durable_streams-rails 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f4756bb48c61889c0f2ed552d9dfb96d37e15566a7b2c67d38ee3e48a3d2048
-  data.tar.gz: 12c21fd8ff0842f3d121898fe6fe52da2914aa45b25dd1feb9752e232e40f3ca
+  metadata.gz: 29432e07eb91417e49d52901bc6edce8b6b7a706ed219c31c5b2880c40435e61
+  data.tar.gz: 0c7c63e0ffa19cad00031672cd9549270e28564d55925365ee0ff7dcaa6c4922
 SHA512:
-  metadata.gz: be4dfd3ea33bfc0a1f641d05ce0a05a725e6d2f57a1f88da6145d4dbb2632b874128da7a4aeb682ad422ad1869bff3d984ae6707d6f68e05d52f5778fe770ff6
-  data.tar.gz: 06a91cc06ff3b1d00314632e6f64e7db4ffbe505844ae31c12c75c644f142f703dbe833fec559279f4f6e05a286c4fbe2476121706320b7d55fc88920113e976
+  metadata.gz: 938bffc33ac915645afba73a59a02581414b874817983001b56f4ade9e2d9207c651e98e8cb9de9c47c31879c4a51a2ae3192b858f44a927e0ec0e5596797ddf
+  data.tar.gz: 501936e24acf94fb01a7712d4e3c30cad277e2f6de84879e490dc285d47013aa4b87ebc84d2dd21db5af476d2cf2c9169d5c07100c896a066af51979a3175810

data/README.md

@@ -43,42 +43,50 @@ This creates:
 bin/rails generate durable_streams:install --version=0.1.0
 ```
 
-### Disable route auto-mounting
+## Configuration
+
+### JWT signing
 
-The gem auto-mounts the auth verification endpoint at `/durable_streams/auth/verify`.
-To disable:
+The gem uses asymmetric ES256 JWTs. Rails signs tokens with a private key, Caddy verifies
+with the public key via `ggicci/caddy-jwt` — no callback to Rails.
 
 ```ruby
 # config/initializers/durable_streams.rb
-Rails.application.config.durable_streams.draw_routes = false
+Rails.application.config.durable_streams.signing_key  = Rails.application.credentials.dig(:durable_streams, :signing_key)
+Rails.application.config.durable_streams.signing_kid  = Rails.application.credentials.dig(:durable_streams, :signing_kid)
+Rails.application.config.durable_streams.token_issuer = "https://your-app.com"
 ```
 
-## Configuration
+Generate a key pair:
+
+```bash
+bin/rails durable_streams:generate_keys
+```
+
+### Server config
 
 The server reads `config/durable_streams.yml`:
 
 ```yaml
 default: &default
   port: 4437
-  # route: /v1/streams/*
   auth:
-    url: http://localhost:3000
-    path: /durable_streams/auth/verify
-    copy_headers:
-      - Cookie
+    verify_key: config/caddy/verify_key.pem
+    issuer: https://localhost:3000
+    audience: https://localhost:4437/v1/streams
 
 development:
   <<: *default
 
 production:
-  <<: *default
   domain: streams.example.com
+  tls:
+    cert: /etc/caddy/certs/cert.pem
+    key: /etc/caddy/certs/key.pem
   auth:
-    url: https://app.example.com
-    path: /durable_streams/auth/verify
-    copy_headers:
-      - Cookie
-      - Authorization
+    verify_key: /etc/durable_streams/verify_key.pem
+    issuer: https://your-app.com
+    audience: https://streams.example.com/v1/streams
   storage:
     data_dir: /var/data/durable-streams
 ```
@@ -98,25 +106,17 @@ production:
     key: /etc/caddy/certs/key.pem
   internal:
     port: 4437
-    bind: 10.0.0.5              # Only listen on the private interface.
-    allowed_ips:                 # Caddy remote_ip matcher — 403 for everyone else.
+    bind: 10.0.0.5
+    allowed_ips:
       - 10.0.0.4
   auth:
-    url: https://10.0.0.4       # Connect to Rails over private VNET.
-    host: app.example.com       # Host header + TLS SNI for the Kamal proxy.
