feat: Production readiness improvements for WHOOSH council formation
Major security, observability, and configuration improvements:
## Security Hardening
- Implemented configurable CORS (no more wildcards)
- Added comprehensive auth middleware for admin endpoints
- Enhanced webhook HMAC validation
- Added input validation and rate limiting
- Security headers and CSP policies
## Configuration Management
- Made N8N webhook URL configurable (WHOOSH_N8N_BASE_URL)
- Replaced all hardcoded endpoints with environment variables
- Added feature flags for LLM vs heuristic composition
- Gitea fetch hardening with EAGER_FILTER and FULL_RESCAN options
## API Completeness
- Implemented GetCouncilComposition function
- Added GET /api/v1/councils/{id} endpoint
- Council artifacts API (POST/GET /api/v1/councils/{id}/artifacts)
- /admin/health/details endpoint with component status
- Database lookup for repository URLs (no hardcoded fallbacks)
## Observability & Performance
- Added OpenTelemetry distributed tracing with goal/pulse correlation
- Performance optimization database indexes
- Comprehensive health monitoring
- Enhanced logging and error handling
## Infrastructure
- Production-ready P2P discovery (replaces mock implementation)
- Removed unused Redis configuration
- Enhanced Docker Swarm integration
- Added migration files for performance indexes
## Code Quality
- Comprehensive input validation
- Graceful error handling and failsafe fallbacks
- Backwards compatibility maintained
- Following security best practices
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Claude Code
100
vendor/github.com/golang-jwt/jwt/v5/token.go
generated
vendored
Normal file
100
vendor/github.com/golang-jwt/jwt/v5/token.go
generated
vendored
Normal file
@@ -0,0 +1,100 @@
|
||||
package jwt
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
)
|
||||
|
||||
// Keyfunc will be used by the Parse methods as a callback function to supply
|
||||
// the key for verification. The function receives the parsed, but unverified
|
||||
// Token. This allows you to use properties in the Header of the token (such as
|
||||
// `kid`) to identify which key to use.
|
||||
//
|
||||
// The returned any may be a single key or a VerificationKeySet containing
|
||||
// multiple keys.
|
||||
type Keyfunc func(*Token) (any, error)
|
||||
|
||||
// VerificationKey represents a public or secret key for verifying a token's signature.
|
||||
type VerificationKey interface {
|
||||
crypto.PublicKey | []uint8
|
||||
}
|
||||
|
||||
// VerificationKeySet is a set of public or secret keys. It is used by the parser to verify a token.
|
||||
type VerificationKeySet struct {
|
||||
Keys []VerificationKey
|
||||
}
|
||||
|
||||
// Token represents a JWT Token. Different fields will be used depending on
|
||||
// whether you're creating or parsing/verifying a token.
|
||||
type Token struct {
|
||||
Raw string // Raw contains the raw token. Populated when you [Parse] a token
|
||||
Method SigningMethod // Method is the signing method used or to be used
|
||||
Header map[string]any // Header is the first segment of the token in decoded form
|
||||
Claims Claims // Claims is the second segment of the token in decoded form
|
||||
Signature []byte // Signature is the third segment of the token in decoded form. Populated when you Parse a token
|
||||
Valid bool // Valid specifies if the token is valid. Populated when you Parse/Verify a token
|
||||
}
|
||||
|
||||
// New creates a new [Token] with the specified signing method and an empty map
|
||||
// of claims. Additional options can be specified, but are currently unused.
|
||||
func New(method SigningMethod, opts ...TokenOption) *Token {
|
||||
return NewWithClaims(method, MapClaims{}, opts...)
|
||||
}
|
||||
|
||||
// NewWithClaims creates a new [Token] with the specified signing method and
|
||||
// claims. Additional options can be specified, but are currently unused.
|
||||
func NewWithClaims(method SigningMethod, claims Claims, opts ...TokenOption) *Token {
|
||||
return &Token{
|
||||
Header: map[string]any{
|
||||
"typ": "JWT",
|
||||
"alg": method.Alg(),
|
||||
},
|
||||
Claims: claims,
|
||||
Method: method,
|
||||
}
|
||||
}
|
||||
|
||||
// SignedString creates and returns a complete, signed JWT. The token is signed
|
||||
// using the SigningMethod specified in the token. Please refer to
|
||||
// https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types
|
||||
// for an overview of the different signing methods and their respective key
|
||||
// types.
|
||||
func (t *Token) SignedString(key any) (string, error) {
|
||||
sstr, err := t.SigningString()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
sig, err := t.Method.Sign(sstr, key)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return sstr + "." + t.EncodeSegment(sig), nil
|
||||
}
|
||||
|
||||
// SigningString generates the signing string. This is the most expensive part
|
||||
// of the whole deal. Unless you need this for something special, just go
|
||||
// straight for the SignedString.
|
||||
func (t *Token) SigningString() (string, error) {
|
||||
h, err := json.Marshal(t.Header)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
c, err := json.Marshal(t.Claims)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return t.EncodeSegment(h) + "." + t.EncodeSegment(c), nil
|
||||
}
|
||||
|
||||
// EncodeSegment encodes a JWT specific base64url encoding with padding
|
||||
// stripped. In the future, this function might take into account a
|
||||
// [TokenOption]. Therefore, this function exists as a method of [Token], rather
|
||||
// than a global function.
|
||||
func (*Token) EncodeSegment(seg []byte) string {
|
||||
return base64.RawURLEncoding.EncodeToString(seg)
|
||||
}
|
||||
Reference in New Issue
Block a user