Opaque TFE Token Fix (#2260)

* reuse tokens

* use opaque tokens for terraform like tfe

* adjust token auth

Author: breardon2011

taco/internal/api/routes.go

@@ -112,28 +112,11 @@ func RegisterRoutes(e *echo.Echo, store storage.UnitStore, authEnabled bool) {
 	e.GET("/oauth/debug", authHandler.DebugConfig)
 
 
-	// API v1 protected group
+	// API v1 protected group - JWT tokens only
 	v1 := e.Group("/v1")
-	var verifyFn middleware.AccessTokenVerifier
 	if authEnabled {
-		verifyFn = func(token string) error {
-			// JWT only for /v1
-			if signer == nil {
-				return echo.ErrUnauthorized
-			}
-			_, err := signer.VerifyAccess(token)
-			if err != nil {
-				// Debug: log the verification failure
-				fmt.Printf("[AUTH DEBUG] Token verification failed: %v\n", err)
-				tokenPreview := token
-				if len(token) > 50 {
-					tokenPreview = token[:50] + "..."
-				}
-				fmt.Printf("[AUTH DEBUG] Token preview: %s\n", tokenPreview)
-			}
-			return err
-		}
-		v1.Use(middleware.RequireAuth(verifyFn))
+		jwtVerifyFn := middleware.JWTOnlyVerifier(signer)
+		v1.Use(middleware.RequireAuth(jwtVerifyFn))
 	}
 
 	// Setup RBAC manager if available
@@ -148,22 +131,22 @@ func RegisterRoutes(e *echo.Echo, store storage.UnitStore, authEnabled bool) {
 	// Unit handlers (management API) - pass RBAC manager and signer for filtering
 	unitHandler := unithandlers.NewHandler(store, rbacManager, signer)
 
-	// Management API (units) with RBAC middleware
+	// Management API (units) with JWT-only RBAC middleware
 	if authEnabled && rbacManager != nil {
-		v1.POST("/units", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "*")(unitHandler.CreateUnit))
+		v1.POST("/units", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "*")(unitHandler.CreateUnit))
 		// ListUnits does its own RBAC filtering internally, no middleware needed
 		v1.GET("/units", unitHandler.ListUnits)
-		v1.GET("/units/:id", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "{id}")(unitHandler.GetUnit))
-		v1.DELETE("/units/:id", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitDelete, "{id}")(unitHandler.DeleteUnit))
-		v1.GET("/units/:id/download", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "{id}")(unitHandler.DownloadUnit))
-		v1.POST("/units/:id/upload", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "{id}")(unitHandler.UploadUnit))
-		v1.POST("/units/:id/lock", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitLock, "{id}")(unitHandler.LockUnit))
-		v1.DELETE("/units/:id/unlock", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitLock, "{id}")(unitHandler.UnlockUnit))
+		v1.GET("/units/:id", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "{id}")(unitHandler.GetUnit))
+		v1.DELETE("/units/:id", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitDelete, "{id}")(unitHandler.DeleteUnit))
+		v1.GET("/units/:id/download", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "{id}")(unitHandler.DownloadUnit))
+		v1.POST("/units/:id/upload", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "{id}")(unitHandler.UploadUnit))
+		v1.POST("/units/:id/lock", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitLock, "{id}")(unitHandler.LockUnit))
+		v1.DELETE("/units/:id/unlock", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitLock, "{id}")(unitHandler.UnlockUnit))
 		// Dependency/status
-		v1.GET("/units/:id/status", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "{id}")(unitHandler.GetUnitStatus))
+		v1.GET("/units/:id/status", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "{id}")(unitHandler.GetUnitStatus))
 		// Version operations
-		v1.GET("/units/:id/versions", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "{id}")(unitHandler.ListVersions))
-		v1.POST("/units/:id/restore", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "{id}")(unitHandler.RestoreVersion))
+		v1.GET("/units/:id/versions", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "{id}")(unitHandler.ListVersions))
+		v1.POST("/units/:id/restore", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "{id}")(unitHandler.RestoreVersion))
 	} else {
 		// Fallback without RBAC
 		v1.POST("/units", unitHandler.CreateUnit)
@@ -181,21 +164,23 @@ func RegisterRoutes(e *echo.Echo, store storage.UnitStore, authEnabled bool) {
 		v1.POST("/units/:id/restore", unitHandler.RestoreVersion)
 	}
 
