Add pluggable auth provider contract

Author: durable-workflow-ops

.env.example

@@ -28,6 +28,7 @@ CACHE_STORE=redis
 # WORKFLOW_* / ACTIVITY_* names are still honored but log a deprecation
 # warning at boot via `php artisan env:audit`.
 
+DW_AUTH_PROVIDER=
 DW_AUTH_DRIVER=token
 DW_AUTH_TOKEN=
 DW_WORKER_TOKEN=

README.md

@@ -586,6 +586,20 @@ as the legacy bearer token.
 
 Set `DW_AUTH_DRIVER=none` to disable authentication (development only).
 
+### Custom Auth Providers
+
+Set `DW_AUTH_PROVIDER` to the fully-qualified class name of a Laravel
+container-resolvable implementation of `App\Contracts\AuthProvider` to replace
+the built-in token/signature provider without editing server middleware. The
+provider returns an `App\Auth\Principal` from `authenticate(Request $request)`
+and receives each route authorization decision as
+`authorize(Principal $principal, string $action, array $resource): bool`.
+
+The route resource includes `allowed_roles`, HTTP method/path, route name, and
+the resolved namespace when available. The authenticated principal is also
+recorded in workflow command attribution so signal/update/query history can
+show the subject, roles, tenant, and non-secret claims supplied by the provider.
+
 ## Deployment
 
 ### Docker
@@ -750,6 +764,7 @@ every operator-facing variable the server honors.
 | `DW_SERVER_ID` | `gethostname()` | Unique identifier for this server instance. |
 | `DW_DEFAULT_NAMESPACE` | `default` | Namespace used when a request omits the namespace header. |
 | `DW_TASK_DISPATCH_MODE` | (unset) | Override for `workflows.v2.task_dispatch_mode`. Set to `queue` to dispatch locally in service mode. |
+| `DW_AUTH_PROVIDER` | (unset) | Optional FQCN implementing `App\Contracts\AuthProvider`; unset uses the built-in driver. |
 | `DW_AUTH_DRIVER` | `token` | `none`, `token`, or `signature`. |
 | `DW_AUTH_TOKEN` | (unset) | Single shared bearer token (backward-compat credential). |
 | `DW_SIGNATURE_KEY` | (unset) | HMAC key used when `DW_AUTH_DRIVER=signature` and no role-scoped key is configured. |

app/Auth/AuthException.php

@@ -0,0 +1,36 @@
+<?php
+
+namespace App\Auth;
+
+use RuntimeException;
+
+final class AuthException extends RuntimeException
+{
+    private function __construct(
+        private readonly int $status,
+        private readonly string $reason,
+        string $message,
+    ) {
+        parent::__construct($message);
+    }
+
+    public static function configuration(string $message): self
+    {
+        return new self(500, 'server_error', $message);
+    }
+
+    public static function unauthenticated(string $message): self
+    {
+        return new self(401, 'unauthorized', $message);
+    }
+
+    public function status(): int
+    {
+        return $this->status;
+    }
+
+    public function reason(): string
+    {
+        return $this->reason;
+    }
+}

