chore: initial commit

internal/svc/auth/api/gateway.go

@@ -0,0 +1,39 @@
+// Copyright (C) 2024 Declan Teevan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package api
+
+import (
+	"context"
+
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"github.com/rs/zerolog/log"
+
+	pb "github.com/hexolan/stocklet/internal/pkg/protogen/auth/v1"
+	"github.com/hexolan/stocklet/internal/pkg/serve"
+	"github.com/hexolan/stocklet/internal/svc/auth"
+)
+
+func PrepareGateway(cfg *auth.ServiceConfig) *runtime.ServeMux {
+	mux, clientOpts := serve.NewGatewayServeBase(&cfg.Shared)
+
+	ctx := context.Background()
+	err := pb.RegisterAuthServiceHandlerFromEndpoint(ctx, mux, serve.GetAddrToGrpc("localhost"), clientOpts)
+	if err != nil {
+		log.Panic().Err(err).Msg("failed to register endpoint for gateway")
+	}
+
+	return mux
+}

internal/svc/auth/api/grpc.go

@@ -0,0 +1,30 @@
+// Copyright (C) 2024 Declan Teevan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package api
+
+import (
+	"google.golang.org/grpc"
+
+	pb "github.com/hexolan/stocklet/internal/pkg/protogen/auth/v1"
+	"github.com/hexolan/stocklet/internal/pkg/serve"
+	"github.com/hexolan/stocklet/internal/svc/auth"
+)
+
+func PrepareGrpc(cfg *auth.ServiceConfig, svc *auth.AuthService) *grpc.Server {
+	svr := serve.NewGrpcServeBase(&cfg.Shared)
+	pb.RegisterAuthServiceServer(svr, svc)
+	return svr
+}

