Use JWT auth tokens

Author: k0ngk0ng

README.md

@@ -10,7 +10,7 @@ CPA v6.10 removed the legacy `/v0/management/usage/{export,import}` HTTP endpoin
 - Periodically refreshes auth-files and provider catalogs from CPA management API
 - Computes per-model cost from configurable price-per-1M-token settings
 - Serves an API + SPA at `/usage/*` (subpath configurable)
-- Optional cookie-based password login
+- Optional JWT cookie-based password login
 - Daily 03:00 retention sweep (drops events older than 30 days, then `VACUUM`)
 
 ## Quick start (development)
@@ -75,20 +75,20 @@ All configuration is via environment variables (also see `.env.example`):
 | `METADATA_SYNC_INTERVAL` | `30s` | |
 | `AUTH_ENABLED` | `false` | When true, `LOGIN_PASSWORD` is required |
 | `LOGIN_PASSWORD` | — | Required if `AUTH_ENABLED=true` |
-| `AUTH_SESSION_TTL` | `168h` | |
+| `AUTH_SESSION_TTL` | `168h` | JWT cookie lifetime |
 | `LOG_LEVEL` | `info` | |
 | `LOG_FILE_ENABLED` | `true` | |
 | `LOG_DIR` | `./logs` | Resolved against the process working directory |
 | `LOG_RETENTION_DAYS` | `7` | Lumberjack max-age + max-backups |
 
 ## API surface
 
-All endpoints are mounted under `<APP_BASE_PATH>/api/v1`. Protected endpoints require a valid session cookie when `AUTH_ENABLED=true`.
+All endpoints are mounted under `<APP_BASE_PATH>/api/v1`. Protected endpoints require a valid JWT auth cookie when `AUTH_ENABLED=true`.
 
 | Method | Path | Purpose |
 |---|---|---|
 | GET | `/ping` | liveness + version |
-| GET | `/auth/session` | session status |
+| GET | `/auth/session` | auth status |
 | POST | `/auth/login` | `{ "password": "..." }` |
 | POST | `/auth/logout` | clear cookie |
 | GET | `/status` | drain status (last pop, errors, totals) |
@@ -141,7 +141,7 @@ cmd/server/             entrypoint (ldflag-injected version)
 internal/
   api/                  gin router + handlers + embedded SPA
   app/                  composition root + maintenance loop
-  auth/                 in-memory session manager
+  auth/                 password auth + JWT token manager
   config/               env loader
   cpa/                  CPA HTTP client + RESP redis client
   drain/                pop/decode/insert + metadata orchestration

internal/api/auth_handler.go

@@ -11,19 +11,19 @@ import (
 
 // AuthDeps wires together the auth handler/middleware dependencies.
 type AuthDeps struct {
-	Enabled       bool
-	Password      string
-	CookieName    string
-	BasePath      string
-	Sessions      *auth.SessionManager
+	Enabled    bool
+	Password   string
+	CookieName string
+	BasePath   string
+	Tokens     *auth.TokenManager
 }
 
 // loginRequest is the JSON body of POST /auth/login.
 type loginRequest struct {
 	Password string `json:"password"`
 }
 
-// sessionResponse describes the public session shape (no token).
+// sessionResponse describes the public auth state (no token).
 type sessionResponse struct {
 	Authenticated bool `json:"authenticated"`
 	AuthRequired  bool `json:"auth_required"`
@@ -33,8 +33,8 @@ func sessionHandler(deps AuthDeps) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		ok := true
 		if deps.Enabled {
-			token := readSessionToken(c, deps.CookieName)
-			ok = token != "" && deps.Sessions.Validate(token)
+			token := readAuthToken(c, deps.CookieName)
+			ok = token != "" && deps.Tokens.Validate(token)
 		}
 		c.JSON(http.StatusOK, sessionResponse{Authenticated: ok, AuthRequired: deps.Enabled})
 	}
@@ -55,53 +55,49 @@ func loginHandler(deps AuthDeps) gin.HandlerFunc {
 			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid password"})
 			return
 		}
-		token, expires, err := deps.Sessions.Create()
+		token, expires, err := deps.Tokens.Create()
 		if err != nil {
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "session creation failed"})
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "token creation failed"})
 			return
 		}
-		setSessionCookie(c, deps, token, int(deps.Sessions.TTL().Seconds()))
+		setAuthCookie(c, deps, token, int(deps.Tokens.TTL().Seconds()))
 		c.JSON(http.StatusOK, gin.H{"authenticated": true, "expires_at": expires})
 	}
 }
 
 func logoutHandler(deps AuthDeps) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		token := readSessionToken(c, deps.CookieName)
-		if token != "" {
-			deps.Sessions.Delete(token)
-		}
-		setSessionCookie(c, deps, "", -1)
+		setAuthCookie(c, deps, "", -1)
 		c.JSON(http.StatusOK, gin.H{"authenticated": false})
 	}
 }
 
