Skip to content

Define alpha public authentication status API#64

Merged
snamber merged 5 commits into
mainfrom
feat/authentication-status-api
Jul 18, 2026
Merged

Define alpha public authentication status API#64
snamber merged 5 commits into
mainfrom
feat/authentication-status-api

Conversation

@snamber

@snamber snamber commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add a new alpha public authentication.v1alpha1.AuthenticationService
  • define server-resolved GetAuthenticationStatus with required User and Organization identities
  • include APIKey only when API-key authentication was used
  • keep secrets and CLI-local endpoint/profile/credential-source details out of the schema

This deliberately does not extend Core's private auth.v1.AuthService. Using authentication rather than Core's private auth protobuf package keeps their fully qualified message names distinct, allowing Core to register the new public service alongside its existing private AuthService. The v1alpha1 suffix separately marks the public contract as unstable so this draft can merge without committing to a stable v1 contract.

Public alpha contract

package authentication.v1alpha1;

service AuthenticationService {
  rpc GetAuthenticationStatus(GetAuthenticationStatusRequest) returns (AuthenticationStatus) {}
}

message GetAuthenticationStatusRequest {}

message AuthenticationStatus {
  User user = 1;                  // required
  Organization organization = 2; // required
  APIKey api_key = 3;             // absent for JWT/session auth
}

Leaf messages are authentication.v1alpha1.User, authentication.v1alpha1.Organization, and authentication.v1alpha1.APIKey. Entity IDs use the repository-standard tilebox.v1.ID. APIKey exposes only id, identifier, and description; there is no secret field to accidentally populate.

Requests without valid authentication are expected to return UNAUTHENTICATED at runtime. Runtime implementation is intentionally out of scope here.

Generated-client impact

This repository tracks protobuf sources rather than generated clients. Existing generation produces the new OpenAPI operation at:

POST /authentication.v1alpha1.AuthenticationService/GetAuthenticationStatus

Downstream tilebox-go generation adds:

  • protogen/authentication/v1alpha1/authentication.pb.go
  • protogen/authentication/v1alpha1/authentication_grpc.pb.go
  • protogen/authentication/v1alpha1/authenticationv1alpha1connect/authentication.connect.go

Core and CLI should consume authentication.v1alpha1.AuthenticationService/GetAuthenticationStatus, not the Core-draft auth.v1.AuthService method or the earlier stable-package version from this draft. Core must map its UUID strings/values to tilebox.v1.ID.

Alpha compatibility and promotion

The repository's WIRE_JSON breaking checks remain enabled so accidental incompatibilities stay visible during alpha. If a deliberate breaking alpha revision is needed, publish authentication.v1alpha2. Once the contract matures, promote by adding authentication.v1beta1 or authentication.v1 as a new package and route rather than renaming the live alpha in place. If v1alpha1 has consumers by then, serve both versions during migration before removing alpha.

Validation

Passed locally:

  • buf format --diff --exit-code .
  • buf build .
  • buf lint .
  • buf breaking . --against '.git#branch=main'
  • repository OpenAPI code generation with buf generate
  • downstream tilebox-go-equivalent protobuf, gRPC, and Connect Go generation
  • stale authentication.v1beta1 and authentication.v1 identifier/path check
  • git diff --check

Buf 1.71 exposed a pre-existing formatter issue in apis/tilebox/v1/id.proto: its inline // Nil UUID comment caused the formatter to place ] inside the comment. The second commit moves that explanation to its own line and applies the formatter's one-line list form. Validation semantics are unchanged; this mechanical fix is included only so the repository-wide format check can pass.

During this PR, the unpinned GitHub action advanced from Buf 1.71 to 1.72 and exposed two additional repository-wide formatting changes plus five unused imports on main. The final mechanical commit applies those formatter results and removes only the imports identified by Buf; protobuf descriptors and wire behavior are unchanged. All checks were rerun with Buf 1.72.

Co-authored-by: Stefan Amberger <stefan.amberger@tilebox.com>
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown

The latest Buf updates on your PR. Results from workflow Lint Protobuf / buf (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed✅ passed✅ passed✅ passedJul 18, 2026, 10:04 AM

Co-authored-by: Stefan Amberger <stefan.amberger@tilebox.com>
Co-authored-by: Stefan Amberger <stefan.amberger@tilebox.com>
@snamber snamber changed the title Define public authentication status API Define beta public authentication status API Jul 18, 2026
Co-authored-by: Stefan Amberger <stefan.amberger@tilebox.com>
@snamber
snamber marked this pull request as ready for review July 18, 2026 10:02
Co-authored-by: Stefan Amberger <stefan.amberger@tilebox.com>
@snamber snamber changed the title Define beta public authentication status API Define alpha public authentication status API Jul 18, 2026
@snamber
snamber marked this pull request as draft July 18, 2026 10:04
@snamber
snamber marked this pull request as ready for review July 18, 2026 10:07
@snamber
snamber merged commit b3a1f6d into main Jul 18, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants