Merge pull request #117 from hyp3rd/feat/dist-mem-cache

feat(server): add GET /v1/me identity introspection endpoint

Author: hyp3rd

CHANGELOG.md

@@ -8,6 +8,20 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Added
 
+- **`GET /v1/me` — resolved caller identity.** New scope-protected
+  (`read`) route that reads the resolved `httpauth.Identity` from
+  `c.Locals(httpauth.IdentityKey)` and returns
+  `{ id, scopes }` JSON. Mirrors the new schema documented at
+  [`/v1/me`](cmd/hypercache-server/openapi.yaml). Unblocks the
+  HyperCache Monitor's Phase C2 swap from the legacy
+  `/v1/owners/__probe__` probe to a real introspection of the
+  bound bearer token's grants. Anonymous mode (`AllowAnonymous: true`)
+  returns `id: "anonymous"` with all three scopes — same identity
+  the policy emits internally. Drift test
+  ([`openapi_test.go`](cmd/hypercache-server/openapi_test.go))
+  and auth-coverage table
+  ([`auth_test.go`](cmd/hypercache-server/auth_test.go)) updated
+  in lockstep.
 - **Client API auth v2: multi-token, scoped, mTLS-capable.** New
   [`pkg/httpauth/`](pkg/httpauth/) package with `Policy`,
   `TokenIdentity`, `CertIdentity`, `Scope` types and a

cmd/hypercache-server/auth_test.go

@@ -232,6 +232,7 @@ func TestBearerAuth_AllProtectedRoutes(t *testing.T) {
 		{http.MethodHead, pathCacheKey},
 		{http.MethodDelete, pathCacheKey},
 		{http.MethodGet, "/v1/owners/k"},
+		{http.MethodGet, "/v1/me"},
 		{http.MethodPost, "/v1/cache/batch/get"},
 		{http.MethodPost, "/v1/cache/batch/put"},
 		{http.MethodPost, "/v1/cache/batch/delete"},
@@ -275,6 +276,7 @@ func TestScope_ReadOnlyToken(t *testing.T) {
 	}{
 		// Read scope: 200.
 		{http.MethodGet, "/v1/owners/k", http.StatusOK},
+		{http.MethodGet, "/v1/me", http.StatusOK},
 		// Write scope: 403 (token has Read only).
 		{http.MethodPut, pathCacheKey, http.StatusForbidden},
 		{http.MethodDelete, pathCacheKey, http.StatusForbidden},

cmd/hypercache-server/main.go

@@ -352,6 +352,7 @@ func registerClientRoutes(app *fiber.App, policy httpauth.Policy, nodeCtx *nodeC
 	app.Head("/v1/cache/:key", read, func(c fiber.Ctx) error { return handleHead(c, nodeCtx) })
 	app.Delete("/v1/cache/:key", write, func(c fiber.Ctx) error { return handleDelete(c, nodeCtx) })
 	app.Get("/v1/owners/:key", read, func(c fiber.Ctx) error { return handleOwners(c, nodeCtx) })
+	app.Get("/v1/me", read, handleMe)
 
 	app.Post("/v1/cache/batch/get", read, func(c fiber.Ctx) error { return handleBatchGet(c, nodeCtx) })
 	app.Post("/v1/cache/batch/put", write, func(c fiber.Ctx) error { return handleBatchPut(c, nodeCtx) })
@@ -1175,6 +1176,44 @@ func handleOwners(c fiber.Ctx, nodeCtx *nodeContext) error {
 	})
 }
 