internal/svc/auth/auth.go

@@ -0,0 +1,157 @@
+// Copyright (C) 2024 Declan Teevan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package auth
+
+import (
+	"context"
+
+	"github.com/bufbuild/protovalidate-go"
+	"github.com/rs/zerolog/log"
+	"google.golang.org/protobuf/types/known/emptypb"
+
+	"github.com/hexolan/stocklet/internal/pkg/errors"
+	"github.com/hexolan/stocklet/internal/pkg/gwauth"
+	"github.com/hexolan/stocklet/internal/pkg/messaging"
+	pb "github.com/hexolan/stocklet/internal/pkg/protogen/auth/v1"
+	commonpb "github.com/hexolan/stocklet/internal/pkg/protogen/common/v1"
+	eventpb "github.com/hexolan/stocklet/internal/pkg/protogen/events/v1"
+)
+
+// Interface for the service
+type AuthService struct {
+	pb.UnimplementedAuthServiceServer
+
+	cfg *ServiceConfig
+
+	store StorageController
+	pbVal *protovalidate.Validator
+}
+
+// Interface for database methods
+// Allows implementing seperate controllers for different databases (e.g. Postgres, MongoDB, etc)
+type StorageController interface {
+	SetPassword(ctx context.Context, userId string, password string) error
+	VerifyPassword(ctx context.Context, userId string, password string) (bool, error)
+
+	DeleteAuthMethods(ctx context.Context, userId string) error
+}
+
+// Interface for event consumption
+// Flexibility for seperate controllers for different messaging systems (e.g. Kafka, NATS, etc)
+type ConsumerController interface {
+	messaging.ConsumerController
+
+	Attach(svc pb.AuthServiceServer)
+}
+
+// Create the auth service
+func NewAuthService(cfg *ServiceConfig, store StorageController) *AuthService {
+	// Initialise the protobuf validator
+	pbVal, err := protovalidate.New()
+	if err != nil {
+		log.Panic().Err(err).Msg("failed to initialise protobuf validator")
+	}
+
+	svc := &AuthService{
+		cfg:   cfg,
+		store: store,
+		pbVal: pbVal,
+	}
+
+	return svc
+}
+
+func (svc AuthService) ServiceInfo(ctx context.Context, req *commonpb.ServiceInfoRequest) (*commonpb.ServiceInfoResponse, error) {
+	return &commonpb.ServiceInfoResponse{
+		Name:          "auth",
+		Source:        "https://github.com/hexolan/stocklet",
+		SourceLicense: "AGPL-3.0",
+	}, nil
+}
+
+func (svc AuthService) LoginPassword(ctx context.Context, req *pb.LoginPasswordRequest) (*pb.LoginPasswordResponse, error) {
+	// Validate the request args
+	if err := svc.pbVal.Validate(req); err != nil {
+		// provide validation err context to user
+		return nil, errors.NewServiceError(errors.ErrCodeInvalidArgument, "invalid request: "+err.Error())
+	}
+
+	// Verify password
+	match, err := svc.store.VerifyPassword(ctx, req.UserId, req.Password)
+	if err != nil || match == false {
+		return nil, errors.WrapServiceError(errors.ErrCodeForbidden, "invalid user id or password", err)
+	}
+
+	// Issue token for the user
+	token, err := issueToken(svc.cfg, req.UserId)
+	if err != nil {
+		return nil, errors.WrapServiceError(errors.ErrCodeService, "error issuing token", err)
+	}
+
+	return &pb.LoginPasswordResponse{Detail: "Success", Data: token}, nil
+}
+
+func (svc AuthService) SetPassword(ctx context.Context, req *pb.SetPasswordRequest) (*pb.SetPasswordResponse, error) {
+	// If the request is through the gateway,
+	// then perform permission checking
+	gatewayRequest, gwMd := gwauth.IsGatewayRequest(ctx)
+	if gatewayRequest {
+		log.Info().Msg("is a gateway request")
+		// Ensure user is authenticated
+		claims, err := gwauth.GetGatewayUser(gwMd)
+		if err != nil {
+			return nil, err
+		}
+
+		// Only allow changing of own password
+		req.UserId = claims.Subject
+	}
+
+	// Validate the request args
+	if err := svc.pbVal.Validate(req); err != nil {
+		// provide validation err context to user
+		return nil, errors.NewServiceError(errors.ErrCodeInvalidArgument, "invalid request: "+err.Error())
+	}
+
+	// Set the password
+	err := svc.store.SetPassword(ctx, req.UserId, req.Password)
+	if err != nil {
+		return nil, err
+	}
+
+	return &pb.SetPasswordResponse{Detail: "Successfully updated password"}, nil
+}
+
+func (svc AuthService) ProcessUserDeletedEvent(ctx context.Context, req *eventpb.UserDeletedEvent) (*emptypb.Empty, error) {
+	// Validate the request args
+	if err := svc.pbVal.Validate(req); err != nil {
+		// provide validation err context to user
+		return nil, errors.NewServiceError(errors.ErrCodeInvalidArgument, "invalid request: "+err.Error())
+	}
+
+	err := svc.store.DeleteAuthMethods(ctx, req.UserId)
+	if err != nil {
+		return nil, errors.WrapServiceError(errors.ErrCodeService, "failed to process event", err)
+	}
+
+	return &emptypb.Empty{}, nil
+}
+
+// Provide the JWK ECDSA public key as part of a JSON Web Key set.
+// This method is called by the API gateway for usage when validating inbound JWT tokens.
+func (svc AuthService) GetJwks(ctx context.Context, req *pb.GetJwksRequest) (*pb.GetJwksResponse, error) {
+	return &pb.GetJwksResponse{Keys: []*pb.PublicEcJWK{svc.cfg.ServiceOpts.PublicJwk}}, nil
+}

