修复 credentials_saved 状态无法恢复、配对与激活并发冲突,以及 SSF 和身份 Secret 生命周期不完整的问题。新增持久化协调器、取消与清理状态机、事务级并发门禁、受控 SSF 凭据交接、禁用后的延迟 Secret 清理,并对生产环境统一认证及 Discovery 端点强制 HTTPS。 验证:go test ./...;go test -race ./internal/auth ./internal/identity ./internal/identityruntime ./internal/securityevents ./internal/httpapi ./internal/store -count=1;go vet ./...;真实 PostgreSQL 并发及清理成功/冲突回滚测试;pnpm openapi。
31 lines
1.1 KiB
Go
31 lines
1.1 KiB
Go
package httpapi
|
|
|
|
import "net/http"
|
|
|
|
// receiveSecurityEvent accepts an RFC 8417 Security Event Token over RFC 8935 Push.
|
|
//
|
|
// @Summary Receive an SSF Security Event Token
|
|
// @Description Optional endpoint. It validates a stream-specific Bearer before parsing and verifying an ES256 SET. A committed event and a duplicate jti both return an empty 202 response.
|
|
// @Tags Security Events
|
|
// @Accept application/secevent+jwt
|
|
// @Produce json
|
|
// @Param Authorization header string true "Bearer stream-specific-secret"
|
|
// @Param set body string true "Compact signed Security Event Token"
|
|
// @Success 202
|
|
// @Failure 400 {object} map[string]string
|
|
// @Failure 401 {object} map[string]string
|
|
// @Failure 403 {object} map[string]string
|
|
// @Failure 503 {object} map[string]string
|
|
// @Router /api/v1/security-events/ssf [post]
|
|
func (s *Server) receiveSecurityEvent(w http.ResponseWriter, r *http.Request) {
|
|
receiver := s.securityEventReceiver
|
|
if s.identityRuntime != nil {
|
|
receiver = s.identityRuntime.SecurityEventReceiver()
|
|
}
|
|
if receiver == nil {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
receiver.ServeHTTP(w, r)
|
|
}
|