+// meResponse is the body of GET /v1/me — the resolved caller identity
+// after auth middleware ran. Mirrors httpauth.Identity but written as
+// a wire type so the JSON tags are owned by the API surface, not the
+// internal auth package.
+type meResponse struct {
+	ID     string   `json:"id"`
+	Scopes []string `json:"scopes"`
+}
+
+// handleMe implements GET /v1/me — returns the calling principal's
+// identity and granted scopes. Used by the monitor to introspect a
+// bound bearer token without making a no-op probe against another
+// route. The middleware has already populated IdentityKey on every
+// request that reached this handler (anonymous mode included), so
+// the type assertion is safe; a missing or wrong-typed Locals entry
+// is a wiring bug and surfaces as a 500 rather than a silent default.
+func handleMe(c fiber.Ctx) error {
+	identity, ok := c.Locals(httpauth.IdentityKey).(httpauth.Identity)
+	if !ok {
+		return jsonErr(
+			c,
+			fiber.StatusInternalServerError,
+			codeInternal,
+			"identity not resolved by middleware (wiring bug)",
+		)
+	}
+
+	scopes := make([]string, len(identity.Scopes))
+	for i, s := range identity.Scopes {
+		scopes[i] = string(s)
+	}
+
+	return c.JSON(meResponse{
+		ID:     identity.ID,
+		Scopes: scopes,
+	})
+}
+
 func main() { os.Exit(run()) }
 
 // run is the testable main body — separated so deferred cleanup

cmd/hypercache-server/me_test.go

@@ -0,0 +1,152 @@
+package main
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/goccy/go-json"
+	fiber "github.com/gofiber/fiber/v3"
+
+	"github.com/hyp3rd/hypercache/pkg/httpauth"
+)
+
+// TestHandleMe_BodyShape pins the wire shape of GET /v1/me. We mount
+// the handler behind a tiny inline middleware that stuffs a known
+// Identity into Locals — the same shape httpauth.Policy.Middleware
+// installs after a successful auth match — so the assertion is purely
+// about the response body, not the auth resolver. auth_test.go covers
+// the authentication contract; this test covers the rendering one.
+func TestHandleMe_BodyShape(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name     string
+		identity httpauth.Identity
+		want     meResponse
+	}{
+		{
+			name: "read-only operator",
+			identity: httpauth.Identity{
+				ID:     "ops-readonly",
+				Scopes: []httpauth.Scope{httpauth.ScopeRead},
+			},
+			want: meResponse{ID: "ops-readonly", Scopes: []string{"read"}},
+		},
+		{
+			name: "rw operator",
+			identity: httpauth.Identity{
+				ID:     "ops-rw",
+				Scopes: []httpauth.Scope{httpauth.ScopeRead, httpauth.ScopeWrite},
+			},
+			want: meResponse{ID: "ops-rw", Scopes: []string{"read", "write"}},
+		},
+		{
+			name: "anonymous (AllowAnonymous=true on the policy)",
+			identity: httpauth.Identity{
+				ID:     "anonymous",
+				Scopes: []httpauth.Scope{httpauth.ScopeRead, httpauth.ScopeWrite, httpauth.ScopeAdmin},
+			},
+			want: meResponse{ID: "anonymous", Scopes: []string{"read", "write", "admin"}},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := callMeWithIdentity(t, tc.identity)
+			assertMeBody(t, got, tc.want)
+		})
+	}
+}
+
+// callMeWithIdentity drives /v1/me through a fiber app with a single
+// middleware that pre-populates IdentityKey. Returns the decoded
+// response body. Failed status / decode trips the test fatally.
+func callMeWithIdentity(t *testing.T, identity httpauth.Identity) meResponse {
+	t.Helper()
+
+	app := fiber.New()
+	// Stand-in for httpauth.Policy.Middleware — installs the
+	// Locals entry handleMe reads. Test owns the identity it
+	// asserts against.
+	app.Use(func(c fiber.Ctx) error {
+		c.Locals(httpauth.IdentityKey, identity)
+
+		return c.Next()
+	})
+	app.Get("/v1/me", handleMe)
+
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/v1/me", strings.NewReader(""))
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("app.Test: %v", err)
+	}
+
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("status: got %d, want 200", resp.StatusCode)
+	}
+
+	var got meResponse
+
+	err = json.NewDecoder(resp.Body).Decode(&got)
+	if err != nil {
+		t.Fatalf("decode body: %v", err)
+	}
+
+	return got
+}
+
+// assertMeBody compares a decoded meResponse against the expected
+// shape. ID is a single string compare; scopes are ordered slices
+// (handleMe preserves the Identity.Scopes order, so order is part
+// of the contract).
+func assertMeBody(t *testing.T, got, want meResponse) {
+	t.Helper()
+
+	if got.ID != want.ID {
+		t.Errorf("id: got %q, want %q", got.ID, want.ID)
+	}
+
+	if len(got.Scopes) != len(want.Scopes) {
+		t.Fatalf("scopes length: got %d, want %d (got=%v)", len(got.Scopes), len(want.Scopes), got.Scopes)
+	}
+
+	for i, s := range want.Scopes {
+		if got.Scopes[i] != s {
+			t.Errorf("scopes[%d]: got %q, want %q", i, got.Scopes[i], s)
+		}
+	}
+}
+
+// TestHandleMe_MissingLocals covers the wiring-bug path. If a future
+// refactor mounts handleMe without the auth middleware, the type
+// assertion in handleMe falls through to a 500 with codeInternal —
+// not a silent default identity. This test pins that fail-loud
+// behavior so a misconfiguration cannot silently degrade to
+// "everyone is anonymous, with all scopes.".
+func TestHandleMe_MissingLocals(t *testing.T) {
+	t.Parallel()
+
+	app := fiber.New()
+	// No middleware installs IdentityKey — handleMe should 500.
+	app.Get("/v1/me", handleMe)
+
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/v1/me", strings.NewReader(""))
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("app.Test: %v", err)
+	}
+
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusInternalServerError {
+		t.Fatalf("status: got %d, want 500", resp.StatusCode)
+	}
+}

