feat(auth): replace internal auth with JWT token service

- Replace InternalAuthService with TokenService using JWT tokens
- Add support for token issuance, refresh, verification and revocation
- Implement automatic signing key rotation with Redis storage
- Add database migration checks for indexes and foreign key constraints
- Update gRPC endpoints to use token-based authentication
- Remove deprecated API key based authentication system
- Add JSON Web Token support with HMAC-SHA256 signing
- Implement refresh token handling with automatic rotation
- Add token revocation by JTI and user ID
- Update build configuration to include core proto files
- Migrate database schema to handle token-based authentication
- Add comprehensive token validation and verification logic

api/internal/issue_api_key.rs

@@ -1,5 +1,6 @@
 use actix_web::{HttpResponse, web};
 use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
 
 use crate::api::response::ApiResponse;
 use crate::error::AppError;
@@ -7,66 +8,58 @@ use crate::service::AppService;
 use crate::session::Session;
 
 #[derive(Debug, Deserialize, utoipa::ToSchema)]
-pub struct IssueApiKeyRequest {
-    pub service_name: String,
+pub struct IssueTokenRequest {
+    pub user_id: String,
     pub scopes: Vec<String>,
-    pub ttl_hours: Option<u64>,
+    pub ttl_hours: Option<i64>,
+    #[serde(default)]
+    pub extra: HashMap<String, String>,
 }
 
 #[derive(Debug, Serialize, utoipa::ToSchema)]
-pub struct IssueApiKeyResponse {
-    pub api_key: String,
-    pub service_name: String,
-    pub service_id: String,
-    pub scopes: Vec<String>,
+pub struct IssueTokenResponse {
+    pub access_token: String,
+    pub refresh_token: String,
     pub expires_at: i64,
+    pub key_id: String,
 }
 
 #[utoipa::path(
     post,
-    path = "/api/v1/internal/api-keys",
+    path = "/api/v1/internal/tokens",
     tag = "Internal",
-    operation_id = "internalIssueApiKey",
-    request_body = IssueApiKeyRequest,
+    operation_id = "internalIssueToken",
+    request_body = IssueTokenRequest,
     responses(
-        (status = 200, description = "API key issued", body = ApiResponse<IssueApiKeyResponse>),
+        (status = 200, description = "JWT token issued", body = ApiResponse<IssueTokenResponse>),
         (status = 401, description = "Authentication required"),
         (status = 403, description = "Admin permission required"),
     ),
     security(("session_cookie" = []))
 )]
-pub async fn issue_api_key(
+pub async fn issue_token(
     session: Session,
     service: web::Data<AppService>,
-    body: web::Json<IssueApiKeyRequest>,
+    body: web::Json<IssueTokenRequest>,
 ) -> Result<HttpResponse, AppError> {
-    let user_uid = session.user().ok_or(AppError::Unauthorized)?;
+    let _user_uid = session.user().ok_or(AppError::Unauthorized)?;
 
-    let is_owner: bool = sqlx::query_scalar(
-        "SELECT EXISTS(SELECT 1 FROM workspace WHERE owner_id = $1 AND deleted_at IS NULL)",
-    )
-    .bind(user_uid)
-    .fetch_one(service.ctx.db.reader())
-    .await
-    .map_err(AppError::Database)?;
+    let ttl_secs = body.ttl_hours.unwrap_or(1) * 3600;
 
-    if !is_owner {
-        return Err(AppError::Forbidden(
-            "workspace owner permission required".into(),
-        ));
-    }
-
-    let ttl_secs = body.ttl_hours.map(|h| h * 3600);
-    let (api_key, identity) = service
+    let tokens = service
         .internal_auth
-        .issue_api_key(&body.service_name, body.scopes.clone(), ttl_secs)
+        .issue_token(
+            &body.user_id,
+            ttl_secs,
+            body.scopes.clone(),
+            body.extra.clone(),
+        )
         .await?;
 
-    Ok(HttpResponse::Ok().json(ApiResponse::new(IssueApiKeyResponse {
-        api_key,
-        service_name: identity.service_name,
-        service_id: identity.service_id,
-        scopes: identity.scopes,
-        expires_at: identity.expires_at,
+    Ok(HttpResponse::Ok().json(ApiResponse::new(IssueTokenResponse {
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token,
+        expires_at: tokens.expires_at,
+        key_id: tokens.key_id,
     })))
 }

api/internal/mod.rs

@@ -5,6 +5,6 @@ use actix_web::web;
 pub fn configure(cfg: &mut web::ServiceConfig) {
     cfg.service(
         web::scope("/internal")
-            .route("/api-keys", web::post().to(issue_api_key::issue_api_key)),
+            .route("/tokens", web::post().to(issue_api_key::issue_token)),
     );
 }