-    path: /durable_streams/auth/verify
-    copy_headers:
-      - Cookie
-      - Authorization
+    verify_key: /etc/durable_streams/verify_key.pem
+    issuer: https://your-app.com
+    audience: https://streams.example.com/v1/streams
   storage:
     data_dir: /data/streams
 ```
 
-When `auth.host` is set and the URL is HTTPS, the generated Caddyfile adds
-`header_up Host`, `tls_server_name`, and `tls_insecure_skip_verify` to the auth
-reverse proxy — same pattern as the internal listener's loopback connection. Use this
-when the auth URL is an internal IP and the Kamal proxy routes by Host header.
-
 #### Request flow
 
 A server-to-server write (e.g., Rails broadcasting a message) follows this path:
@@ -148,7 +148,7 @@ Rails (10.0.0.4)
   ▼
 streams.example.com :443 listener (same Caddy process)
   │
-  │  reverse_proxy → app.example.com (validates Bearer token) - this is "forward_auth" expanded
+  │  jwtauth (verifies ES256 JWT locally using public key — no callback to Rails)
   │  durable_streams → writes to bbolt store
   │
   ▼
@@ -376,7 +376,8 @@ the gem doesn't need to know which mode the client will use.
 ### Access control
 
 Only the server may create streams. The server authenticates with the Durable Streams server
-via API key; clients authenticate via signed, expiring tokens generated by this gem.
+via short-lived ES256 JWT Bearer tokens; clients authenticate via signed, expiring tokens
+generated by this gem.
 
 | | Create | Append | Read | Close | Delete | Metadata |
 |---|---|---|---|---|---|---|
@@ -389,9 +390,9 @@ via API key; clients authenticate via signed, expiring tokens generated by this
 
 Client append (planned) enables use cases like live cursors and typing indicators where
 the write payload goes directly to the stream server rather than through a Rails controller.
-The Durable Streams server still performs forward_auth to Rails on every write to verify
+The Durable Streams server verifies ES256 JWTs locally via Caddy's jwtauth on every write to verify
 the signed token, but this is lightweight — pure HMAC verification with no database or
-session loading. For reads (SSE), forward_auth happens once at connection time.
+session loading. For reads (SSE), JWT verification happens once at connection time.
 
 ### Stream provisioning
 
@@ -419,7 +420,7 @@ The gem separates client-facing and server-to-server communication:
 DurableStreams.client_url = ENV.fetch("DURABLE_STREAMS_CLIENT_URL", "http://localhost:4437/v1/streams")
 
 # Server-to-server — used by Rails to POST broadcasts and PUT stream creation.
-# Paired with server_api_key for authentication.
+# Authenticated via short-lived ES256 JWTs (callable Authorization header).
 DurableStreams.server_url = ENV.fetch("DURABLE_STREAMS_SERVER_URL", "http://localhost:4437/v1/streams")
 ```
 
@@ -430,25 +431,24 @@ network address.
 `server_url` is never exposed to clients. `client_url` is never used for server-to-server
 communication.
 
-### Client authentication — signed URLs
+### Client authentication — ES256 JWT signed URLs
 
 Browsers receive signed, expiring URLs via Inertia props (or any server-rendered response).
-The token is generated by `MessageVerifier` and encodes the stream name, permissions
-(`read`/`write`), and an expiration timestamp.
+The token is an ES256 JWT encoding the stream name, permissions (`read`/`write`), issuer,
+and an expiration timestamp.
 
-When a client connects, the Durable Streams server's `forward_auth` sends the request to
-`AuthController#verify`, which validates the token's signature and expiration.
+Caddy's `jwtauth` middleware (via `ggicci/caddy-jwt`) verifies the JWT signature against
+the public key PEM file. No callback to Rails — verification is entirely local.
 
 **The token is domain-agnostic.** It validates *what* (stream name + permissions + expiry),
 not *where* (which host the request is hitting). Network-level controls (firewall/NSG rules)
 must prevent clients from reaching `server_url` directly.
 
-### Server authentication — API key
+### Server authentication — ES256 JWT Bearer tokens
 
-Rails authenticates to the Durable Streams server with a Bearer token (`server_api_key`)
-sent in the `Authorization` header. The key is auto-derived from
-`Rails.application.key_generator` — consistent across all instances of the same app
-without manual configuration.
+Rails authenticates to the Durable Streams server with short-lived ES256 JWTs sent as
+`Authorization: Bearer <JWT>`. A fresh JWT is minted per-request via a callable lambda in
+the engine initializer. The private key is stored in Rails credentials.