cmd/hypercache-server/openapi.yaml

@@ -248,6 +248,31 @@ paths:
         "400": { $ref: "#/components/responses/BadRequest" }
         "401": { $ref: "#/components/responses/Unauthorized" }
 
+  /v1/me:
+    get:
+      operationId: getIdentity
+      tags: [ meta ]
+      summary: Resolved caller identity.
+      description: |
+        Returns the identity resolved from the request credentials
+        (bearer token, mTLS cert, or `anonymous` when AllowAnonymous
+        is enabled). Includes the granted scopes so callers can
+        introspect their permissions without trial-and-error against
+        scope-protected routes.
+
+        Requires the `read` scope — operators in pure-write or pure-
+        admin token configurations do not need to introspect their
+        own identity for normal cache use; the monitor's login flow
+        is the primary consumer.
+      responses:
+        "200":
+          description: Resolved identity + granted scopes.
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/IdentityResponse"
+        "401": { $ref: "#/components/responses/Unauthorized" }
+
   /v1/cache/batch/get:
     post:
       operationId: batchGet
@@ -468,6 +493,23 @@ components:
           items: { type: string }
         node: { type: string }
 
+    IdentityResponse:
+      type: object
+      required: [ id, scopes ]
+      properties:
+        id:
+          type: string
+          description: |
+            Identity label from the auth config (Tokens[].ID,
+            CertIdentities[].SubjectCN, or `anonymous` when
+            AllowAnonymous is enabled).
+        scopes:
+          type: array
+          description: Permission scopes granted to this identity.
+          items:
+            type: string
+            enum: [ read, write, admin ]
+
     ItemEnvelope:
       type: object
       required: [ key, value, value_encoding, version, node, owners ]

cmd/hypercache-server/openapi_test.go

@@ -96,6 +96,7 @@ func declaredMethodsForPath() map[string]map[string]struct{} {
 		"/v1/openapi.yaml":       {fiber.MethodGet: {}},
 		"/v1/cache/:key":         {fiber.MethodPut: {}, fiber.MethodGet: {}, fiber.MethodHead: {}, fiber.MethodDelete: {}},
 		"/v1/owners/:key":        {fiber.MethodGet: {}},
+		"/v1/me":                 {fiber.MethodGet: {}},
 		"/v1/cache/batch/get":    {fiber.MethodPost: {}},
 		"/v1/cache/batch/put":    {fiber.MethodPost: {}},
 		"/v1/cache/batch/delete": {fiber.MethodPost: {}},

go.mod

@@ -37,8 +37,8 @@ require (
 	github.com/valyala/fasthttp v1.71.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
-	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/net v0.54.0 // indirect
 	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/text v0.37.0 // indirect
 )

go.sum

@@ -85,10 +85,10 @@ go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
 golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=