update
This commit is contained in:
+20
-4
@@ -243,12 +243,28 @@ func main() {
|
||||
|
||||
// UCP Customer REST adapter
|
||||
auditLogPath := filepath.Join(profileDir, "audit.log")
|
||||
customerUCP := ucp.CustomerHandler(pool, auditLogPath,
|
||||
// Session signer is shared by the auth server (HMAC verifier for the
|
||||
// "sid" cookie); NewSigner is stateless once built so a single
|
||||
// instance can be reused across the auth server's NewServer call.
|
||||
sessionSigner := customerauth.NewSigner(authSecret())
|
||||
|
||||
// Cluster-aware ProfileApplier: routes Get/Apply to the replica that
|
||||
// currently owns the grain. With a remote owner we forward there so
|
||||
// the request reads the authoritative in-memory state; with no owner
|
||||
// we let pool.Get / pool.Apply spawn the grain locally from the
|
||||
// disk-backed event log and broadcast ownership. Centralising this
|
||||
// choice in the applicr (rather than HTTP middleware) prevents the
|
||||
// split-brain hazard where a non-owner pod reads a stale or empty
|
||||
// grain from disk and caches it under its own (conflicting)
|
||||
// ownership.
|
||||
applier := &clusterAwareApplier{pool: pool}
|
||||
|
||||
customerUCP := ucp.CustomerHandler(applier, auditLogPath,
|
||||
ucp.WithEmailIndex(emailIndex),
|
||||
ucp.WithCredentialDeleter(credStore),
|
||||
)
|
||||
if signer := loadUCPProfileSigner(); signer != nil {
|
||||
customerUCP = ucp.WithSigning(customerUCP, signer)
|
||||
if ucpSigner := loadUCPProfileSigner(); ucpSigner != nil {
|
||||
customerUCP = ucp.WithSigning(customerUCP, ucpSigner)
|
||||
log.Print("ucp customer signing enabled")
|
||||
}
|
||||
// StripPrefix is required because the sub-mux (CustomerHandler) registers
|
||||
@@ -258,7 +274,7 @@ func main() {
|
||||
|
||||
// Customer auth: password signup/login + session cookies + identity linking.
|
||||
authNotifier := selectAuthNotifier()
|
||||
authHandler := customerauth.NewServer(credStore, pool, customerauth.NewSigner(authSecret()), 0, customerauth.Options{
|
||||
authHandler := customerauth.NewServer(credStore, applier, sessionSigner, 0, customerauth.Options{
|
||||
Notifier: authNotifier,
|
||||
Limiter: limiter,
|
||||
BaseURL: os.Getenv("CUSTOMER_AUTH_BASE_URL"),
|
||||
|
||||
Reference in New Issue
Block a user