 
 ## Future
 

data/lib/durable_streams/rails/engine.rb

@@ -4,9 +4,9 @@ module DurableStreams
   module Rails
     class Engine < ::Rails::Engine
       isolate_namespace DurableStreams::Rails
+      config.eager_load_namespaces << DurableStreams
       config.durable_streams = ActiveSupport::OrderedOptions.new
       config.autoload_once_paths = %W[
-        #{root}/app/controllers
         #{root}/app/models
         #{root}/app/models/concerns
         #{root}/app/jobs
@@ -28,30 +28,28 @@ module DurableStreams
         end
       end
 
-      initializer "durable_streams_rails.configs" do
-        config.after_initialize do |app|
-          DurableStreams.draw_routes = app.config.durable_streams.draw_routes != false
-        end
-      end
-
-      initializer "durable_streams_rails.signed_stream_verifier_key" do
+      initializer "durable_streams_rails.signing_key" do
         config.after_initialize do
-          DurableStreams.signed_stream_verifier_key =
-            config.durable_streams.signed_stream_verifier_key ||
-            ::Rails.application.key_generator.generate_key("durable_streams/signed_stream_verifier_key")
+          if config.durable_streams.signing_key
+            DurableStreams.signing_key   = config.durable_streams.signing_key
+            DurableStreams.signing_kid   = config.durable_streams.signing_kid
+            DurableStreams.token_issuer  = config.durable_streams.token_issuer
+            DurableStreams.token_expiry  = config.durable_streams.token_expiry if config.durable_streams.token_expiry
+          end
         end
       end
 
-      initializer "durable_streams_rails.server_api_key" do
+      # Configures the base durable_streams gem (Ruby client) for server-to-server
+      # calls (PUT, POST, HEAD) to the stream server. The lambda mints a fresh
+      # server JWT per request (120s expiry by default).
+      initializer "durable_streams_rails.ruby_client" do
         config.after_initialize do
-          DurableStreams.server_api_key =
-            config.durable_streams.server_api_key ||
-            ::Rails.application.key_generator.generate_key("durable_streams/server_api_key").unpack1("H*")
-
           if DurableStreams.server_url.present?
             DurableStreams.configure do |c|
               c.base_url = DurableStreams.server_url
-              c.default_headers = { "Authorization" => "Bearer #{DurableStreams.server_api_key}" }
+              c.default_headers = {
+                "Authorization" => -> { "Bearer #{DurableStreams::Rails::Gatekeeper.encode({ "server" => "rails" })}" }
+              }
             end
           end
         end

data/lib/durable_streams/rails/gatekeeper.rb

@@ -0,0 +1,87 @@
+require "jwt"
+require "openssl"
+
+# ES256 JWT signing for Durable Streams authentication.
+#
+# Replaces the symmetric HMAC approach (ActiveSupport::MessageVerifier) with
+# asymmetric ES256 (ECDSA P-256). Rails holds the private key and signs tokens.
+# Caddy verifies with the public key via ggicci/caddy-jwt — no callback to Rails.
+#
+# Descended from the deleted app-level +Gatekeeper+ model (commit e4f9c53),
+# adapted for the gem.
+#
+# ==== Configuration
+#
+#     DurableStreams.signing_key     = Rails.application.credentials.dig(:durable_streams, :signing_key)
+#     DurableStreams.signing_kid     = "es256-20260330"
+#     DurableStreams.token_issuer    = "https://exchange.tokimonki.com"
+#     DurableStreams.token_expiry    = 120  # seconds
+#
+# ==== Key generation
+#
+#     rake durable_streams:generate_keys
+#
+module DurableStreams::Rails::Gatekeeper
+  ALG = "ES256"
+
+  class << self
+    # Encode a payload as an ES256 JWT.
+    #
+    # Standard claims (+iss+, +iat+, +exp+) are merged automatically.
+    # Pass +expires_in+ to override the default expiry.
+    #
+    #     DurableStreams::Rails::Gatekeeper.encode("stream" => "rooms/1/messages", "permissions" => ["read"])
+    #     DurableStreams::Rails::Gatekeeper.encode({ "server" => true }, expires_in: 120)
+    #
+    def encode(payload, expires_in: DurableStreams.token_expiry)
+      now = Time.now.to_i
+
+      claims = payload.merge(
+        "iss" => DurableStreams.token_issuer,
+        "aud" => DurableStreams.client_url,
+        "iat" => now,
+        "exp" => now + expires_in.to_i
+      )
+
+      headers = {}
+      headers["kid"] = DurableStreams.signing_kid if DurableStreams.signing_kid
+
+      ::JWT.encode(claims, signing_key, ALG, headers)
+    end
+
+    # Decode and verify a JWT. Used in testing — production verification happens in Caddy.
