Commit be4cbf0
feat(backend/dist): add bearer-token auth, TLS, and lifecycle context cancellation

Introduces three security and reliability improvements to the distributed
HTTP transport layer:

1. Bearer-token authentication (DistHTTPAuth): constant-time token
   validation on the server, automatic request signing on the auto-created
   HTTP client. ServerVerify and ClientSign escape hatches support JWT,
   HMAC, and mTLS-derived identity. Applied to all dist endpoints
   including /health.
2. TLS support via DistHTTPLimits.TLSConfig: wraps TCP listeners with
   tls.NewListener and configures the auto-created client with a matching
   *tls.Config. Forces HTTP/1.1 via ALPN to avoid h2/fasthttp mismatch;
   resolver advertises https:// when TLS is configured.
3. Deterministic lifecycle context cancellation: DistMemory and
   ManagementHTTPServer derive a lifeCtx/lifeCancel pair from the
   constructor context. Stop() cancels lifeCtx before channel tear-down,
   so in-flight handlers and background goroutines observe Done()
   independently of the (usually non-canceling) constructor context.

Additional changes:

- LastServeError() surfaces background serve-goroutine failures instead
  of silently swallowing them
- LifecycleContext() accessor and WithDistHTTPAuth() option added to
  DistMemory; ErrUnauthorized sentinel added
- makePeerURLResolver extracted and shared between tryStartHTTP and
  EnableHTTPForTest
- Integration tests: dist_http_auth_test.go, dist_http_tls_test.go,
  dist_http_lifecycle_test.go

1 parent 501a0da commit be4cbf0
21 files changed
Lines changed: 1031 additions & 4550 deletions
File tree
- internal/sentinel
- pkg
- backend
- stats
- tests
This file was deleted.
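The server-side check described in item 1 of the commit message, as an added example that is not code from this commit or project: a bearer-token gate with constant-time comparison wrapped around every route, /health included. It uses the standard library's net/http rather than the project's fasthttp transport; `requireBearer`, `tokenOK`, `newServer`, `statusFor`, the `/internal/get` route and the token value are all constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenOK hashes both sides so the constant-time compare sees equal lengths.
func tokenOK(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return expected != "" && subtle.ConstantTimeCompare(p[:], e[:]) == 1 // empty config never matches
}

// requireBearer (hypothetical name) wraps the whole handler tree, /health included.
func requireBearer(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, tok, found := strings.Cut(r.Header.Get("Authorization"), " ")
		if !found || !strings.EqualFold(scheme, "Bearer") || !tokenOK(tok, expected) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newServer builds a constructed two-route mux; /internal/get is a made-up path.
func newServer(token string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	mux.HandleFunc("/internal/get", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "value") })
	return requireBearer(token, mux)
}

// statusFor sends one in-memory request and returns the response status.
func statusFor(h http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor(newServer("constructed-sample-token"), "/health", "")) // 401
}
```

Wrapping the mux rather than individual routes is what keeps a later-added endpoint from shipping unauthenticated by omission.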