app/Auth/ConfiguredAuthProvider.php

@@ -0,0 +1,164 @@
+<?php
+
+namespace App\Auth;
+
+use App\Contracts\AuthProvider;
+use Illuminate\Http\Request;
+
+final class ConfiguredAuthProvider implements AuthProvider
+{
+    private const ROLE_WORKER = 'worker';
+
+    private const ROLE_OPERATOR = 'operator';
+
+    private const ROLE_ADMIN = 'admin';
+
+    private const ROLES = [
+        self::ROLE_WORKER,
+        self::ROLE_OPERATOR,
+        self::ROLE_ADMIN,
+    ];
+
+    public function authenticate(Request $request): Principal
+    {
+        $driver = (string) config('server.auth.driver', 'none');
+
+        return match ($driver) {
+            'none' => Principal::role(self::ROLE_ADMIN, 'none', legacyFullAccess: true, subject: 'anonymous'),
+            'token' => $this->authenticateToken($request),
+            'signature' => $this->authenticateSignature($request),
+            default => throw AuthException::configuration("Unknown auth driver: {$driver}"),
+        };
+    }
+
+    public function authorize(Principal $principal, string $action, array $resource = []): bool
+    {
+        if ($principal->legacyFullAccess()) {
+            return true;
+        }
+
+        $allowedRoles = $resource['allowed_roles'] ?? [];
+
+        if (! is_array($allowedRoles) || $allowedRoles === []) {
+            return false;
+        }
+
+        foreach ($allowedRoles as $role) {
+            if (is_string($role) && $principal->hasRole($role)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private function authenticateToken(Request $request): Principal
+    {
+        $token = config('server.auth.token');
+        $roleTokens = $this->configuredRoleSecrets('server.auth.role_tokens');
+        $hasRoleTokens = $roleTokens !== [];
+        $hasLegacyToken = is_string($token) && $token !== '';
+        $backwardCompatible = (bool) config('server.auth.backward_compatible', true);
+
+        if (! $hasRoleTokens && (! $backwardCompatible || ! $hasLegacyToken)) {
+            throw AuthException::configuration('Auth driver is set to "token" but DW_AUTH_TOKEN is not configured.');
+        }
+
+        $provided = $request->bearerToken();
+
+        if (! $provided) {
+            throw AuthException::unauthenticated('Invalid or missing authentication token.');
+        }
+
+        foreach ($roleTokens as $role => $secret) {
+            if (hash_equals($secret, $provided)) {
+                return Principal::role($role, 'token');
+            }
+        }
+
+        if ($backwardCompatible && $hasLegacyToken && hash_equals($token, $provided)) {
+            return Principal::role(
+                self::ROLE_ADMIN,
+                'token',
+                legacyFullAccess: ! $hasRoleTokens,
+                subject: 'legacy-token',
+                claims: [
+                    'legacy_credential' => true,
+                ],
+            );
+        }
+
+        throw AuthException::unauthenticated('Invalid or missing authentication token.');
+    }
+
+    private function authenticateSignature(Request $request): Principal
+    {
+        $key = config('server.auth.signature_key');
+        $roleKeys = $this->configuredRoleSecrets('server.auth.role_signature_keys');
+        $hasRoleKeys = $roleKeys !== [];
+        $hasLegacyKey = is_string($key) && $key !== '';
+        $backwardCompatible = (bool) config('server.auth.backward_compatible', true);
+
+        if (! $hasRoleKeys && (! $backwardCompatible || ! $hasLegacyKey)) {
+            throw AuthException::configuration('Auth driver is set to "signature" but DW_SIGNATURE_KEY is not configured.');
+        }
+
+        $signature = $request->header('X-Signature');
+
+        if (! $signature) {
+            throw AuthException::unauthenticated('Missing request signature.');
+        }
+
+        $body = $request->getContent();
+
+        foreach ($roleKeys as $role => $secret) {
+            $expected = hash_hmac('sha256', $body, $secret);
+
+            if (hash_equals($expected, $signature)) {
+                return Principal::role($role, 'signature');
+            }
+        }
+
+        if ($backwardCompatible && $hasLegacyKey) {
+            $expected = hash_hmac('sha256', $body, $key);
+
+            if (hash_equals($expected, $signature)) {
+                return Principal::role(
+                    self::ROLE_ADMIN,
+                    'signature',
+                    legacyFullAccess: ! $hasRoleKeys,
+                    subject: 'legacy-signature',
+                    claims: [
+                        'legacy_credential' => true,
+                    ],
+                );
+            }
+        }
+
+        throw AuthException::unauthenticated('Invalid request signature.');
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function configuredRoleSecrets(string $configKey): array
+    {
+        $configured = config($configKey, []);
+
+        if (! is_array($configured)) {
+            return [];
+        }
+
+        $secrets = [];
+
+        foreach (self::ROLES as $role) {
+            $secret = $configured[$role] ?? null;
+
+            if (is_string($secret) && $secret !== '') {
+                $secrets[$role] = $secret;
+            }
+        }
+
+        return $secrets;
+    }
+}

app/Auth/Principal.php

@@ -0,0 +1,126 @@
+<?php
+
+namespace App\Auth;
+
+final class Principal
+{
+    /**
+     * @var array<int, string>
+     */
+    private readonly array $roles;
+
+    /**
+     * @param  array<int, string>  $roles
+     * @param  array<string, mixed>  $claims
+     */
+    public function __construct(
+        private readonly string $subject,
+        array $roles = [],
+        private readonly string $method = 'none',
+        private readonly ?string $tenant = null,
+        private readonly array $claims = [],
+        private readonly bool $legacyFullAccess = false,
+    ) {
+        $this->roles = self::normalizeRoles($roles);
+    }
+
+    /**
+     * @param  array<string, mixed>  $claims
+     */
+    public static function role(
+        string $role,
+        string $method,
+        bool $legacyFullAccess = false,
+        ?string $subject = null,
+        ?string $tenant = null,
+        array $claims = [],
+    ): self {
+        return new self(
+            subject: $subject ?? "role:{$role}",
+            roles: [$role],
+            method: $method,
+            tenant: $tenant,
+            claims: $claims,
+            legacyFullAccess: $legacyFullAccess,
+        );
+    }
+
+    public function subject(): string
+    {
+        return $this->subject;
+    }
+
+    /**
+     * @return array<int, string>
+     */
+    public function roles(): array
+    {
+        return $this->roles;
+    }
+
+    public function primaryRole(): ?string
+    {
+        return $this->roles[0] ?? null;
+    }
+
+    public function hasRole(string $role): bool
+    {
+        return in_array($role, $this->roles, true);
+    }
+
+    public function method(): string
+    {
+        return $this->method;
+    }
+
+    public function tenant(): ?string
+    {
+        return $this->tenant;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function claims(): array
+    {
+        return $this->claims;
+    }
+
+    public function legacyFullAccess(): bool
+    {
+        return $this->legacyFullAccess;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function toAuditContext(): array
+    {
+        return array_filter([
+            'subject' => $this->subject,
+            'roles' => $this->roles,
+            'tenant' => $this->tenant,
+            'claims' => $this->claims,
+            'legacy_full_access' => $this->legacyFullAccess ?: null,
+        ], static fn (mixed $value): bool => $value !== null && $value !== '' && $value !== []);
+    }
+
+    /**
+     * @param  array<int, string>  $roles
+     * @return array<int, string>
+     */
+    private static function normalizeRoles(array $roles): array
+    {
+        $normalized = [];
+
+        foreach ($roles as $role) {
+            $role = trim($role);
+
+            if ($role !== '') {
+                $normalized[] = $role;
+            }
+        }
+
+        return array_values(array_unique($normalized));
+    }
+}

app/Contracts/AuthProvider.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Contracts;
+
+use App\Auth\Principal;
+use Illuminate\Http\Request;
+
+interface AuthProvider
+{
+    public function authenticate(Request $request): Principal;
+
+    /**
+     * @param  array<string, mixed>  $resource
+     */
+    public function authorize(Principal $principal, string $action, array $resource = []): bool;
+}