Copilot AI commented Jan 2, 2026

PR #24 added JWT-based authentication with OAuth2 client credentials flow, scope-based permissions, and client management endpoints. This updates the README to document the new authentication system.

Configuration

  • Added FASTPUBSUB_AUTH_ENABLED (default: false), FASTPUBSUB_AUTH_SECRET_KEY, FASTPUBSUB_AUTH_ALGORITHM, and FASTPUBSUB_AUTH_ACCESS_TOKEN_EXPIRE_MINUTES environment variables

CLI Commands

  • generate_secret_key - Generates cryptographically secure secret for JWT signing
  • create_client <name> <scopes> <is_active> - Creates OAuth client with specified permissions

Scopes

Global scopes: * (admin), topics:{create,read,delete,publish}, subscriptions:{create,read,delete,consume}, clients:{create,update,read,delete}

Object-specific scopes: topics:publish:my-topic-id restricts publish to single topic

API Reference

  • Authentication flow: POST /oauth/token with client_id/client_secret returns JWT access token
  • Client management: Full CRUD at /clients endpoint (create, get, list, update, delete)
  • Token usage: Include Authorization: Bearer <token> header on authenticated requests
  • Token revocation: Updating a client increments token_version, invalidating existing tokens

Examples

# Generate secret and create admin client
docker run --rm allisson/fastpubsub generate_secret_key
docker run --rm \
  -e FASTPUBSUB_AUTH_ENABLED=true \
  -e FASTPUBSUB_AUTH_SECRET_KEY=<generated-secret> \
  allisson/fastpubsub create_client "Admin" "*" true

# Get access token
curl -X POST http://localhost:8000/oauth/token \
  -H "Content-Type: application/json" \
  -d '{"client_id": "<id>", "client_secret": "<secret>"}'

# Use token
curl -H "Authorization: Bearer <token>" http://localhost:8000/topics

Troubleshooting

  • 401 errors: Verify FASTPUBSUB_AUTH_ENABLED=true on server, token not expired (30min default), client active
  • 403 errors: Check client has required scope (e.g., topics:publish or topics:publish:specific-topic)
Original prompt

Update the README.md with the recent changes of #24

Some additional information:

  • Authentication is optional and controlled by the env FASTPUBSUB_AUTH_ENABLED, which has a default value of false.

  • To enable authentication, you must set the envs FASTPUBSUB_AUTH_ENABLED=true and FASTPUBSUB_AUTH_SECRET_KEY=my-super-secret-key.

  • There is a command called generate_secret_key that generates a secure secret key for use.

  • There is a command called create_client that generates a new client via the CLI.

  • Regarding scopes, we have the following valid global scopes:
    “*” -> admin mode, can do anything.
    “topics:create” -> can create a new topic.
    “topics:read” -> can list or get a topic.
    “topics:delete” -> can delete a topic.
    “topics:publish” -> can publish a message to the topic.
    “subscriptions:create” -> can create a new subscription.
    “subscriptions:read” -> can list or get a subscription.
    “subscriptions:delete” -> can delete a subscription.
    “subscriptions:consume” -> can consume messages from subscription.
    “clients:create” -> can create a new client.
    “clients:update” -> can update a client.
    “clients:read” -> can list or get a client.
    “clients:delete” -> can delete a client.

  • We can have scopes per object. For a client to publish to only one topic, we can set a scope “topics:publish:my-topic-id.”
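
The scope rules and the `token_version` revocation described in the PR description, as an added example that is not code from the fastpubsub project. The `Client` fields, the space-separated scope string, the claim names and the mapping of a stale `token_version` to 401 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    # Hypothetical client record; field names and layout are assumptions.
    scopes: str         # assumed space-separated, e.g. "topics:read topics:publish:my-topic-id"
    is_active: bool
    token_version: int  # incremented whenever the client is updated


def scope_allows(granted: str, resource: str, action: str,
                 object_id: Optional[str] = None) -> bool:
    """Return True if any granted scope covers resource:action on object_id."""
    have = set(granted.split())
    if "*" in have:                      # admin scope: can do anything
        return True
    if f"{resource}:{action}" in have:   # global scope: applies to every object
        return True
    # Object-specific scope: exact match on the id, never a prefix match,
    # so "topics:publish:a" does not cover topic "a-2".
    return object_id is not None and f"{resource}:{action}:{object_id}" in have


def authorize(claims: dict, client: Client, now: int, resource: str,
              action: str, object_id: Optional[str] = None) -> int:
    """Return the HTTP status for a request: 200, 401 or 403."""
    if not client.is_active or claims["exp"] <= now:
        return 401                       # inactive client or expired token
    if claims["token_version"] != client.token_version:
        return 401                       # assumption: revoked token treated as unauthenticated
    if not scope_allows(client.scopes, resource, action, object_id):
        return 403                       # authenticated but missing the scope
    return 200


# Constructed sample: a token issued at token_version 1, valid for 30 minutes.
publisher = Client("topics:publish:my-topic-id", True, 1)
token = {"exp": 1800, "token_version": 1}
print(authorize(token, publisher, 60, "topics", "publish", "my-topic-id"))
print(authorize(token, publisher, 60, "topics", "read"))
publisher.token_version += 1  # client updated: existing tokens are invalidated
print(authorize(token, publisher, 60, "topics", "publish", "my-topic-id"))
```
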



Copilot AI and others added 2 commits January 2, 2026 14:58
- Add authentication configuration section with all auth-related environment variables
- Add Docker commands section for generate_secret_key and create_client
- Add Authentication section to API Reference explaining scopes and OAuth flow
- Add Clients API documentation with all CRUD endpoints
- Add Example 1 showing how to set up authentication
- Add Example 3 showing how to create clients with different scopes
- Add Security best practices section
- Add Authentication Issues troubleshooting section
- Renumber all examples to maintain consistency

Co-authored-by: allisson <[email protected]>
Copilot AI changed the title [WIP] Update README.md to include authentication changes Document authentication system added in PR #24 Jan 2, 2026
Copilot AI requested a review from allisson January 2, 2026 15:03
@allisson allisson marked this pull request as ready for review January 2, 2026 15:03
@allisson allisson merged commit 26ed2c3 into main Jan 2, 2026
1 check passed
@allisson allisson deleted the copilot/update-readme-with-auth-details branch January 2, 2026 15:06