nodedb 0.3.0-beta.1

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

// SPDX-License-Identifier: BUSL-1.1

//! Opaque session handle HTTP endpoint.
//!
//! ```text
//! POST /v1/auth/session
//! Authorization: Bearer <jwt-or-api-key>
//!
//! Response: { "session_id": "nds_...", "expires_in": 3600 }
//! ```
//!
//! The returned `session_id` can be used with pgwire connection poolers:
//! ```text
//! SET LOCAL nodedb.auth_session = 'nds_...';
//! SELECT * FROM orders;  -- Uses the cached AuthContext from the session handle
//! ```

use std::net::SocketAddr;

use axum::extract::{ConnectInfo, State};
use axum::http::HeaderMap;
use axum::response::IntoResponse;

use crate::control::security::session_handle::ClientFingerprint;

use super::super::auth::{ApiError, AppState, resolve_auth};
use super::super::types::{HttpSessionResponse, HttpStatusOk};

/// `POST /v1/auth/session` — Create an opaque session handle.
///
/// Validates the bearer token (JWT or API key), creates a server-side
/// cached `AuthContext`, and returns a UUID handle the client can use
/// with `SET LOCAL nodedb.auth_session = '<handle>'` on pgwire connections.
///
/// The caller's `(tenant_id, peer IP)` is captured as a `ClientFingerprint`
/// and bound to the handle; subsequent resolves from a different origin are
/// rejected per the configured `FingerprintMode`.
pub async fn create_session(
    ConnectInfo(peer): ConnectInfo<SocketAddr>,
    headers: HeaderMap,
    State(state): State<AppState>,
) -> Result<impl IntoResponse, ApiError> {
    let (identity, auth_ctx) = resolve_auth(&headers, &state, "http")?;

    let fingerprint = ClientFingerprint::from_peer(identity.tenant_id, &peer);
    let handle = state.shared.session_handles.create(auth_ctx, fingerprint);

    Ok(axum::Json(HttpSessionResponse {
        session_id: handle,
        expires_in: 3600,
    }))
}

/// `DELETE /v1/auth/session` — Invalidate a session handle.
///
/// ```text
/// DELETE /v1/auth/session
/// Authorization: Bearer <jwt-or-api-key>
/// X-Session-Id: nds_...
/// ```
///
/// The caller must present a valid bearer token. A session handle may only be
/// invalidated by the authenticated caller — the identity is verified before
/// any session state is read or mutated.
pub async fn delete_session(
    ConnectInfo(peer): ConnectInfo<SocketAddr>,
    headers: HeaderMap,
    State(state): State<AppState>,
) -> Result<impl IntoResponse, ApiError> {
    // Auth check must come first — return 401/403 before touching session state.
    let _identity = {
        let peer_str = peer.to_string();
        crate::control::server::http::auth::resolve_identity(&headers, &state, &peer_str)?
    };

    let handle = headers
        .get("x-session-id")
        .and_then(|v| v.to_str().ok())
        .ok_or_else(|| ApiError::BadRequest("missing X-Session-Id header".into()))?;

    let found = state.shared.session_handles.invalidate(handle);
    if !found {
        return Err(ApiError::BadRequest("session handle not found".into()));
    }

    Ok(axum::Json(HttpStatusOk::ok()))
}