+    # The algorithm is hardcoded to ES256 to prevent algorithm confusion attacks.
+    # Issuer is verified to prevent cross-environment token reuse.
+    def decode(token)
+      options = {
+        algorithm: ALG,
+        verify_iss: true,
+        iss: DurableStreams.token_issuer
+      }
+      ::JWT.decode(token, verify_key, true, options).first
+    end
+
+    # Generate an ES256 key pair. Returns [private_pem, public_pem].
+    #
+    #     private_pem, public_pem = DurableStreams::Rails::Gatekeeper.generate_key_pair
+    #
+    def generate_key_pair
+      key = OpenSSL::PKey::EC.generate("prime256v1")
+      [ key.to_pem, key.public_to_pem ]
+    end
+
+    def reset_signing_key
+      @signing_key = nil
+      @verify_key = nil
+    end
+
+    private
+      def signing_key
+        @signing_key ||= OpenSSL::PKey.read(DurableStreams.signing_key)
+      end
+
+      def verify_key
+        @verify_key ||= OpenSSL::PKey.read(signing_key.public_to_pem)
+      end
+  end
+end

data/lib/durable_streams/rails/server_config.rb

@@ -11,6 +11,8 @@ module DurableStreams
       TEMPLATE = ERB.new(<<~'CADDYFILE', trim_mode: "-")
         {
         	admin off
+        	order jwtauth before basicauth
+        	order durable_streams_authorisation after jwtauth
         <%- unless auto_https? -%>
         	auto_https off
         <%- end -%>
@@ -26,6 +28,10 @@ module DurableStreams
         		level <%= log_level %>
         	}
 
+        	@options {
+        		method OPTIONS
+        	}
+
         <%= route_block %>
         }
         <%- if internal -%>
@@ -66,10 +72,19 @@ module DurableStreams
 
       private
         def validate!
+          validate_auth!
           validate_internal!
           validate_log!
         end
 
+        def validate_auth!
+          %w[verify_key issuer audience].each do |field|
+            if (val = auth[field]) && (val.include?("\n") || val.include?("}"))
+              raise ArgumentError, "auth.#{field} contains invalid characters for Caddyfile interpolation"
+            end
+          end
+        end
+
         def validate_internal!
           if internal && !internal_allowed_ips
             raise ArgumentError, "internal.allowed_ips is required when internal is configured"
@@ -118,28 +133,24 @@ module DurableStreams
           t = "\t" * indent
           lines = []
           lines << "#{t}route #{route_path} {"
-          lines << "#{t}\t# Forward auth — verify request with Rails before reaching durable_streams"
-          lines << "#{t}\treverse_proxy #{auth["url"]} {"
-          lines << "#{t}\t\tmethod GET"
-          lines << "#{t}\t\trewrite #{auth["path"]}"
-          lines << "#{t}\t\theader_up Host #{auth_host}" if auth_host
-          lines << "#{t}\t\theader_up X-Forwarded-Method {method}"
-          lines << "#{t}\t\theader_up X-Forwarded-Uri {uri}"
-          if auth_tls_transport?