-// authMiddleware returns a gin middleware enforcing session presence when auth
+// authMiddleware returns a gin middleware enforcing token presence when auth
 // is enabled. When auth is disabled the middleware is a no-op.
 func authMiddleware(deps AuthDeps) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if !deps.Enabled {
 			c.Next()
 			return
 		}
-		token := readSessionToken(c, deps.CookieName)
-		if token == "" || !deps.Sessions.Validate(token) {
+		token := readAuthToken(c, deps.CookieName)
+		if token == "" || !deps.Tokens.Validate(token) {
 			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "authentication required"})
 			return
 		}
 		c.Next()
 	}
 }
 
-func readSessionToken(c *gin.Context, cookieName string) string {
+func readAuthToken(c *gin.Context, cookieName string) string {
 	v, err := c.Cookie(cookieName)
 	if err != nil {
 		return ""
 	}
 	return strings.TrimSpace(v)
 }
 
-func setSessionCookie(c *gin.Context, deps AuthDeps, token string, maxAge int) {
+func setAuthCookie(c *gin.Context, deps AuthDeps, token string, maxAge int) {
 	cookiePath := deps.BasePath
 	if cookiePath == "" {
 		cookiePath = "/"

internal/app/app.go

@@ -89,7 +89,7 @@ func New(cfg *config.Config, build BuildInfo) (*App, error) {
 		MetadataInterval: cfg.MetadataInterval,
 	})
 
-	sessions := auth.NewSessionManager(cfg.SessionTTL)
+	tokens := auth.NewTokenManager(cfg.AuthTokenTTL, cfg.LoginPassword)
 
 	router := api.New(api.RouterConfig{
 		BasePath: cfg.AppBasePath,
@@ -104,7 +104,7 @@ func New(cfg *config.Config, build BuildInfo) (*App, error) {
 			Password:   cfg.LoginPassword,
 			CookieName: cfg.CookieName,
 			BasePath:   cfg.AppBasePath,
-			Sessions:   sessions,
+			Tokens:     tokens,
 		},
 		Usage: api.UsageDeps{
 			Service: usageSvc,

internal/auth/session.go

@@ -1,87 +1,99 @@
-// Package auth implements an in-memory session manager for the optional password
-// login flow. Sessions are opaque random tokens kept in process memory; the
-// process restarting invalidates everyone (acceptable for v1).
+// Package auth implements the optional password login flow. Successful logins
+// receive stateless JWTs signed from the configured login password, so process
+// restarts do not invalidate existing browser cookies.
 package auth
 
 import (
-	"crypto/rand"
+	"crypto/hmac"
+	"crypto/sha256"
 	"crypto/subtle"
-	"encoding/hex"
-	"sync"
+	"encoding/base64"
+	"encoding/json"
+	"strings"
 	"time"
 )
 
-// SessionManager tracks live sessions and their expiry.
-type SessionManager struct {
-	ttl      time.Duration
-	now      func() time.Time
-	generate func() (string, error)
+// TokenManager issues and validates stateless JWTs.
+type TokenManager struct {
+	ttl time.Duration
+	key []byte
+	now func() time.Time
+}
 
-	mu       sync.RWMutex
-	sessions map[string]time.Time
+type jwtClaims struct {
+	Subject   string `json:"sub"`
+	IssuedAt  int64  `json:"iat"`
+	ExpiresAt int64  `json:"exp"`
 }
 
-// NewSessionManager builds a SessionManager with the supplied TTL.
-func NewSessionManager(ttl time.Duration) *SessionManager {
-	return &SessionManager{
-		ttl:      ttl,
-		now:      time.Now,
-		generate: generateToken,
-		sessions: make(map[string]time.Time),
+// NewTokenManager builds a TokenManager with the supplied TTL and signing
+// secret. Tokens remain valid across process restarts as long as the secret
+// (currently the login password) is unchanged.
+func NewTokenManager(ttl time.Duration, secret string) *TokenManager {
+	key := sha256.Sum256([]byte("cpa-usage jwt signing key\x00" + secret))
+	return &TokenManager{
+		ttl: ttl,
+		key: key[:],
+		now: time.Now,
 	}
 }
 
-// Create issues a new session and returns the token + absolute expiry.
-func (m *SessionManager) Create() (string, time.Time, error) {
-	token, err := m.generate()
+// Create issues a new JWT and returns the token + absolute expiry.
+func (m *TokenManager) Create() (string, time.Time, error) {
+	now := m.now()
+	expires := now.Add(m.ttl)
+
+	header, err := json.Marshal(map[string]string{
+		"alg": "HS256",
+		"typ": "JWT",
+	})
+	if err != nil {
+		return "", time.Time{}, err
+	}
+	claims, err := json.Marshal(jwtClaims{
+		Subject:   "cpa-usage",
+		IssuedAt:  now.Unix(),
+		ExpiresAt: expires.Unix(),
+	})
 	if err != nil {
 		return "", time.Time{}, err
 	}
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.cleanupLocked()
-	expires := m.now().Add(m.ttl)
-	m.sessions[token] = expires
-	return token, expires, nil
+
+	unsigned := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
+	return unsigned + "." + m.sign(unsigned), expires, nil
 }
 
