chore: implement session sliding expiration and JWT authentication

- Added UpdateSessionLastAccessed method to update session access time.
- Enhanced Authenticate method to support both session cookie and JWT token authentication.
- Introduced AuthResult struct to encapsulate authentication results.
- Added SetUserInContext function to simplify context management for authenticated users.

refactor(auth): streamline gRPC and HTTP authentication

- Removed gRPC authentication interceptor and replaced it with a unified approach using GatewayAuthMiddleware for HTTP requests.
- Updated Connect interceptors to utilize the new authentication logic.
- Consolidated public and admin-only method checks into service layer for better maintainability.

chore(api): clean up unused code and improve documentation

- Removed deprecated logger interceptor and unused gRPC server code.
- Updated ACL configuration documentation for clarity on public and admin-only methods.
- Enhanced metadata handling in Connect RPC to ensure consistent header access.

fix(server): simplify server startup and shutdown process

- Eliminated cmux dependency for handling HTTP and gRPC traffic.
- Streamlined server initialization and shutdown logic for better performance and readability.

Author: johnnyjoygh

go.mod

@@ -13,7 +13,6 @@ require (
 	github.com/google/cel-go v0.26.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/feeds v1.2.0
-	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2
 	github.com/joho/godotenv v1.5.1
 	github.com/labstack/echo/v4 v4.13.4
@@ -85,7 +84,6 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/soheilhy/cmux v0.1.5
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
 	golang.org/x/sys v0.36.0 // indirect

go.sum

@@ -195,3 +195,46 @@ func validateAccessToken(token string, tokens []*storepb.AccessTokensUserSetting
 	}
 	return false
 }
+
+// UpdateSessionLastAccessed updates the last accessed time for a session.
+// This implements sliding expiration - sessions remain valid as long as they're used.
+// Should be called after successful session-based authentication.
+func (a *Authenticator) UpdateSessionLastAccessed(ctx context.Context, userID int32, sessionID string) {
+	// Fire-and-forget update; failures are logged but don't block the request
+	_ = a.store.UpdateUserSessionLastAccessed(ctx, userID, sessionID, timestamppb.Now())
+}
+
+// AuthResult contains the result of an authentication attempt.
+type AuthResult struct {
+	User        *store.User
+	SessionID   string // Non-empty if authenticated via session cookie
+	AccessToken string // Non-empty if authenticated via JWT
+}
+
+// Authenticate tries to authenticate using the provided credentials.
+// It tries session cookie first, then JWT token.
+// Returns nil if no valid credentials are provided.
+// On successful session auth, it also updates the session sliding expiration.
+func (a *Authenticator) Authenticate(ctx context.Context, sessionCookie, authHeader string) *AuthResult {
+	// Try session cookie authentication first
+	if sessionCookie != "" {
+		user, err := a.AuthenticateBySession(ctx, sessionCookie)
+		if err == nil && user != nil {
+			_, sessionID, parseErr := ParseSessionCookieValue(sessionCookie)
+			if parseErr == nil && sessionID != "" {
+				a.UpdateSessionLastAccessed(ctx, user.ID, sessionID)
+			}
+			return &AuthResult{User: user, SessionID: sessionID}
+		}
+	}
+
+	// Try JWT token authentication
+	if token := ExtractBearerToken(authHeader); token != "" {
+		user, err := a.AuthenticateByJWT(ctx, token)
+		if err == nil && user != nil {
+			return &AuthResult{User: user, AccessToken: token}
+		}
+	}
+
+	return nil
+}

server/auth/authenticator.go

@@ -1,6 +1,10 @@
 package auth
 
-import "context"
+import (
+	"context"
+
+	"github.com/usememos/memos/store"
+)
 
 // ContextKey is the key type for context values.
 // Using a custom type prevents collisions with other packages.
@@ -47,3 +51,22 @@ func GetAccessToken(ctx context.Context) string {
 	}
 	return ""
 }
+
+// SetUserInContext sets the authenticated user's information in the context.
+// This is a simpler alternative to AuthorizeAndSetContext for cases where
+// authorization is handled separately (e.g., HTTP middleware).
+//
+// Parameters:
+//   - user: The authenticated user
+//   - sessionID: Set if authenticated via session cookie (empty string otherwise)
+//   - accessToken: Set if authenticated via JWT token (empty string otherwise)
+func SetUserInContext(ctx context.Context, user *store.User, sessionID, accessToken string) context.Context {
+	ctx = context.WithValue(ctx, UserIDContextKey, user.ID)
+	if sessionID != "" {
+		ctx = context.WithValue(ctx, SessionIDContextKey, sessionID)
+	}
+	if accessToken != "" {
+		ctx = context.WithValue(ctx, AccessTokenContextKey, accessToken)
+	}
+	return ctx
+}

