mirror of https://github.com/usememos/memos.git
115 lines
3.4 KiB
Protocol Buffer
115 lines
3.4 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package memos.api.v1;
|
|
|
|
import "api/v1/user_service.proto";
|
|
import "google/api/annotations.proto";
|
|
import "google/api/field_behavior.proto";
|
|
import "google/protobuf/empty.proto";
|
|
import "google/protobuf/timestamp.proto";
|
|
|
|
option go_package = "gen/api/v1";
|
|
|
|
service AuthService {
|
|
// GetCurrentUser returns the authenticated user's information.
|
|
// Validates the access token and returns user details.
|
|
// Similar to OIDC's /userinfo endpoint.
|
|
rpc GetCurrentUser(GetCurrentUserRequest) returns (GetCurrentUserResponse) {
|
|
option (google.api.http) = {get: "/api/v1/auth/me"};
|
|
}
|
|
|
|
// SignIn authenticates a user with credentials and returns tokens.
|
|
// On success, returns an access token and sets a refresh token cookie.
|
|
// Supports password-based and SSO authentication methods.
|
|
rpc SignIn(SignInRequest) returns (SignInResponse) {
|
|
option (google.api.http) = {
|
|
post: "/api/v1/auth/signin"
|
|
body: "*"
|
|
};
|
|
}
|
|
|
|
// SignOut terminates the user's authentication.
|
|
// Revokes the refresh token and clears the authentication cookie.
|
|
rpc SignOut(SignOutRequest) returns (google.protobuf.Empty) {
|
|
option (google.api.http) = {post: "/api/v1/auth/signout"};
|
|
}
|
|
|
|
// RefreshToken exchanges a valid refresh token for a new access token.
|
|
// The refresh token is read from the HttpOnly cookie.
|
|
// Returns a new short-lived access token.
|
|
rpc RefreshToken(RefreshTokenRequest) returns (RefreshTokenResponse) {
|
|
option (google.api.http) = {
|
|
post: "/api/v1/auth/refresh"
|
|
body: "*"
|
|
};
|
|
}
|
|
}
|
|
|
|
message GetCurrentUserRequest {}
|
|
|
|
message GetCurrentUserResponse {
|
|
// The authenticated user's information.
|
|
User user = 1;
|
|
}
|
|
|
|
message SignInRequest {
|
|
// Nested message for password-based authentication credentials.
|
|
message PasswordCredentials {
|
|
// The username to sign in with.
|
|
string username = 1 [(google.api.field_behavior) = REQUIRED];
|
|
|
|
// The password to sign in with.
|
|
string password = 2 [(google.api.field_behavior) = REQUIRED];
|
|
}
|
|
|
|
// Nested message for SSO authentication credentials.
|
|
message SSOCredentials {
|
|
// The ID of the SSO provider.
|
|
int32 idp_id = 1 [(google.api.field_behavior) = REQUIRED];
|
|
|
|
// The authorization code from the SSO provider.
|
|
string code = 2 [(google.api.field_behavior) = REQUIRED];
|
|
|
|
// The redirect URI used in the SSO flow.
|
|
string redirect_uri = 3 [(google.api.field_behavior) = REQUIRED];
|
|
|
|
// The PKCE code verifier for enhanced security (RFC 7636).
|
|
// Optional - enables PKCE flow protection against authorization code interception.
|
|
string code_verifier = 4 [(google.api.field_behavior) = OPTIONAL];
|
|
}
|
|
|
|
// Authentication credentials. Provide one method.
|
|
oneof credentials {
|
|
// Username and password authentication.
|
|
PasswordCredentials password_credentials = 1;
|
|
|
|
// SSO provider authentication.
|
|
SSOCredentials sso_credentials = 2;
|
|
}
|
|
}
|
|
|
|
message SignInResponse {
|
|
// The authenticated user's information.
|
|
User user = 1;
|
|
|
|
// The short-lived access token for API requests.
|
|
// Store in memory only, not in localStorage.
|
|
string access_token = 2;
|
|
|
|
// When the access token expires.
|
|
// Client should call RefreshToken before this time.
|
|
google.protobuf.Timestamp access_token_expires_at = 3;
|
|
}
|
|
|
|
message SignOutRequest {}
|
|
|
|
message RefreshTokenRequest {}
|
|
|
|
message RefreshTokenResponse {
|
|
// The new short-lived access token.
|
|
string access_token = 1;
|
|
|
|
// When the access token expires.
|
|
google.protobuf.Timestamp expires_at = 2;
|
|
}
|