feat: sdk migration in progress

internal/auth/jwt_issue.go

@@ -0,0 +1,55 @@
+package auth
+
+import (
+	"errors"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type IssueOpts struct {
+	Subject  string
+	Issuer   string
+	Audience string
+	TTL      time.Duration
+	Claims   map[string]any // extra app claims
+}
+
+func IssueAccessToken(opts IssueOpts) (string, error) {
+	kc.mu.RLock()
+	defer kc.mu.RUnlock()
+
+	if kc.selPriv == nil || kc.selKid == "" || kc.selAlg == "" {
+		return "", errors.New("no active signing key")
+	}
+
+	claims := jwt.MapClaims{
+		"iss": opts.Issuer,
+		"aud": opts.Audience,
+		"sub": opts.Subject,
+		"iat": time.Now().Unix(),
+		"exp": time.Now().Add(opts.TTL).Unix(),
+	}
+	for k, v := range opts.Claims {
+		claims[k] = v
+	}
+
+	var method jwt.SigningMethod
+	switch kc.selAlg {
+	case "RS256":
+		method = jwt.SigningMethodRS256
+	case "RS384":
+		method = jwt.SigningMethodRS384
+	case "RS512":
+		method = jwt.SigningMethodRS512
+	case "EdDSA":
+		method = jwt.SigningMethodEdDSA
+	default:
+		return "", errors.New("unsupported alg")
+	}
+
+	token := jwt.NewWithClaims(method, claims)
+	token.Header["kid"] = kc.selKid
+
+	return token.SignedString(kc.selPriv)
+}