first commit

proto/api/v1/auth_service.proto

@@ -0,0 +1,114 @@
+syntax = "proto3";
+
+package memos.api.v1;
+
+import "api/v1/user_service.proto";
+import "google/api/annotations.proto";
+import "google/api/field_behavior.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "gen/api/v1";
+
+service AuthService {
+  // GetCurrentUser returns the authenticated user's information.
+  // Validates the access token and returns user details.
+  // Similar to OIDC's /userinfo endpoint.
+  rpc GetCurrentUser(GetCurrentUserRequest) returns (GetCurrentUserResponse) {
+    option (google.api.http) = {get: "/api/v1/auth/me"};
+  }
+
+  // SignIn authenticates a user with credentials and returns tokens.
+  // On success, returns an access token and sets a refresh token cookie.
+  // Supports password-based and SSO authentication methods.
+  rpc SignIn(SignInRequest) returns (SignInResponse) {
+    option (google.api.http) = {
+      post: "/api/v1/auth/signin"
+      body: "*"
+    };
+  }
+
+  // SignOut terminates the user's authentication.
+  // Revokes the refresh token and clears the authentication cookie.
+  rpc SignOut(SignOutRequest) returns (google.protobuf.Empty) {
+    option (google.api.http) = {post: "/api/v1/auth/signout"};
+  }
+
+  // RefreshToken exchanges a valid refresh token for a new access token.
+  // The refresh token is read from the HttpOnly cookie.
+  // Returns a new short-lived access token.
+  rpc RefreshToken(RefreshTokenRequest) returns (RefreshTokenResponse) {
+    option (google.api.http) = {
+      post: "/api/v1/auth/refresh"
+      body: "*"
+    };
+  }
+}
+
+message GetCurrentUserRequest {}
+
+message GetCurrentUserResponse {
+  // The authenticated user's information.
+  User user = 1;
+}
+
+message SignInRequest {
+  // Nested message for password-based authentication credentials.
+  message PasswordCredentials {
+    // The username to sign in with.
+    string username = 1 [(google.api.field_behavior) = REQUIRED];
+
+    // The password to sign in with.
+    string password = 2 [(google.api.field_behavior) = REQUIRED];
+  }
+
+  // Nested message for SSO authentication credentials.
+  message SSOCredentials {
+    // The ID of the SSO provider.
+    int32 idp_id = 1 [(google.api.field_behavior) = REQUIRED];
+
+    // The authorization code from the SSO provider.
+    string code = 2 [(google.api.field_behavior) = REQUIRED];
+
+    // The redirect URI used in the SSO flow.
+    string redirect_uri = 3 [(google.api.field_behavior) = REQUIRED];
+
+    // The PKCE code verifier for enhanced security (RFC 7636).
+    // Optional - enables PKCE flow protection against authorization code interception.
+    string code_verifier = 4 [(google.api.field_behavior) = OPTIONAL];
+  }
+
+  // Authentication credentials. Provide one method.
+  oneof credentials {
+    // Username and password authentication.
+    PasswordCredentials password_credentials = 1;
+
+    // SSO provider authentication.
+    SSOCredentials sso_credentials = 2;
+  }
+}
+
+message SignInResponse {
+  // The authenticated user's information.
+  User user = 1;
+
+  // The short-lived access token for API requests.
+  // Store in memory only, not in localStorage.
+  string access_token = 2;
+
+  // When the access token expires.
+  // Client should call RefreshToken before this time.
+  google.protobuf.Timestamp access_token_expires_at = 3;
+}
+
+message SignOutRequest {}
+
+message RefreshTokenRequest {}
+
+message RefreshTokenResponse {
+  // The new short-lived access token.
+  string access_token = 1;
+
+  // When the access token expires.
+  google.protobuf.Timestamp expires_at = 2;
+}