-	// Terraform HTTP backend proxy with RBAC middleware
+	// Terraform HTTP backend proxy with JWT-only RBAC middleware
 	backendHandler := backend.NewHandler(store)
 	if authEnabled && rbacManager != nil {
-		v1.GET("/backend/*", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "*")(backendHandler.GetState))
-		v1.POST("/backend/*", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "*")(backendHandler.UpdateState))
-		v1.PUT("/backend/*", middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "*")(backendHandler.UpdateState))
-		// Explicitly wire non-standard HTTP methods used by Terraform backend
-		e.Add("LOCK", "/v1/backend/*", middleware.RequireAuth(verifyFn)(middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitLock, "*")(backendHandler.HandleLockUnlock)))
-		e.Add("UNLOCK", "/v1/backend/*", middleware.RequireAuth(verifyFn)(middleware.RBACMiddleware(rbacManager, signer, rbac.ActionUnitLock, "*")(backendHandler.HandleLockUnlock)))
+		v1.GET("/backend/*", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitRead, "*")(backendHandler.GetState))
+		v1.POST("/backend/*", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "*")(backendHandler.UpdateState))
+		v1.PUT("/backend/*", middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitWrite, "*")(backendHandler.UpdateState))
+		// Explicitly wire non-standard HTTP methods used by Terraform backend  
+		jwtVerifyFn := middleware.JWTOnlyVerifier(signer)
+		e.Add("LOCK", "/v1/backend/*", middleware.RequireAuth(jwtVerifyFn)(middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitLock, "*")(backendHandler.HandleLockUnlock)))
+		e.Add("UNLOCK", "/v1/backend/*", middleware.RequireAuth(jwtVerifyFn)(middleware.JWTOnlyRBACMiddleware(rbacManager, signer, rbac.ActionUnitLock, "*")(backendHandler.HandleLockUnlock)))
 	} else if authEnabled {
+		jwtVerifyFn := middleware.JWTOnlyVerifier(signer)
 		v1.GET("/backend/*", backendHandler.GetState)
 		v1.POST("/backend/*", backendHandler.UpdateState)
 		v1.PUT("/backend/*", backendHandler.UpdateState)
-		e.Add("LOCK", "/v1/backend/*", middleware.RequireAuth(verifyFn)(backendHandler.HandleLockUnlock))
-		e.Add("UNLOCK", "/v1/backend/*", middleware.RequireAuth(verifyFn)(backendHandler.HandleLockUnlock))
+		e.Add("LOCK", "/v1/backend/*", middleware.RequireAuth(jwtVerifyFn)(backendHandler.HandleLockUnlock))
+		e.Add("UNLOCK", "/v1/backend/*", middleware.RequireAuth(jwtVerifyFn)(backendHandler.HandleLockUnlock))
 	} else {
 		v1.GET("/backend/*", backendHandler.GetState)
 		v1.POST("/backend/*", backendHandler.UpdateState)
@@ -248,26 +233,11 @@ func RegisterRoutes(e *echo.Echo, store storage.UnitStore, authEnabled bool) {
 	// TFE api - inject auth handler, storage, and RBAC dependencies
 	tfeHandler := tfe.NewTFETokenHandler(authHandler, store, rbacManager)  // Pass rbacManager (may be nil)
 
-	// Create protected TFE group
+	// Create protected TFE group - opaque tokens only
 	tfeGroup := e.Group("/tfe/api/v2")
 	if authEnabled {
-		// Verifier for TFE: accept JWT or opaque TFE tokens
-		tfeVerify := func(token string) error {
-			// Try JWT first
-			if signer != nil {
-				if _, err := signer.VerifyAccess(token); err == nil {
-					return nil
-				}
-			}
-			// Fallback to opaque via S3-backed manager
-			if apiTokenMgr != nil {
-				if _, err := apiTokenMgr.Verify(context.Background(), token); err == nil {
-					return nil
-				}
-			}
-			return echo.ErrUnauthorized
-		}
-		tfeGroup.Use(middleware.RequireAuth(tfeVerify))
+		opaqueVerifyFn := middleware.OpaqueOnlyVerifier(apiTokenMgr)
+		tfeGroup.Use(middleware.RequireAuth(opaqueVerifyFn))
 	}
 
 	// Move TFE endpoints to protected group

taco/internal/auth/apitokens.go

@@ -5,6 +5,7 @@ import (
     "crypto/rand"
     "encoding/json"
     "fmt"
+    "log"
     "path"
     "strings"
     "sync"
@@ -18,14 +19,15 @@ import (
 