server/auth/context.go

@@ -1,56 +1,40 @@
 package v1
 
-// Access Control List (ACL) Configuration
+// PublicMethods defines API endpoints that don't require authentication.
+// All other endpoints require a valid session or access token.
 //
-// This file defines which API methods require authentication and which require admin privileges.
-// Used by both gRPC and Connect interceptors to enforce access control.
+// This is the SINGLE SOURCE OF TRUTH for public endpoints.
+// Both Connect interceptor and gRPC-Gateway interceptor use this map.
 //
-// Method names follow the gRPC full method format: "/{package}.{service}/{method}"
-// Example: "/memos.api.v1.MemoService/CreateMemo"
-
-// publicMethods lists methods that can be called without authentication.
-// These are typically read-only endpoints for public content or login-related endpoints.
-var publicMethods = map[string]bool{
-	// Instance info - needed before login
-	"/memos.api.v1.InstanceService/GetInstanceProfile": true,
-	"/memos.api.v1.InstanceService/GetInstanceSetting": true,
-
-	// Auth - login/session endpoints
-	"/memos.api.v1.AuthService/CreateSession":     true,
-	"/memos.api.v1.AuthService/GetCurrentSession": true,
-
-	// User - public user info and registration
-	"/memos.api.v1.UserService/CreateUser":       true, // Registration (also admin-only when not first user)
-	"/memos.api.v1.UserService/GetUser":          true,
-	"/memos.api.v1.UserService/GetUserAvatar":    true,
-	"/memos.api.v1.UserService/GetUserStats":     true,
-	"/memos.api.v1.UserService/ListAllUserStats": true,
-	"/memos.api.v1.UserService/SearchUsers":      true,
-
-	// Identity providers - needed for SSO login
-	"/memos.api.v1.IdentityProviderService/ListIdentityProviders": true,
-
-	// Memo - public memo access
-	"/memos.api.v1.MemoService/GetMemo":   true,
-	"/memos.api.v1.MemoService/ListMemos": true,
-
-	// Attachment - public attachment access
-	"/memos.api.v1.AttachmentService/GetAttachmentBinary": true,
-}
-
-// adminOnlyMethods lists methods that require admin (Host or Admin role) privileges.
-// Regular users cannot call these methods even if authenticated.
-var adminOnlyMethods = map[string]bool{
-	"/memos.api.v1.UserService/CreateUser":                true, // Admin creates users (except first user registration)
-	"/memos.api.v1.InstanceService/UpdateInstanceSetting": true,
-}
-
-// IsPublicMethod returns true if the method can be called without authentication.
-func IsPublicMethod(fullMethodName string) bool {
-	return publicMethods[fullMethodName]
+// Format: Full gRPC procedure path as returned by req.Spec().Procedure (Connect)
+// or info.FullMethod (gRPC interceptor).
+var PublicMethods = map[string]struct{}{
+	// Auth Service - login flow must be accessible without auth
+	"/memos.api.v1.AuthService/CreateSession":     {},
+	"/memos.api.v1.AuthService/GetCurrentSession": {},
+
+	// Instance Service - needed before login to show instance info
+	"/memos.api.v1.InstanceService/GetInstanceProfile": {},
+	"/memos.api.v1.InstanceService/GetInstanceSetting": {},
+
+	// User Service - public user profiles and stats
+	"/memos.api.v1.UserService/GetUser":          {},
+	"/memos.api.v1.UserService/GetUserAvatar":    {},
+	"/memos.api.v1.UserService/GetUserStats":     {},
+	"/memos.api.v1.UserService/ListAllUserStats": {},
+	"/memos.api.v1.UserService/SearchUsers":      {},
+
+	// Identity Provider Service - SSO buttons on login page
+	"/memos.api.v1.IdentityProviderService/ListIdentityProviders": {},
+
+	// Memo Service - public memos (visibility filtering done in service layer)
+	"/memos.api.v1.MemoService/GetMemo":   {},
+	"/memos.api.v1.MemoService/ListMemos": {},
 }
 
-// IsAdminOnlyMethod returns true if the method requires admin privileges.
-func IsAdminOnlyMethod(fullMethodName string) bool {
-	return adminOnlyMethods[fullMethodName]
+// IsPublicMethod checks if a procedure path is public (no authentication required).
+// Returns true for public methods, false for protected methods.
+func IsPublicMethod(procedure string) bool {
+	_, ok := PublicMethods[procedure]
+	return ok
 }