internal/svc/auth/config.go

@@ -0,0 +1,156 @@
+// Copyright (C) 2024 Declan Teevan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package auth
+
+import (
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/rs/zerolog/log"
+	"google.golang.org/protobuf/encoding/protojson"
+
+	"github.com/hexolan/stocklet/internal/pkg/config"
+	"github.com/hexolan/stocklet/internal/pkg/errors"
+	pb "github.com/hexolan/stocklet/internal/pkg/protogen/auth/v1"
+)
+
+// Auth Service Configuration
+type ServiceConfig struct {
+	// Core configuration
+	Shared      config.SharedConfig
+	ServiceOpts ServiceConfigOpts
+
+	// Dynamically loaded configuration
+	Postgres config.PostgresConfig
+	Kafka    config.KafkaConfig
+}
+
+// load the service configuration
+func NewServiceConfig() (*ServiceConfig, error) {
+	cfg := ServiceConfig{}
+
+	// load the shared config options
+	if err := cfg.Shared.Load(); err != nil {
+		return nil, err
+	}
+
+	// load the service config opts
+	if err := cfg.ServiceOpts.Load(); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}
+
+// Service specific config options
+type ServiceConfigOpts struct {
+	// Env Var: "AUTH_PRIVATE_KEY"
+	// to be provided in base64 format
+	PrivateKey *ecdsa.PrivateKey
+
+	// Generated from PrivateKey
+	PublicJwk *pb.PublicEcJWK
+}
+
+// Load the ServiceConfigOpts
+//
+// PrivateKey is loaded and decoded from the base64
+// encoded PEM file exposed in the 'AUTH_PRIVATE_KEY'
+// environment variable.
+func (opts *ServiceConfigOpts) Load() error {
+	// load the private key
+	if err := opts.loadPrivateKey(); err != nil {
+		return err
+	}
+
+	// prepare the JWK public key
+	opts.PublicJwk = preparePublicJwk(opts.PrivateKey)
+
+	return nil
+}
+
+// Load the ECDSA private key.
+//
+// Used for signing JWT tokens.
+// The public key is also served in JWK format, from this service,
+// for use when validating the tokens at the API ingress.
+func (opts *ServiceConfigOpts) loadPrivateKey() error {
+	// PEM private key file exposed as an environment variable encoded in base64
+	opt, err := config.RequireFromEnv("AUTH_PRIVATE_KEY")
+	if err != nil {
+		return err
+	}
+
+	// Decode from base64
+	pkBytes, err := base64.StdEncoding.DecodeString(opt)
+	if err != nil {
+		return errors.WrapServiceError(errors.ErrCodeService, "the provided 'AUTH_PRIVATE_KEY' is not valid base64", err)
+	}
+
+	// Decode the PEM key
+	pkBlock, _ := pem.Decode(pkBytes)
+	if pkBlock == nil {
+		return errors.NewServiceError(errors.ErrCodeService, "the provided 'AUTH_PRIVATE_KEY' is not valid PEM format")
+	}
+
+	// Parse the block to a ecdsa.PrivateKey object
+	privKey, err := x509.ParseECPrivateKey(pkBlock.Bytes)
+	if err != nil {
+		return errors.WrapServiceError(errors.ErrCodeService, "failed to parse the provided 'AUTH_PRIVATE_KEY' to an EC private key", err)
+	}
+
+	opts.PrivateKey = privKey
+	return nil
+}
+
+// Converts the ECDSA key to a public JWK.
+func preparePublicJwk(privateKey *ecdsa.PrivateKey) *pb.PublicEcJWK {
+	// Assemble the public JWK
+	jwk, err := jwk.FromRaw(privateKey.PublicKey)
+	if err != nil {
+		log.Panic().Err(err).Msg("something went wrong parsing public key from private key")
+	}
+
+	// denote use for signatures
+	jwk.Set("use", "sig")
+
+	// envoy includes support for ES256, ES384 and ES512
+	alg := fmt.Sprintf("ES%v", privateKey.Curve.Params().BitSize)
+	if alg != "ES256" && alg != "ES384" && alg != "ES512" {
+		log.Panic().Err(err).Msg("unsupported bitsize for private key")
+	}
+	jwk.Set("alg", alg)
+
+	// Convert the JWK to JSON
+	jwkBytes, err := json.Marshal(jwk)
+	if err != nil {
+		log.Panic().Err(err).Msg("something went wrong preparing the public JWK (json marshal)")
+	}
+
+	// Unmarshal the JSON to Protobuf format
+	publicJwkPB := pb.PublicEcJWK{}
+	err = protojson.Unmarshal(jwkBytes, &publicJwkPB)
+	if err != nil {
+		log.Panic().Err(err).Msg("something went wrong preparing the public JWK (protonjson unmarshal)")
+	}
+
+	return &publicJwkPB
+}