-            lines << "#{t}\t\ttransport http {"
-            lines << "#{t}\t\t\ttls_server_name #{auth_host}"
-            lines << "#{t}\t\t\ttls_insecure_skip_verify"
-            lines << "#{t}\t\t}"
-          end
-          lines << ""
-          lines << "#{t}\t\t@ok status 200"
-          lines << "#{t}\t\thandle_response @ok {"
-          copy_headers.each { |h| lines << "#{t}\t\t\trequest_header #{h} {rp.header.#{h}}" }
-          lines << "#{t}\t\t}"
-          lines << "#{t}\t\thandle_response {"
-          lines << "#{t}\t\t\trespond 401"
-          lines << "#{t}\t\t}"
+          lines << "#{t}\theader {"
+          lines << "#{t}\t\tAccess-Control-Allow-Origin *"
+          lines << "#{t}\t\tAccess-Control-Allow-Methods \"GET, POST, PUT, DELETE, HEAD, OPTIONS\""
+          lines << "#{t}\t\tAccess-Control-Allow-Headers \"Content-Type, Stream-Seq, Stream-TTL, Stream-Expires-At, Stream-Closed, If-None-Match, Producer-Id, Producer-Epoch, Producer-Seq\""
+          lines << "#{t}\t\tAccess-Control-Expose-Headers \"Stream-Next-Offset, Stream-Cursor, Stream-Up-To-Date, Stream-Closed, ETag, Location, Producer-Epoch, Producer-Seq, Producer-Expected-Seq, Producer-Received-Seq\""
+          lines << "#{t}\t}"
+          lines << "#{t}\trespond @options 204"
+          lines << "#{t}\tjwtauth {"
+          lines << "#{t}\t\tsign_alg ES256"
+          lines << "#{t}\t\tsign_key {file.#{auth["verify_key"]}}"
+          lines << "#{t}\t\tfrom_query token"
+          lines << "#{t}\t\tuser_claims stream server"
+          lines << "#{t}\t\tmeta_claims \"permissions -> permissions\" \"server -> server\" \"identity -> identity\""
+          lines << "#{t}\t\tissuer_whitelist #{auth["issuer"]}" if auth["issuer"]
+          lines << "#{t}\t\taudience_whitelist #{auth["audience"]}" if auth["audience"]
           lines << "#{t}\t}"
+          lines << "#{t}\theader Referrer-Policy no-referrer"
+          lines << "#{t}\tdurable_streams_authorisation"
 
           directives = storage_directives
           if directives.any?
@@ -162,18 +173,6 @@ module DurableStreams
           @config.fetch("auth")
         end
 
-        def copy_headers
-          auth.fetch("copy_headers", [ "Cookie" ])
-        end
-
-        def auth_host
-          auth["host"]
-        end
-
-        def auth_tls_transport?
-          auth_host && auth["url"].start_with?("https://")
-        end
-
         def storage_directives
           storage = @config.fetch("storage", {})
           STORAGE_DIRECTIVES.filter_map { |key| "#{key} #{storage[key]}" if storage[key] }

data/lib/durable_streams/rails/stream_name.rb

@@ -1,34 +1,13 @@
-# Stream names are how we identify which updates should go to which subscribers. Since stream names
-# are exposed directly to the client via signed URL tokens, we need to ensure that the name isn't
-# tampered with, so the names are signed upon generation and verified upon receipt. All verification
-# happens through the <tt>DurableStreams.signed_stream_verifier</tt>.
+# Stream names identify which updates go to which subscribers. They are derived
+# from Active Record models (via +to_gid_param+) or plain strings (via +to_param+),
+# joined with +/+ for compound stream identifiers.
+#
+#     DurableStreams.stream_name_from([:rooms, room, :messages])
+#     # => "rooms/gid://app/Room/1/messages"
 #
-# Tokens embed a permissions array (<tt>["read"]</tt>, <tt>["write"]</tt>, or
-# <tt>["read", "write"]</tt>) that determines what operations the client can perform.
-# The auth controller checks the permissions against the HTTP method of the incoming request.
 module DurableStreams::Rails::StreamName
   PERMISSIONS = %w[ read write ].freeze
 
-  # Verifies a signed token and returns the payload hash.
-  # Returns +nil+ if the token is invalid or expired.
-  #
-  #     DurableStreams.verified_stream_name(token)
-  #     # => { "stream" => "gid://app/Room/1/messages", "permissions" => ["read"] }
-  def verified_stream_name(signed_stream_name)
-    DurableStreams.signed_stream_verifier.verified signed_stream_name
-  end
-
-  # Generates a signed token embedding the stream name and permissions.
-  #
-  # Tokens generated without +expires_in+ never expire. Prefer
-  # <tt>DurableStreams.signed_stream_url</tt> for client-facing URLs.
-  def signed_stream_name(streamables, permissions: [ "read" ], expires_in: nil)
-    DurableStreams.signed_stream_verifier.generate(
-      { "stream" => stream_name_from(streamables), "permissions" => permissions.map(&:to_s) },
-      expires_in: expires_in
-    )
-  end
-
   private
     def stream_name_from(streamables)
       if streamables.is_a?(Array)
@@ -37,4 +16,11 @@ module DurableStreams::Rails::StreamName
         streamables.then { |streamable| streamable.try(:to_gid_param) || streamable.to_param }
       end
     end
+
+    def ensure_known_permissions!(permissions)
+      unknown = permissions.map(&:to_s) - PERMISSIONS
+      if unknown.any?
