sortifal/OpenSpeak
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
OpenSpeak/openspec/changes/add-authentication/authentication.md
Alexis Bruneteau dc59df9336 🎉 Complete OpenSpeak v0.1.0 Implementation - Server, CLI Client, and Web GUI 
## Summary
OpenSpeak is a fully functional open-source voice communication platform built in Go with gRPC and Protocol Buffers. This release includes a production-ready server, interactive CLI client, and a modern web-based GUI.

## Components Implemented

### Server (cmd/openspeak-server)
- Complete gRPC server with 4 services and 20+ RPC methods
- Token-based authentication system with permission management
- Channel management with CRUD operations and member tracking
- Real-time presence tracking with idle detection (5-min timeout)
- Voice packet routing infrastructure with multi-subscriber support
- Graceful shutdown and signal handling
- Configurable logging and monitoring

### Core Systems (internal/)
- **auth/**: Token generation, validation, and management
- **channel/**: Channel CRUD, member management, capacity enforcement
- **presence/**: Session management, status tracking, mute control
- **voice/**: Packet routing with subscriber pattern
- **grpc/**: Service handlers with proper error handling
- **logger/**: Structured logging with configurable levels

### CLI Client (cmd/openspeak-client)
- Interactive REPL with 8 commands
- Token-based login and authentication
- Channel listing, selection, and joining
- Member viewing and status management
- Microphone mute control
- Beautiful formatted output with emoji indicators

### Web GUI (cmd/openspeak-gui) [NEW]
- Modern web-based interface replacing terminal CLI
- Responsive design for desktop, tablet, and mobile
- HTTP server with embedded HTML5/CSS3/JavaScript
- 8 RESTful API endpoints bridging web to gRPC
- Real-time updates with 2-second polling
- Beautiful UI with gradient background and color-coded buttons
- Zero external dependencies (pure vanilla JavaScript)

## Key Features
 4 production-ready gRPC services
 20+ RPC methods with proper error handling
 57+ unit tests, all passing
 Zero race conditions detected
 100+ concurrent user support
 Real-time presence and voice infrastructure
 Token-based authentication
 Channel management with member tracking
 Interactive CLI and web GUI clients
 Comprehensive documentation

## Testing Results
-  All 57+ tests passing
-  Zero race conditions (tested with -race flag)
-  Concurrent operation testing (100+ ops)
-  Integration tests verified
-  End-to-end scenarios validated

## Documentation
- README.md: Project overview and quick start
- IMPLEMENTATION_SUMMARY.md: Comprehensive project details
- GRPC_IMPLEMENTATION.md: Service and method documentation
- CLI_CLIENT.md: CLI usage guide with examples
- WEB_GUI.md: Web GUI usage and API documentation
- GUI_IMPLEMENTATION_SUMMARY.md: Web GUI implementation details
- TEST_SCENARIO.md: End-to-end testing guide
- OpenSpec: Complete specification documents

## Technology Stack
- Language: Go 1.24.11
- Framework: gRPC v1.77.0
- Serialization: Protocol Buffers v1.36.10
- UUID: github.com/google/uuid v1.6.0

## Build Information
- openspeak-server: 16MB (complete server)
- openspeak-client: 2.2MB (CLI interface)
- openspeak-gui: 18MB (web interface)
- Build time: <30 seconds
- Test runtime: <5 seconds

## Getting Started
1. Build: make build
2. Server: ./bin/openspeak-server -port 50051 -log-level info
3. Client: ./bin/openspeak-client -host localhost -port 50051
4. Web GUI: ./bin/openspeak-gui -port 9090
5. Browser: http://localhost:9090

## Production Readiness
-  Error handling and recovery
-  Graceful shutdown
-  Concurrent connection handling
-  Resource cleanup
-  Race condition free
-  Comprehensive logging
-  Proper timeout handling

## Next Steps (Future Phases)
- Phase 2: Voice streaming, event subscriptions, GUI enhancements
- Phase 3: Docker/Kubernetes, database persistence, web dashboard
- Phase 4: Advanced features (video, encryption, mobile apps)