internal/svc/auth/controller/kafka.go

@@ -0,0 +1,109 @@
+// Copyright (C) 2024 Declan Teevan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package controller
+
+import (
+	"context"
+
+	"github.com/rs/zerolog/log"
+	"github.com/twmb/franz-go/pkg/kgo"
+	"google.golang.org/protobuf/proto"
+
+	"github.com/hexolan/stocklet/internal/pkg/messaging"
+	pb "github.com/hexolan/stocklet/internal/pkg/protogen/auth/v1"
+	eventpb "github.com/hexolan/stocklet/internal/pkg/protogen/events/v1"
+	"github.com/hexolan/stocklet/internal/svc/auth"
+)
+
+type kafkaController struct {
+	cl *kgo.Client
+
+	svc pb.AuthServiceServer
+
+	ctx       context.Context
+	ctxCancel context.CancelFunc
+}
+
+func NewKafkaController(cl *kgo.Client) auth.ConsumerController {
+	// Create a cancellable context for the consumer
+	ctx, ctxCancel := context.WithCancel(context.Background())
+
+	// Ensure the required Kafka topics exist
+	err := messaging.EnsureKafkaTopics(
+		cl,
+
+		messaging.User_State_Deleted_Topic,
+	)
+	if err != nil {
+		log.Warn().Err(err).Msg("kafka: raised attempting to ensure svc topics")
+	}
+
+	// Add the consumption topics
+	cl.AddConsumeTopics(
+		messaging.User_State_Deleted_Topic,
+	)
+
+	return &kafkaController{cl: cl, ctx: ctx, ctxCancel: ctxCancel}
+}
+
+func (c *kafkaController) Attach(svc pb.AuthServiceServer) {
+	c.svc = svc
+}
+
+func (c *kafkaController) Start() {
+	if c.svc == nil {
+		log.Panic().Msg("consumer: no service interface attached")
+	}
+
+	for {
+		fetches := c.cl.PollFetches(c.ctx)
+		if errs := fetches.Errors(); len(errs) > 0 {
+			log.Panic().Any("kafka-errs", errs).Msg("consumer: unrecoverable kafka errors")
+		}
+
+		fetches.EachTopic(func(ft kgo.FetchTopic) {
+			switch ft.Topic {
+			case messaging.User_State_Deleted_Topic:
+				c.consumeUserDeletedEventTopic(ft)
+			default:
+				log.Warn().Str("topic", ft.Topic).Msg("consumer: recieved records from unexpected topic")
+			}
+		})
+	}
+}
+
+func (c *kafkaController) Stop() {
+	// Cancel the consumer context
+	c.ctxCancel()
+}
+
+func (c *kafkaController) consumeUserDeletedEventTopic(ft kgo.FetchTopic) {
+	log.Info().Str("topic", ft.Topic).Msg("consumer: recieved records from topic")
+
+	// Process each message from the topic
+	ft.EachRecord(func(record *kgo.Record) {
+		// Unmarshal the event
+		var event eventpb.UserDeletedEvent
+		err := proto.Unmarshal(record.Value, &event)
+		if err != nil {
+			log.Panic().Err(err).Msg("consumer: failed to unmarshal event")
+		}
+
+		// Process the event
+		ctx := context.Background()
+		c.svc.ProcessUserDeletedEvent(ctx, &event)
+	})
+}

