barrel_server_auth (barrel_server v1.0.0)
View SourceBearer-token auth for the whole REST API.
Two kinds of bearer. Global tokens come from {barrel_server, auth, #{tokens => [Bin]}} (or #{token => Bin}; a LIST makes rotation possible) and open every route. Capability tokens (bsp_..., issued by barrel_caps for one space) authenticate the agent-layer routes (/spaces, /handoffs; the handlers enforce per-route rights via barrel_server_caps) and, scoped to their granted space, the /db/:db surface: the classifier below maps method+path to a required right (pull ops read, writes and push write) and barrel_caps:verify/3 checks the db IS the granted space. Everything unmapped answers 403 (fail closed: new routes must be classified consciously); dead or wrong tokens answer 401. Unconfigured = the middleware is not installed and the server stays open. When installed, every route except /health (probes carry no secrets) requires Authorization: Bearer <token>.
Global-token comparison is constant time: both sides are SHA-256 hashed (fixed length, no length oracle) and compared with crypto:hash_equals/2.
Summary
Functions
The configured token hashes (undefined = open server). The MCP auth provider checks server bearers against the same set.
Middleware state from the app env; undefined = no auth.