-// Validate reports whether token is a known, unexpired session.
-func (m *SessionManager) Validate(token string) bool {
+// Validate reports whether token is a well-formed, signed, unexpired JWT.
+func (m *TokenManager) Validate(token string) bool {
 	if token == "" {
 		return false
 	}
-	m.mu.RLock()
-	expires, ok := m.sessions[token]
-	m.mu.RUnlock()
-	if !ok {
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
 		return false
 	}
-	if !expires.After(m.now()) {
-		m.Delete(token)
+
+	unsigned := parts[0] + "." + parts[1]
+	if !hmac.Equal([]byte(parts[2]), []byte(m.sign(unsigned))) {
 		return false
 	}
-	return true
-}
 
-// Delete removes a session by token. No-op if the token is absent.
-func (m *SessionManager) Delete(token string) {
-	if token == "" {
-		return
+	claimsRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return false
 	}
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	delete(m.sessions, token)
-}
-
-// CleanupExpired drops sessions whose expiry has passed.
-func (m *SessionManager) CleanupExpired() {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.cleanupLocked()
+	var claims jwtClaims
+	if err := json.Unmarshal(claimsRaw, &claims); err != nil {
+		return false
+	}
+	if claims.Subject != "cpa-usage" || claims.ExpiresAt <= 0 {
+		return false
+	}
+	return time.Unix(claims.ExpiresAt, 0).After(m.now())
 }
 
 // TTL returns the configured TTL (used to set cookie max-age).
-func (m *SessionManager) TTL() time.Duration { return m.ttl }
+func (m *TokenManager) TTL() time.Duration { return m.ttl }
 
 // PasswordMatches performs a constant-time compare on the supplied password.
 func PasswordMatches(expected, supplied string) bool {
@@ -91,19 +103,8 @@ func PasswordMatches(expected, supplied string) bool {
 	return subtle.ConstantTimeCompare([]byte(expected), []byte(supplied)) == 1
 }
 
-func (m *SessionManager) cleanupLocked() {
-	now := m.now()
-	for tok, exp := range m.sessions {
-		if !exp.After(now) {
-			delete(m.sessions, tok)
-		}
-	}
-}
-
-func generateToken() (string, error) {
-	buf := make([]byte, 32)
-	if _, err := rand.Read(buf); err != nil {
-		return "", err
-	}
-	return hex.EncodeToString(buf), nil
+func (m *TokenManager) sign(unsigned string) string {
+	mac := hmac.New(sha256.New, m.key)
+	_, _ = mac.Write([]byte(unsigned))
+	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
 }

internal/auth/session_test.go

@@ -0,0 +1,61 @@
+package auth
+
+import (
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestTokenManagerValidatesAcrossInstances(t *testing.T) {
+	now := time.Date(2026, 6, 12, 10, 0, 0, 0, time.UTC)
+	m1 := NewTokenManager(time.Hour, "secret")
+	m1.now = func() time.Time { return now }
+
+	token, expires, err := m1.Create()
+	if err != nil {
+		t.Fatalf("Create: %v", err)
+	}
+	if got, want := strings.Count(token, "."), 2; got != want {
+		t.Fatalf("token dot count = %d, want %d", got, want)
+	}
+	if !expires.Equal(now.Add(time.Hour)) {
+		t.Fatalf("expires = %s, want %s", expires, now.Add(time.Hour))
+	}
+
+	m2 := NewTokenManager(time.Hour, "secret")
+	m2.now = func() time.Time { return now.Add(30 * time.Minute) }
+	if !m2.Validate(token) {
+		t.Fatal("Validate returned false for token signed by another manager instance")
+	}
+}
+
+func TestTokenManagerRejectsWrongSecret(t *testing.T) {
+	now := time.Date(2026, 6, 12, 10, 0, 0, 0, time.UTC)
+	m1 := NewTokenManager(time.Hour, "secret")
+	m1.now = func() time.Time { return now }
+	token, _, err := m1.Create()
+	if err != nil {
+		t.Fatalf("Create: %v", err)
+	}
+
+	m2 := NewTokenManager(time.Hour, "other-secret")
+	m2.now = func() time.Time { return now }
+	if m2.Validate(token) {
+		t.Fatal("Validate returned true for token signed with a different secret")
+	}
+}
+
+func TestTokenManagerRejectsExpiredToken(t *testing.T) {
+	now := time.Date(2026, 6, 12, 10, 0, 0, 0, time.UTC)
+	m := NewTokenManager(time.Hour, "secret")
+	m.now = func() time.Time { return now }
+	token, _, err := m.Create()
+	if err != nil {
+		t.Fatalf("Create: %v", err)
+	}
+
+	m.now = func() time.Time { return now.Add(time.Hour + time.Second) }
+	if m.Validate(token) {
+		t.Fatal("Validate returned true for expired token")
+	}
+}