 // APIToken represents an opaque API token record stored in S3 or memory
 type APIToken struct {
-    Token      string    `json:"token"`
-    Subject    string    `json:"sub"`
-    Email      string    `json:"email,omitempty"`
-    Groups     []string  `json:"groups,omitempty"`
-    Scopes     []string  `json:"scopes,omitempty"`
-    CreatedAt  time.Time `json:"created_at"`
-    LastUsedAt time.Time `json:"last_used_at,omitempty"`
-    Status     string    `json:"status"` // active, revoked
+    Token      string     `json:"token"`
+    Subject    string     `json:"sub"`
+    Email      string     `json:"email,omitempty"`
+    Groups     []string   `json:"groups,omitempty"`
+    Scopes     []string   `json:"scopes,omitempty"`
+    CreatedAt  time.Time  `json:"created_at"`
+    LastUsedAt time.Time  `json:"last_used_at,omitempty"`
+    ExpiresAt  *time.Time `json:"expires_at,omitempty"` // nil means never expires
+    Status     string     `json:"status"` // active, revoked, expired
 }
 
 // APITokenManager issues and verifies opaque tokens for the TFE API surface
@@ -48,23 +50,51 @@ func NewAPITokenManagerFromStore(store storage.UnitStore) *APITokenManager {
     }
 }
 
-// Issue creates a new opaque API token and persists it
+// Issue creates a new opaque API token and persists it, or returns existing active token
 func (m *APITokenManager) Issue(ctx context.Context, subject, email string, groups []string) (string, error) {
-    token := "otc_tfe_" + randomBase58(32)
-    now := time.Now().UTC()
-    rec := &APIToken{
-        Token:     token,
-        Subject:   subject,
-        Email:     email,
-        Groups:    groups,
-        Scopes:    []string{"tfe"},
-        CreatedAt: now,
-        Status:    "active",
-    }
-    if err := m.save(ctx, rec); err != nil {
-        return "", err
-    }
-    return token, nil
+	// Check for existing active token for this user first
+	existingToken, err := m.findActiveTokenForUser(ctx, subject, email)
+	if err != nil {
+		return "", fmt.Errorf("failed to check for existing token: %w", err)
+	}
+	if existingToken != "" {
+		log.Printf("Reusing existing opaque token for user: %s", subject)
+		return existingToken, nil
+	}
+
+	// No existing token found, create a new one
+	token := "otc_tfe_" + randomBase58(32)
+	now := time.Now().UTC()
+	
+	// Set expiration based on TERRAFORM_TOKEN_TTL environment variable
+	var expiresAt *time.Time
+	if ttlStr := getenv("OPENTACO_TERRAFORM_TOKEN_TTL", ""); ttlStr != "" {
+		if ttl, err := time.ParseDuration(ttlStr); err == nil {
+			expTime := now.Add(ttl)
+			expiresAt = &expTime
+			log.Printf("Creating opaque token with TTL %s (expires at %s)", ttl, expTime.Format(time.RFC3339))
+		} else {
+			log.Printf("Warning: Invalid TERRAFORM_TOKEN_TTL format '%s', creating token without expiration", ttlStr)
+		}
+	} else {
+		log.Printf("Creating opaque token without expiration (no TTL configured)")
+	}
+	
+	rec := &APIToken{
+		Token:     token,
+		Subject:   subject,
+		Email:     email,
+		Groups:    groups,
+		Scopes:    []string{"tfe"},
+		CreatedAt: now,
+		ExpiresAt: expiresAt,
+		Status:    "active",
+	}
+	if err := m.save(ctx, rec); err != nil {
+		return "", err
+	}
+	log.Printf("Created new opaque token for user: %s", subject)
+	return token, nil
 }
 
 // Verify checks an opaque token and returns its record if valid
@@ -73,6 +103,13 @@ func (m *APITokenManager) Verify(ctx context.Context, token string) (*APIToken,
     if err != nil { return nil, err }
     if rec == nil { return nil, fmt.Errorf("not found") }
     if rec.Status != "active" { return nil, fmt.Errorf("revoked") }
+    
+    // Check if token has expired
+    if rec.ExpiresAt != nil && time.Now().UTC().After(*rec.ExpiresAt) {
+        // Automatically mark as expired (but don't save to avoid race conditions)
+        return nil, fmt.Errorf("expired")
+    }
+    
     // update last used asynchronously; ignore errors
     now := time.Now().UTC()
     go func() {
@@ -131,11 +168,77 @@ func (m *APITokenManager) load(ctx context.Context, token string) (*APIToken, er
     return nil, storage.ErrNotFound
 }
 