+        raise ArgumentError, "Unknown permissions: #{unknown.join(", ")}. Known: #{PERMISSIONS.join(", ")}"
+      end
+    end
 end

data/lib/durable_streams/rails/version.rb

@@ -1,5 +1,5 @@
 module DurableStreams
   module Rails
-    VERSION = "0.7.0"
+    VERSION = "0.8.0"
   end
 end

data/lib/durable_streams-rails.rb

@@ -4,6 +4,7 @@ require "durable_streams/rails/stream_name"
 require "durable_streams/rails/stream_provisioner"
 require "durable_streams/rails/broadcasts"
 require "durable_streams/rails/feeds"
+require "durable_streams/rails/gatekeeper"
 require "durable_streams/rails/testing"
 require "active_support/core_ext/module/attribute_accessors_per_thread"
 
@@ -16,27 +17,23 @@ module DurableStreams
 
   mattr_accessor :client_url
   mattr_accessor :server_url
-  mattr_accessor :draw_routes, default: true
-  mattr_accessor :signed_stream_url_expires_in, default: 24.hours
+  mattr_accessor :signed_stream_url_expires_in, default: 15.minutes
 
-  class << self
-    attr_writer :signed_stream_verifier_key, :server_api_key
-
-    def signed_stream_verifier
-      @signed_stream_verifier ||= ActiveSupport::MessageVerifier.new(signed_stream_verifier_key, digest: "SHA256", serializer: JSON)
-    end
+  # JWT signing configuration
+  mattr_accessor :signing_kid
+  mattr_accessor :token_issuer
+  mattr_accessor :token_expiry, default: 120
 
-    def signed_stream_verifier_key
-      @signed_stream_verifier_key or raise ArgumentError, "DurableStreams requires a signed_stream_verifier_key"
-    end
+  class << self
+    attr_writer :signing_key
 
-    def server_api_key
-      @server_api_key or raise ArgumentError, "DurableStreams requires a server_api_key"
+    def signing_key
+      @signing_key or raise ArgumentError, "DurableStreams requires a signing_key (ES256 private key PEM)"
     end
 
     # Generates a signed URL that grants a client read (or read/write) access to a
-    # Durable Stream identified by the given +streamables+. The URL embeds a signed
-    # token with the stream name, permissions, and expiry.
+    # Durable Stream identified by the given +streamables+. The URL embeds an ES256
+    # JWT with the stream name, permissions, and expiry.
     #
     # Calls <tt>ensure_stream_exists</tt> to guarantee the stream has been created on
     # the server (PUT, cached after the first call per stream per process — see
@@ -45,14 +42,36 @@ module DurableStreams
     #     DurableStreams.signed_stream_url(room, :messages)
     #     # => "http://localhost:4437/v1/streams/gid://app/Room/1/messages?token=..."
     #
-    def signed_stream_url(*streamables, permissions: [ :read ], expires_in: DurableStreams.signed_stream_url_expires_in)
+    def signed_stream_url(*streamables, permissions: [ :read ], identity: nil, expires_in: DurableStreams.signed_stream_url_expires_in)
+      url, token = signed_stream_primitives(*streamables, permissions: permissions, identity: identity, expires_in: expires_in)
+      "#{url}?token=#{token}"
+    end
+
+    # Returns the stream URL and JWT token as separate values.
+    #
+    # The URL is the stable endpoint that never changes. The token is a short-lived
+    # ES256 JWT that must be refreshed before expiry. Returning them separately lets
+    # the frontend pass the token as a function-valued param to the Durable Streams
+    # client, enabling automatic token refresh on reconnect.
+    #
+    #     url, token = DurableStreams.signed_stream_primitives(room, :messages)
+    #     # url   => "http://localhost:4437/v1/streams/gid://app/Room/1/messages"
+    #     # token => "eyJ..."
+    #
+    def signed_stream_primitives(*streamables, permissions: [ :read ], identity: nil, expires_in: DurableStreams.signed_stream_url_expires_in)
+      ensure_known_permissions!(permissions)
+
       path = stream_name_from(streamables)
       ensure_stream_exists(path)
-      token = signed_stream_verifier.generate(
-        { "stream" => path, "permissions" => permissions.map(&:to_s) },
-        expires_in: expires_in
-      )
-      "#{client_url}/#{path}?token=#{token}"
+
+      claims = {
+        "stream" => path,
+        "permissions" => permissions.map(&:to_s),
+        "identity" => identity&.to_s
+      }.compact
+
+      token = DurableStreams::Rails::Gatekeeper.encode(claims, expires_in: expires_in)
+      [ "#{client_url}/#{path}", token ]
     end
 
     # Returns the current tail offset of the stream as an opaque string. The tail offset
@@ -79,22 +98,5 @@ module DurableStreams
       ensure_stream_exists(path)
       feed_head_offset(path)
     end
-
-    # Verifies the signed token embedded in a stream URL. Used by the auth controller
-    # to validate forward_auth requests from the Durable Streams server.