internal/svc/auth/controller/postgres.go

@@ -0,0 +1,97 @@
+// Copyright (C) 2024 Declan Teevan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package controller
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"github.com/hexolan/stocklet/internal/pkg/errors"
+	"github.com/hexolan/stocklet/internal/svc/auth"
+)
+
+type postgresController struct {
+	cl *pgxpool.Pool
+}
+
+func NewPostgresController(cl *pgxpool.Pool) auth.StorageController {
+	return postgresController{cl: cl}
+}
+
+func (c postgresController) getPasswordAuthMethod(ctx context.Context, userId string) (string, error) {
+	var hashedPassword string
+	err := c.cl.QueryRow(ctx, "SELECT hashed_password FROM auth_methods WHERE user_id=$1", userId).Scan(&hashedPassword)
+	if err != nil {
+		return "", errors.WrapServiceError(errors.ErrCodeNotFound, "unknown user id", err)
+	}
+
+	return hashedPassword, nil
+}
+
+func (c postgresController) SetPassword(ctx context.Context, userId string, password string) error {
+	hashedPassword, err := auth.HashPassword(password)
+	if err != nil {
+		return errors.WrapServiceError(errors.ErrCodeInvalidArgument, "unable to hash password", err)
+	}
+
+	// Check if auth method already exists
+	var statement string
+	_, err = c.getPasswordAuthMethod(ctx, userId)
+	if err != nil {
+		// Auth method does not exist
+		statement = "INSERT INTO auth_methods (user_id, hashed_password) VALUES ($1, $2)"
+	} else {
+		// Auth method already exists
+		statement = "UPDATE auth_methods SET hashed_password=$2 WHERE user_id=$1"
+	}
+
+	// Execute statement
+	result, err := c.cl.Exec(ctx, statement, userId, hashedPassword)
+	if err != nil {
+		return errors.WrapServiceError(errors.ErrCodeExtService, "failed to set password", err)
+	}
+
+	// Ensure a row was affected
+	if result.RowsAffected() != 1 {
+		return errors.WrapServiceError(errors.ErrCodeExtService, "auth methods unaffected", err)
+	}
+
+	return nil
+}
+
+func (c postgresController) VerifyPassword(ctx context.Context, userId string, password string) (bool, error) {
+	hashedPassword, err := c.getPasswordAuthMethod(ctx, userId)
+	if err != nil {
+		return false, err
+	}
+
+	match := auth.CompareHashAndPassword(password, hashedPassword)
+	if !match {
+		return false, errors.WrapServiceError(errors.ErrCodeForbidden, "invalid user id or password", err)
+	}
+
+	return true, nil
+}
+
+func (c postgresController) DeleteAuthMethods(ctx context.Context, userId string) error {
+	_, err := c.cl.Exec(ctx, "DELETE FROM auth_methods WHERE user_id=$1", userId)
+	if err != nil {
+		return errors.WrapServiceError(errors.ErrCodeExtService, "failed to delete", err)
+	}
+
+	return nil
+}

internal/svc/auth/hashing.go

@@ -0,0 +1,40 @@
+// Copyright (C) 2024 Declan Teevan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package auth
+
+import (
+	"golang.org/x/crypto/bcrypt"
+)
+
+func HashPassword(password string) (string, error) {
+	// bcrypt has a 72 byte limitation on password length
+	// passwords are already validated to ensure no greater than 64 chars
+	hashedPasswordB, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+
+	return string(hashedPasswordB), nil
+}
+
+func CompareHashAndPassword(password string, hashedPassword string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
+	if err != nil {
+		return false
+	}
+
+	return true
+}

internal/svc/auth/jwt.go

@@ -0,0 +1,56 @@
+// Copyright (C) 2024 Declan Teevan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package auth
+
+import (
+	"time"
+
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwt"
+
+	"github.com/hexolan/stocklet/internal/pkg/errors"
+	"github.com/hexolan/stocklet/internal/pkg/gwauth"
+	pb "github.com/hexolan/stocklet/internal/pkg/protogen/auth/v1"
+)
+
+// Issues a JWT token
+func issueToken(cfg *ServiceConfig, sub string) (*pb.AuthToken, error) {
+	const expiryTime = 86400 // 1 day
+
+	// Set token claims
+	token := jwt.New()
+	claims := &gwauth.JWTClaims{
+		Subject:  sub,
+		IssuedAt: time.Now().Unix(),
+		Expiry:   time.Now().Unix() + expiryTime,
+	}
+
+	token.Set("sub", claims.Subject)
+	token.Set("iat", claims.IssuedAt)
+	token.Set("exp", claims.Expiry)
+
+	// Sign token
+	accessToken, err := jwt.Sign(token, jwt.WithKey(jwa.KeyAlgorithmFrom(cfg.ServiceOpts.PrivateKey), cfg.ServiceOpts.PrivateKey))
+	if err != nil {
+		return nil, errors.WrapServiceError(errors.ErrCodeService, "failed to sign JWT token", err)
+	}
+
+	return &pb.AuthToken{
+		TokenType:   "Bearer",
+		AccessToken: string(accessToken),
+		ExpiresIn:   expiryTime,
+	}, nil
+}