William Gill
12bf35caf8
Greenfield Go multi-tenant IPFS Pinning Service wire-compatible with the
IPFS Pinning Services API spec. Paired 1:1 with Kubo over localhost RPC,
clustered via embedded NATS JetStream, Postgres source-of-truth with
RLS-enforced tenancy, Fiber + huma v2 for the HTTP surface, Authentik
OIDC for session login with kid-rotated HS256 JWT API tokens.
Feature-complete against the 22-milestone build plan, including the
ship-it v1.0 gap items:
* admin CLIs: drain/uncordon, maintenance, mint-token, rotate-key,
prune-denylist, rebalance --dry-run, cache-stats, cluster-presences
* TTL leader election via NATS KV, fence tokens, JetStream dedup
* rebalancer (plan/apply split), reconciler, requeue sweeper
* ristretto caches with NATS-backed cross-node invalidation
(placements live-nodes + token denylist)
* maintenance watchdog for stuck cluster-pause flag
* Prometheus /metrics with CIDR ACL, HTTP/pin/scheduler/cache gauges
* rate limiting: session (10/min) + anonymous global (120/min)
* integration tests: rebalance, refcount multi-org, RLS belt
* goreleaser (tar + deb/rpm/apk + Alpine Docker) targeting Gitea
Stack: Cobra/Viper, Fiber v2 + huma v2, embedded NATS JetStream,
pgx/sqlc/golang-migrate, ristretto, TypeID, prometheus/client_golang,
testcontainers-go.
32 lines
894 B
SQL
32 lines
894 B
SQL
-- name: CreateAPIToken :one
|
|
INSERT INTO api_tokens (jti, org_id, user_id, label, scopes, expires_at)
|
|
VALUES ($1, $2, $3, $4, $5, $6)
|
|
RETURNING *;
|
|
|
|
-- name: GetAPITokenByJTI :one
|
|
SELECT * FROM api_tokens WHERE jti = $1;
|
|
|
|
-- name: ListAPITokensForUser :many
|
|
SELECT * FROM api_tokens
|
|
WHERE org_id = $1 AND user_id = $2 AND revoked_at IS NULL
|
|
ORDER BY created_at DESC;
|
|
|
|
-- name: RevokeAPIToken :exec
|
|
UPDATE api_tokens SET revoked_at = now() WHERE jti = $1;
|
|
|
|
-- name: TouchAPITokenLastUsed :exec
|
|
UPDATE api_tokens SET last_used_at = now() WHERE jti = $1;
|
|
|
|
-- name: AddTokenDenylist :exec
|
|
INSERT INTO token_denylist (jti, expires_at, reason)
|
|
VALUES ($1, $2, $3)
|
|
ON CONFLICT (jti) DO NOTHING;
|
|
|
|
-- name: IsTokenDenied :one
|
|
SELECT EXISTS(
|
|
SELECT 1 FROM token_denylist WHERE jti = $1 AND expires_at > now()
|
|
);
|
|
|
|
-- name: PruneTokenDenylist :exec
|
|
DELETE FROM token_denylist WHERE expires_at <= now();
|