+func (v *HyperConn) AuthMiddleware(c *fiber.Ctx) error {
+	// Detect token
+	var atk string
+	if cookie := c.Cookies(CookieAtk); len(cookie) > 0 {
+		atk = cookie
+	}
+	if header := c.Get(fiber.HeaderAuthorization); len(header) > 0 {
+		tk := strings.Replace(header, "Bearer", "", 1)
+		atk = strings.TrimSpace(tk)
+	}
+
+	c.Locals("p_token", atk)
+
+	if user, newAtk, newRtk, err := v.DoAuthenticate(atk, c.Cookies(CookieRtk)); err == nil {
+		if newAtk != atk {
+			c.Cookie(&fiber.Cookie{
+				Name:     CookieAtk,
+				Value:    newAtk,
+				SameSite: "Lax",
+				Expires:  time.Now().Add(60 * time.Minute),
+				Path:     "/",
+			})
+			c.Cookie(&fiber.Cookie{
+				Name:     CookieRtk,
+				Value:    newRtk,
+				SameSite: "Lax",
+				Expires:  time.Now().Add(24 * 30 * time.Hour),
+				Path:     "/",
+			})
+		}
+		c.Locals("p_user", user)
+		return nil
+	}
+
+	return c.Next()
+}
+
+func (v *HyperConn) EnsureAuthenticated(c *fiber.Ctx) error {
+	if _, ok := c.Locals("p_user").(*proto.Userinfo); !ok {
+		return fiber.NewError(fiber.StatusUnauthorized)
+	}
+
+	return nil
+}
+
+func (v *HyperConn) EnsureGrantedPerm(c *fiber.Ctx, key string, val any) error {
+	if err := v.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	encodedVal, _ := jsoniter.Marshal(val)
+	if err := v.DoCheckPerm(c.Locals("p_token").(string), key, encodedVal); err != nil {
+		return fiber.NewError(fiber.StatusForbidden, err.Error())
+	}
+	return nil
+}

pkg/hyper/conn.go

@@ -0,0 +1,24 @@
+package hyper
+
+import (
+	"fmt"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+type HyperConn struct {
+	Addr string
+}
+
+func NewHyperConn(addr string) *HyperConn {
+	return &HyperConn{Addr: addr}
+}
+
+func (v *HyperConn) DiscoverServiceGRPC(name string) (*grpc.ClientConn, error) {
+	target := fmt.Sprintf("consul://%s/%s", v.Addr, name)
+	return grpc.NewClient(
+		target,
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithDefaultServiceConfig(`{"loadBalancingPolicy": "round_robin"}`),
+	)
+}

pkg/internal/gap/server.go

@@ -2,18 +2,17 @@ package gap
 
 import (
 	"fmt"
+	"strconv"
+	"strings"
+
 	"github.com/hashicorp/consul/api"
 	"github.com/spf13/viper"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
-	"strconv"
-	"strings"
 
 	_ "github.com/mbobakov/grpc-consul-resolver"
 )
 
-var C *api.Client
-
 func Register() error {
 	cfg := api.DefaultConfig()
 	cfg.Address = viper.GetString("consul.addr")
@@ -41,17 +40,13 @@ func Register() error {
 		DeregisterCriticalServiceAfter: "3m",
 	}
 
-	if err := client.Agent().ServiceRegister(registration); err != nil {
+	return client.Agent().ServiceRegister(registration)
-		return err
-	} else {
-		C = client
-		return nil
-	}
 }
 
 func DiscoverPaperclip() (*grpc.ClientConn, error) {
+	target := fmt.Sprintf("consul://%s/Hydrogen.Paperclip", viper.GetString("consul.addr"))
 	return grpc.NewClient(
-		"consul://127.0.0.1:8500/Hydrogen.Paperclip",
+		target,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithDefaultServiceConfig(`{"loadBalancingPolicy": "round_robin"}`),
 	)