developer/scrabble-game
1
1
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
master
scrabble-game/backend/internal/session/token.go
T
Ilia Denisov eeaad62b10
Tests · Go / test (push) Successful in 11s
Details
Tests · Integration / integration (push) Successful in 8s
Details
Stage 1: backend foundation (Postgres, sessions, accounts, OTel) 
- internal/postgres: pgx-over-database/sql pool (otelsql), embedded goose
  migrations into schema 'backend', committed go-jet code + cmd/jetgen tool.
- internal/account: durable accounts + unified telegram/email identities
  (UUIDv7 keys), find-or-create provisioning with unique-conflict handling.
- internal/session: opaque 256-bit tokens stored as a SHA-256 hash, revoke-only
  (no TTL); write-through cache gating /readyz; store + service.
- internal/telemetry: OTel tracer/meter providers (none/stdout) + request-timing
  middleware; internal/config gains Postgres + OTel env loading.
- internal/server: /api/v1 {public,user,internal,admin} skeleton + X-User-ID
  middleware; /readyz checks DB ping + cache; main wires
  telemetry -> db+migrate -> warm cache -> server.
- Tests: unit + integration (build tag 'integration', testcontainers
  postgres:17) for migrations, accounts, sessions, readyz; new integration.yaml.
- Docs: ARCHITECTURE, TESTING, PLAN refinements, root + backend READMEs.

Session/account REST handlers deferred to Stage 6 (gateway); OTLP + dashboards
to Stage 11.
2026-06-02 13:52:26 +02:00

36 lines
1.2 KiB
Go
Raw Permalink Blame History

// Package session owns opaque server sessions: minting bearer tokens, resolving
// them to accounts through a write-through in-memory cache, and revoking them.
// Only the SHA-256 hash of a token is persisted; the plaintext is returned to
// the caller once and never stored. Sessions are revoke-only (no TTL).
package session
import (
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"fmt"
)
// tokenBytes is the entropy of an opaque session token: 256 bits.
const tokenBytes = 32
// GenerateToken returns a fresh random opaque token (URL-safe base64, 256-bit)
// together with its hex-encoded SHA-256 hash for storage. The plaintext token
// is handed to the caller once and is never persisted.
func GenerateToken() (token, tokenHash string, err error) {
buf := make([]byte, tokenBytes)
if _, err := rand.Read(buf); err != nil {
return "", "", fmt.Errorf("session: read random token: %w", err)
}
token = base64.RawURLEncoding.EncodeToString(buf)
return token, HashToken(token), nil
}
// HashToken returns the hex-encoded SHA-256 of token. Lookups hash the presented
// token and compare against the stored hash.
func HashToken(token string) string {
sum := sha256.Sum256([]byte(token))
return hex.EncodeToString(sum[:])
}
Reference in New Issue View Git Blame Copy Permalink