auth/daemon_token_middleware.ts

Daemon token rotation, persistence, and middleware.

Manages the lifecycle of filesystem-resident daemon tokens: writing to disk, rotation on an interval, and HTTP middleware for authentication.

Pure token primitives (schema, generation, validation) live in daemon_token.ts. See docs/identity.md for design rationale.

Declarations
#

9 declarations

view source

create_daemon_token_middleware
#

auth/daemon_token_middleware.ts view source

(state: DaemonTokenState, deps: QueryDeps): MiddlewareHandler

Create middleware that authenticates via daemon token.

Checks the X-Daemon-Token header. Behavior: - No header: pass through (don't touch existing context) - Header present + valid: build RequestContext from keeper account, set credential_type: 'daemon_token' (overrides any existing session/bearer context) - Header present + invalid: return 401 (fail-closed, no downgrade) - Header present + valid but keeper_account_id is null: return 503

state

the daemon token runtime state

type DaemonTokenState

deps

query dependencies (pool-level db for middleware)

type QueryDeps

returns

MiddlewareHandler

DaemonTokenRotation
#

DaemonTokenRotationOptions
#

auth/daemon_token_middleware.ts view source

DaemonTokenRotationOptions

Options for daemon token rotation.

app_name

Application name (for ~/.{name}/run/daemon_token).

type string

rotation_interval_ms

Rotation interval in ms. Default: 30000 (30s).

type number

DaemonTokenWriteDeps
#

DEFAULT_ROTATION_INTERVAL_MS
#

get_daemon_token_path
#

auth/daemon_token_middleware.ts view source

(runtime: Pick<EnvDeps, "env_get">, name: string): string | null

Get the daemon token file path (~/.{name}/run/daemon_token).

runtime

runtime with env_get capability

type Pick<EnvDeps, "env_get">

name

application name

type string

returns

string | null

path to daemon_token, or null if $HOME is not set

resolve_keeper_account_id
#

auth/daemon_token_middleware.ts view source

(deps: QueryDeps): Promise<string | null>

Resolve the keeper account ID by querying for the account with an active keeper permit.

There is exactly one keeper account (the bootstrap account). Runs once at server startup — the result is cached in DaemonTokenState.keeper_account_id.

deps

query dependencies

type QueryDeps

returns

Promise<string | null>

the keeper account ID, or null if no keeper exists yet (pre-bootstrap)

start_daemon_token_rotation
#

auth/daemon_token_middleware.ts view source

(runtime: Pick<EnvDeps, "env_get"> & FsWriteDeps & { chmod?: ((path: string, mode: number) => Promise<void>) | undefined; } & FsRemoveDeps, deps: QueryDeps, options: DaemonTokenRotationOptions, log: Logger): Promise<...>

Start daemon token rotation.

Generates an initial token, writes it to disk, resolves the keeper account, and sets up periodic rotation. Returns the mutable state object and a stop function.

runtime

runtime with file, env, and remove capabilities

type Pick<EnvDeps, "env_get"> & FsWriteDeps & { chmod?: ((path: string, mode: number) => Promise<void>) | undefined; } & FsRemoveDeps

deps

query dependencies for resolving keeper account

type QueryDeps

options

rotation configuration

type DaemonTokenRotationOptions

log

the logger instance

type Logger

returns

Promise<DaemonTokenRotation>

rotation state and stop function

write_daemon_token
#

auth/daemon_token_middleware.ts view source

(runtime: DaemonTokenWriteDeps, token_path: string, token: string): Promise<void>

Write the current token to disk atomically.

Uses write_file_atomic (temp file + rename) and optionally sets mode 0600.

runtime

runtime with file write capabilities

type DaemonTokenWriteDeps

token_path

path to write the token

type string

token

the raw token string

type string

returns

Promise<void>

Depends on
#

Imported by
#