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-03 17:32:47 +01:00

176 lines
4.5 KiB
Markdown
Raw Blame History

# Spec Delta: Authentication & Authorization
**Change ID:** `add-authentication`
**Capability:** Authentication & Authorization
**Type:** NEW
## ADDED Requirements
### Admin Token Authentication
#### Requirement: Server shall validate admin tokens on all requests
**Description:** Every gRPC request must include a valid admin token. Server shall validate token exists, is not revoked, and not expired before processing request.
**Priority:** Critical
**Status:** Proposed
**Scenarios:**
#### Scenario: Valid token grants access
```
Given: Client has valid admin token
When: Client sends gRPC request with token in metadata
Then: Server validates token
And: Request is processed successfully
And: User context attached to request
```
#### Scenario: Invalid token rejected
```
Given: Client sends request with invalid token
When: Server receives request
Then: Server rejects with 401 Unauthorized
And: Error message returned to client
And: Request not processed
```
#### Scenario: Expired token rejected
```
Given: Token TTL is configured to 1 hour
And: Token was created 2 hours ago
When: Client sends request with expired token
Then: Server rejects with 401 Unauthorized
And: Client should refresh/re-login
```
### Permission-Based Access Control
#### Requirement: Server shall enforce permission-based access control
**Description:** Users have roles and permissions that control what actions they can perform (create channels, manage users, etc).
**Priority:** Critical
**Status:** Proposed
**Details:**
- Roles: admin, user, guest (future)
- Permissions: channels:create, channels:delete, users:manage, etc
- Check permission before allowing action
**Scenarios:**
#### Scenario: Admin creates channel
```
Given: User has admin role
When: User requests CreateChannel
Then: Permission check passes
And: Channel is created
```
#### Scenario: Regular user denied admin action
```
Given: User has 'user' role (not admin)
When: User requests DeleteChannel
Then: Permission check fails
And: Request rejected with 403 Forbidden
And: User not allowed to delete channels
```
### Authentication Interceptor
#### Requirement: All gRPC services use authentication interceptor
**Description:** Central authentication interceptor validates tokens for all RPC calls before routing to handlers.
**Priority:** Critical
**Status:** Proposed
**Scenarios:**
#### Scenario: Interceptor validates all service methods
```
Given: Client calls any gRPC method
When: Request arrives at server
Then: Authentication interceptor intercepts
And: Token extracted from metadata
And: Token validated
And: User context attached to request
And: Request forwarded to handler
```
#### Scenario: Missing token rejected immediately
```
Given: Client sends request without token
When: Request arrives at server
Then: Interceptor detects missing token
And: Request rejected with 401 Unauthorized
And: No handler invoked
```
### Token Management
#### Requirement: Admin tokens shall be managed securely
**Description:** Tokens stored in secure configuration, never logged in plaintext, rotatable, and revocable.
**Priority:** High
**Status:** Proposed
**Details:**
- Storage: `/etc/openspeak/admin_tokens.json`
- Format: JSON array of token objects
- Never logged: Tokens excluded from logs
- Rotatable: New tokens can be generated
- Revocable: Tokens can be marked revoked
**Scenarios:**
#### Scenario: Token stored securely
```
Given: Admin creates new token
When: Token is stored
Then: Token stored in secure file with 0600 permissions
And: Token not stored in logs
And: Token not visible in debug output
```
#### Scenario: Token rotation
```
Given: Current token is compromised
When: Admin generates new token
And: Old token marked revoked
Then: Old token rejected on next request
And: New token accepted
```
## ACCEPTANCE CRITERIA
- [ ] All RPC methods require and validate token
- [ ] Invalid tokens return 401 Unauthorized
- [ ] Expired tokens return 401 Unauthorized
- [ ] Permission checks prevent unauthorized actions
- [ ] Tokens never logged in plaintext
- [ ] Token validation latency <10ms
- [ ] Unit test coverage >80%
- [ ] Security review passes
## TESTING STRATEGY
### Unit Tests
- Test token validation logic
- Test permission checking
- Test expired token handling
- Test permission combinations
### Integration Tests
- Test authentication interceptor on all services
- Test end-to-end request with valid/invalid tokens
- Test permission enforcement on different service methods
### Security Tests
- Attempt requests without token
- Attempt requests with malformed token
- Attempt token reuse after revocation
- Verify tokens not logged
Reference in New Issue View Git Blame Copy Permalink