-    #
-    # Returns a hash with <tt>"stream"</tt> and <tt>"permissions"</tt> keys, or +nil+
-    # if the token is invalid or expired.
-    def verify_signed_url(url)
-      if token = extract_token_from_url(url)
-        verified_stream_name(token)
-      end
-    end
-
-    def extract_token_from_url(url)
-      if query = URI(url).query
-        Rack::Utils.parse_query(query)["token"]
-      end
-    end
   end
 end

data/lib/generators/durable_streams/install/templates/durable_streams.yml.tt

@@ -11,10 +11,8 @@ default: &default
   #   format: console               # "console" (human-readable) or "json" (structured). Default: console
   #   level: INFO                   # INFO, WARN, or ERROR. Default: INFO
   auth:
-    url: http://localhost:3000
-    path: /durable_streams/auth/verify
-    copy_headers:
-      - Cookie
+    verify_key: config/caddy/verify_key.pem
+    issuer: https://localhost:3000
 
 development:
   <<: *default
@@ -37,11 +35,8 @@ production:
   #   format: json
   #   level: WARN
   auth:
-    url: https://app.example.com
-    path: /durable_streams/auth/verify
-    copy_headers:
-      - Cookie
-      - Authorization
+    verify_key: /etc/durable_streams/verify_key.pem
+    issuer: https://app.example.com
   storage:
     data_dir: /var/data/durable-streams
     # max_file_handles: 100          # Connection pool for segment files. Default: 100

data/lib/generators/durable_streams/install/templates/initializer.rb.tt

@@ -5,3 +5,9 @@ DurableStreams.client_url = ENV.fetch("DURABLE_STREAMS_CLIENT_URL", "http://loca
 # In single-server setups this matches client_url. In multi-server deployments
 # this should point to the internal address of the Durable Streams server.
 DurableStreams.server_url = ENV.fetch("DURABLE_STREAMS_SERVER_URL", "http://localhost:4437/v1/streams")
+
+# ES256 JWT signing — private key signs tokens, Caddy verifies with public key.
+# Generate a key pair: bin/rails durable_streams:generate_keys
+Rails.application.config.durable_streams.signing_key  = Rails.application.credentials.dig(:durable_streams, :signing_key)
+Rails.application.config.durable_streams.signing_kid  = Rails.application.credentials.dig(:durable_streams, :signing_kid)
+Rails.application.config.durable_streams.token_issuer = "http://localhost:3000"

data/lib/tasks/durable_streams.rake

@@ -12,56 +12,27 @@ namespace :durable_streams do
     puts "Generated #{output_path} (#{environment})"
   end
 
-  desc "Download the Durable Streams server binary for the current platform"
-  task :download do
-    require "net/http"
-    require "json"
-
-    resolve_latest_version = lambda do
-      uri = URI("https://api.github.com/repos/durable-streams/durable-streams/releases/latest")
-      response = Net::HTTP.get(uri)
-      tag = JSON.parse(response).fetch("tag_name")
-      tag.delete_prefix("v")
-    rescue => e
-      abort "Failed to resolve latest version: #{e.message}"
-    end
-
-    version = ENV.fetch("DURABLE_STREAMS_VERSION", "latest")
-    install_dir = Rails.root.join("bin", "dist")
-    bin_path = install_dir.join("durable-streams-server")
-
-    if bin_path.exist?
-      puts "Durable Streams server already installed at #{bin_path}"
-      next
-    end
-
-    os = RbConfig::CONFIG["host_os"].then { |s|
-      if s.match?(/darwin/i) then "darwin"
-      elsif s.match?(/linux/i) then "linux"
-      else abort "Unsupported OS: #{s}"
-      end
-    }
-
-    arch = RbConfig::CONFIG["host_cpu"].then { |s|
-      case s
-      when /x86_64|amd64/ then "amd64"
-      when /aarch64|arm64/ then "arm64"
-      else abort "Unsupported architecture: #{s}"
-      end
-    }
-
-    if version == "latest"
-      version = resolve_latest_version.call
-    end
-
-    FileUtils.mkdir_p(install_dir)
-
-    url = "https://github.com/durable-streams/durable-streams/releases/download/v#{version}/durable-streams-server_#{version}_#{os}_#{arch}.tar.gz"
-
-    puts "Downloading durable-streams-server #{version} (#{os}/#{arch})..."