+// findActiveTokenForUser searches for an existing active token for the given user
+func (m *APITokenManager) findActiveTokenForUser(ctx context.Context, subject, email string) (string, error) {
+	if m.s3store != nil {
+		// S3 implementation - list all tokens and check each one
+		return m.findActiveTokenForUserS3(ctx, subject, email)
+	}
+	
+	// Memory implementation - iterate through inmem map
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	now := time.Now().UTC()
+	for _, rec := range m.inmem {
+		if rec.Subject == subject && rec.Email == email && rec.Status == "active" {
+			// Check if token has expired
+			if rec.ExpiresAt != nil && now.After(*rec.ExpiresAt) {
+				continue // Skip expired tokens
+			}
+			return rec.Token, nil
+		}
+	}
+	return "", nil
+}
+
+func (m *APITokenManager) findActiveTokenForUserS3(ctx context.Context, subject, email string) (string, error) {
+	// List all objects in the _tfe_tokens prefix
+	prefix := path.Join(m.s3store.GetS3Prefix(), "_tfe_tokens") + "/"
+	listInput := &awsS3.ListObjectsV2Input{
+		Bucket: awsString(m.s3store.GetS3Bucket()),
+		Prefix: awsString(prefix),
+	}
+	
+	paginator := awsS3.NewListObjectsV2Paginator(m.s3store.GetS3Client(), listInput)
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			return "", fmt.Errorf("failed to list S3 objects: %w", err)
+		}
+		
+		for _, obj := range page.Contents {
+			// Extract token from key: prefix/_tfe_tokens/TOKEN.json -> TOKEN
+			key := *obj.Key
+			if !strings.HasSuffix(key, ".json") {
+				continue
+			}
+			tokenFromKey := strings.TrimSuffix(path.Base(key), ".json")
+			
+			// Load the token record
+			rec, err := m.load(ctx, tokenFromKey)
+			if err != nil {
+				continue // Skip tokens we can't load
+			}
+			
+			// Check if this token matches the user and is active and not expired
+			if rec != nil && rec.Subject == subject && rec.Email == email && rec.Status == "active" {
+				// Check if token has expired
+				if rec.ExpiresAt != nil && time.Now().UTC().After(*rec.ExpiresAt) {
+					continue // Skip expired tokens
+				}
+				return rec.Token, nil
+			}
+		}
+	}
+	
+	return "", nil
+}
+
 func (m *APITokenManager) s3Key(token string) string {
-    // store under <prefix>_tfe_tokens/<token>.json to avoid collisions with units
-    p := m.s3store.GetS3Prefix()
-    // path.Join will clean slashes appropriately
-    return path.Join(p, "_tfe_tokens", token+".json")
+	// store under <prefix>_tfe_tokens/<token>.json to avoid collisions with units
+	p := m.s3store.GetS3Prefix()
+	// path.Join will clean slashes appropriately
+	return path.Join(p, "_tfe_tokens", token+".json")
 }
 
 func randomBase58(n int) string {

taco/internal/auth/terraform.go

@@ -199,20 +199,33 @@ func (h *Handler) OAuthToken(c echo.Context) error {
         })
     }
 
-    // Also issue an opaque API token for TFE API usage if manager is configured
+    // Issue an opaque API token for TFE compatibility (like real Terraform Cloud)
     if h.apiTokens != nil {
         if opaque, err2 := h.apiTokens.Issue(c.Request().Context(), authCode.Subject, authCode.Email, authCode.Groups); err2 == nil {
-            // Include opaque token for TFE API compatibility
+            // Return opaque token as access_token (matching TFE behavior)
+            // Calculate expiration based on TERRAFORM_TOKEN_TTL or default to very long
+            var expiresIn int
+            if ttlStr := getenv("OPENTACO_TERRAFORM_TOKEN_TTL", ""); ttlStr != "" {
+                if ttl, err := time.ParseDuration(ttlStr); err == nil {
+                    expiresIn = int(ttl.Seconds())
+                } else {
+                    expiresIn = 999999999 // Very long if TTL parse fails
+                }
+            } else {
+                expiresIn = 999999999 // Very long by default (like TFE)
+            }
+            
             response := map[string]interface{}{
-                "access_token": accessToken,
+                "access_token": opaque,  // Use opaque token as main token
                 "token_type":   "Bearer",
-                "expires_in":   int(exp.Sub(time.Now()).Seconds()),
+                "expires_in":   expiresIn,
                 "scope":        "api s3",
-                "token":        opaque,
             }
             return c.JSON(http.StatusOK, response)
         }
     }
+    
+    // Fallback: return JWT if opaque token creation fails
     response := map[string]interface{}{
         "access_token": accessToken,
         "token_type":   "Bearer",