feat: add IAuthenticator interface and TokenAuthenticator with constant-time comparison

2026-02-22 22:24:53 -05:00
parent 0cce771907
commit 562f89744d
4 changed files with 113 additions and 0 deletions
--- a/src/NATS.Server/Auth/AuthResult.cs
+++ b/src/NATS.Server/Auth/AuthResult.cs
@@ -0,0 +1,9 @@
+namespace NATS.Server.Auth;
+
+public sealed class AuthResult
+{
+    public required string Identity { get; init; }
+    public string? AccountName { get; init; }
+    public Permissions? Permissions { get; init; }
+    public DateTimeOffset? Expiry { get; init; }
+}
--- a/src/NATS.Server/Auth/IAuthenticator.cs
+++ b/src/NATS.Server/Auth/IAuthenticator.cs
@@ -0,0 +1,14 @@
+using NATS.Server.Protocol;
+
+namespace NATS.Server.Auth;
+
+public interface IAuthenticator
+{
+    AuthResult? Authenticate(ClientAuthContext context);
+}
+
+public sealed class ClientAuthContext
+{
+    public required ClientOptions Opts { get; init; }
+    public required byte[] Nonce { get; init; }
+}
--- a/src/NATS.Server/Auth/TokenAuthenticator.cs
+++ b/src/NATS.Server/Auth/TokenAuthenticator.cs
@@ -0,0 +1,28 @@
+using System.Security.Cryptography;
+using System.Text;
+
+namespace NATS.Server.Auth;
+
+public sealed class TokenAuthenticator : IAuthenticator
+{
+    private readonly byte[] _expectedToken;
+
+    public TokenAuthenticator(string token)
+    {
+        _expectedToken = Encoding.UTF8.GetBytes(token);
+    }
+
+    public AuthResult? Authenticate(ClientAuthContext context)
+    {
+        var clientToken = context.Opts.Token;
+        if (string.IsNullOrEmpty(clientToken))
+            return null;
+
+        var clientBytes = Encoding.UTF8.GetBytes(clientToken);
+
+        if (!CryptographicOperations.FixedTimeEquals(clientBytes, _expectedToken))
+            return null;
+
+        return new AuthResult { Identity = "token" };
+    }
+}