Initial commit - SOGOMS v1.0.0

- sogoctl: supervisor avec health checks et restart auto - sogoway: gateway HTTP, auth JWT, routing par hostname - sogoms-db: microservice MariaDB avec pool par application - Protocol IPC Unix socket JSON length-prefixed - Config YAML multi-application (prokov) - Deploy script pour container Alpine gw3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-15 19:09:00 +01:00
commit 7e27f87d6f
64 changed files with 7951 additions and 0 deletions
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -0,0 +1,136 @@
+// Package auth gère l'authentification JWT et les mots de passe.
+package auth
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+)
+
+var (
+	ErrInvalidToken = errors.New("invalid token")
+	ErrExpiredToken = errors.New("token expired")
+)
+
+// Claims représente les claims du JWT.
+type Claims struct {
+	Sub   int64  `json:"sub"`            // User ID
+	Email string `json:"email"`          // Email
+	Name  string `json:"name"`           // Nom
+	App   string `json:"app"`            // Application ID
+	Exp   int64  `json:"exp"`            // Expiration (Unix timestamp)
+	Iat   int64  `json:"iat"`            // Issued at
+}
+
+// JWT gère la génération et validation des tokens.
+type JWT struct {
+	secret     []byte
+	expiration time.Duration
+}
+
+// NewJWT crée un nouveau gestionnaire JWT.
+func NewJWT(secret string, expiration time.Duration) *JWT {
+	return &JWT{
+		secret:     []byte(secret),
+		expiration: expiration,
+	}
+}
+
+// Generate génère un nouveau token JWT.
+func (j *JWT) Generate(userID int64, email, name, appID string) (string, error) {
+	now := time.Now()
+
+	claims := Claims{
+		Sub:   userID,
+		Email: email,
+		Name:  name,
+		App:   appID,
+		Iat:   now.Unix(),
+		Exp:   now.Add(j.expiration).Unix(),
+	}
+
+	return j.encode(claims)
+}
+
+// Validate valide un token et retourne les claims.
+func (j *JWT) Validate(token string) (*Claims, error) {
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return nil, ErrInvalidToken
+	}
+
+	// Vérifier la signature
+	signatureInput := parts[0] + "." + parts[1]
+	expectedSig := j.sign(signatureInput)
+	if parts[2] != expectedSig {
+		return nil, ErrInvalidToken
+	}
+
+	// Décoder les claims
+	claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nil, ErrInvalidToken
+	}
+
+	var claims Claims
+	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
+		return nil, ErrInvalidToken
+	}
+
+	// Vérifier l'expiration
+	if time.Now().Unix() > claims.Exp {
+		return nil, ErrExpiredToken
+	}
+
+	return &claims, nil
+}
+
+// encode encode les claims en JWT.
+func (j *JWT) encode(claims Claims) (string, error) {
+	// Header
+	header := map[string]string{
+		"alg": "HS256",
+		"typ": "JWT",
+	}
+	headerJSON, _ := json.Marshal(header)
+	headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
+
+	// Payload
+	claimsJSON, err := json.Marshal(claims)
+	if err != nil {
+		return "", err
+	}
+	claimsB64 := base64.RawURLEncoding.EncodeToString(claimsJSON)
+
+	// Signature
+	signatureInput := headerB64 + "." + claimsB64
+	signature := j.sign(signatureInput)
+
+	return signatureInput + "." + signature, nil
+}
+
+// sign signe les données avec HMAC-SHA256.
+func (j *JWT) sign(data string) string {
+	h := hmac.New(sha256.New, j.secret)
+	h.Write([]byte(data))
+	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
+}
+
+// ExtractToken extrait le token du header Authorization.
+func ExtractToken(authHeader string) (string, error) {
+	if authHeader == "" {
+		return "", fmt.Errorf("missing authorization header")
+	}
+
+	parts := strings.SplitN(authHeader, " ", 2)
+	if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
+		return "", fmt.Errorf("invalid authorization header format")
+	}
+
+	return parts[1], nil
+}