barrel_server_auth (barrel_server v1.0.1)

View Source

Bearer-token auth for the whole REST API.

Two kinds of bearer. Global tokens come from {barrel_server, auth, #{tokens => [Bin]}} (or #{token => Bin}; a LIST makes rotation possible) and open every route. Capability tokens (bsp_..., issued by barrel_caps for one space) authenticate the agent-layer routes (/spaces, /handoffs; the handlers enforce per-route rights via barrel_server_caps) and, scoped to their granted space, the /db/:db surface: the classifier below maps method+path to a required right (pull ops read, writes and push write) and barrel_caps:verify/3 checks the db IS the granted space. Everything unmapped answers 403 (fail closed: new routes must be classified consciously); dead or wrong tokens answer 401. Unconfigured = the middleware is not installed and the server stays open. When installed, every route except /health (probes carry no secrets) requires Authorization: Bearer <token>.

Global-token comparison is constant time: both sides are SHA-256 hashed (fixed length, no length oracle) and compared with crypto:hash_equals/2.

Summary

Functions

The configured token hashes (undefined = open server). The MCP auth provider checks server bearers against the same set.

Middleware state from the app env; undefined = no auth.

Functions

call(Req, Next, _)

hashes()

-spec hashes() -> [binary()] | undefined.

The configured token hashes (undefined = open server). The MCP auth provider checks server bearers against the same set.

state_from_env()

-spec state_from_env() -> map() | undefined.

Middleware state from the app env; undefined = no auth.