The default transport for IAltchaVerifier / IAltchaChallengeProvider —
calls a self-hosted altcha service over gRPC.

Wire contract
- Protos/altcha.proto defines svrnty.cqrs.altcha.v1.AltchaService with
  CreateChallenge + VerifyChallenge RPCs. Shipped in this package as
  source-of-truth; Go (and other) implementations vendor a copy.
- Challenge.challenge_hash is named (not "challenge") to avoid a C#
  property/class name collision; the MinimalApi widget JSON remaps.

Runtime
- AltchaGrpcVerifier maps RpcException → AltchaVerifyResult.Fail with
  a diagnostic reason ("verify-timeout", "service-unavailable", etc.)
  so the auth check surfaces a clean Unauthorized without leaking
  transport detail.
- AltchaGrpcChallengeProvider lets create-challenge failures bubble
  (challenge endpoint should 5xx if altcha is down — clients retry).
- AltchaGrpcOptions.TokenProvider hook for consumer-supplied HMAC
  service-token minting (plan-b will plug in ServiceTokenIssuer).
- AddGrpcClient<AltchaServiceClient> registered with HttpClientFactory.
  AddSvrntyAltchaGrpcVerifier(Action<...>) and overload binding from
  IConfiguration cover both wiring styles.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
32 lines
1.3 KiB
C#
namespace Svrnty.CQRS.Altcha.Grpc;

/// <summary>
/// Configuration for <see cref="AltchaGrpcVerifier"/> and
/// <see cref="AltchaGrpcChallengeProvider"/>. Bind from configuration
/// (e.g. <c>"Altcha"</c> section) or pass via the registration delegate.
/// </summary>
public sealed class AltchaGrpcOptions
{
/// <summary>
/// gRPC endpoint of the altcha service. Typically the internal
/// docker / k8s address — e.g. <c>http://altcha:9090</c> or
/// <c>https://altcha.planb.svc.cluster.local:9090</c>.
/// </summary>
public string Endpoint { get; set; } = string.Empty;

/// <summary>
/// Optional per-call HMAC service-token provider. When set, the
/// returned string is sent as <c>Authorization: Bearer <token></c>
/// on every outbound gRPC call. Use this to integrate with whatever
/// service-auth scheme the rest of the deployment uses (e.g. plan-b's
/// <c>ServiceTokenIssuer.GetToken("altcha")</c>).
/// </summary>
public Func<CancellationToken, Task<string>>? TokenProvider { get; set; }

/// <summary>
/// Per-call timeout for both <c>CreateChallenge</c> and
/// <c>VerifyChallenge</c>. Defaults to 5s.
/// </summary>
public TimeSpan CallTimeout { get; set; } = TimeSpan.FromSeconds(5);
}
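Review bot: The Endpoint summary offers http://altcha:9090 as a typical value while the TokenProvider summary says its result is sent as Authorization: Bearer on every outbound call, so the documented combination puts the service token on a plaintext connection. Suggest the TokenProvider summary state that it expects an https endpoint, and that option validation reject a non-https Endpoint whenever TokenProvider is set. Endpoint also defaults to string.Empty and nothing in this file rejects that, so a fail-fast check when the options are bound (non-empty, absolute URI) would surface a misconfiguration at startup rather than on the first verify call.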