-    system("curl", "-sfL", url, "-o", "-", out: IO.popen(["tar", "xz", "-C", install_dir.to_s], "w").fileno) ||
-      abort("Download failed — check https://github.com/durable-streams/durable-streams/releases")
-    FileUtils.chmod(0755, bin_path)
-    puts "Installed to #{bin_path}"
+  desc "Generate ES256 key pair for JWT signing"
+  task :generate_keys do
+    require "durable_streams/rails/gatekeeper"
+
+    private_pem, public_pem = DurableStreams::Rails::Gatekeeper.generate_key_pair
+
+    puts "=== Private key ==="
+    puts "Add to Rails credentials (bin/rails credentials:edit):"
+    puts
+    puts "durable_streams:"
+    puts "  signing_key: |"
+    private_pem.each_line { |line| puts "    #{line}" }
+    puts "  signing_kid: \"es256-#{Time.now.strftime("%Y%m%d")}\""
+    puts
+    puts "=== Public key ==="
+    puts "Save to config/caddy/verify_key.pem (safe to commit):"
+    puts
+
+    output_path = ::Rails.root.join("config", "caddy", "verify_key.pem")
+    FileUtils.mkdir_p(output_path.dirname)
+    File.write(output_path, public_pem)
+    puts "Written to #{output_path}"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: durable_streams-rails
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - tokimonki
@@ -23,6 +23,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
@@ -48,15 +62,14 @@ files:
 - MIT-LICENSE
 - README.md
 - Rakefile
-- app/controllers/durable_streams/rails/auth_controller.rb
 - app/jobs/durable_streams/rails/broadcast_job.rb
 - app/models/concerns/durable_streams/rails/broadcastable.rb
-- config/routes.rb
 - lib/durable_streams-rails.rb
 - lib/durable_streams/rails/broadcastable/test_helper.rb
 - lib/durable_streams/rails/broadcasts.rb
 - lib/durable_streams/rails/engine.rb
 - lib/durable_streams/rails/feeds.rb
+- lib/durable_streams/rails/gatekeeper.rb
 - lib/durable_streams/rails/server_config.rb
 - lib/durable_streams/rails/stream_name.rb
 - lib/durable_streams/rails/stream_provisioner.rb

data/app/controllers/durable_streams/rails/auth_controller.rb

@@ -1,42 +0,0 @@
-module DurableStreams
-  module Rails
-    class AuthController < ActionController::API
-      def verify
-        if request.headers["X-Forwarded-Uri"] && authorized_by_token?
-          head :ok
-        elsif valid_server_api_key?
-          head :ok
-        else
-          head :unauthorized
-        end
-      end
-
-      private
-        def authorized_by_token?
-          if payload = DurableStreams.verify_signed_url(request.headers["X-Forwarded-Uri"])
-            permissions = Array(payload["permissions"]) & DurableStreams::Rails::StreamName::PERMISSIONS
-            permitted_method?(permissions)
-          end
-        end
-
-        # Only GET and POST reach token auth. PUT and DELETE are server-only
-        # operations authenticated via API key (valid_server_api_key?), not tokens.
-        # See README.md "Access control" for the full matrix.
-        def permitted_method?(permissions)
-          case request.headers["X-Forwarded-Method"]&.upcase
-          when "POST"
-            permissions.include?("write")
-          else
-            permissions.include?("read")
-          end
-        end
-
-        def valid_server_api_key?
-          if auth_header = request.headers["Authorization"]
-            auth_header.start_with?("Bearer ") &&
-              ActiveSupport::SecurityUtils.secure_compare(auth_header.delete_prefix("Bearer "), DurableStreams.server_api_key)
-          end
-        end
-    end
-  end
-end

data/config/routes.rb

@@ -1,3 +0,0 @@
-::Rails.application.routes.draw do
-  get "durable_streams/auth/verify", to: "durable_streams/rails/auth#verify", as: :durable_streams_auth_verify
-end if DurableStreams.draw_routes