From bc291a1a1975610297786ffef374b76cbd179fcb Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Mon, 19 Feb 2024 15:20:54 +0100
Subject: [PATCH] Add secret kind prefix
---
 entity.go | 37 +++++++++++++++++++++++++++++++++++--
diff --git a/entity.go b/entity.go
index 84ac2b723a74ce0ebbbfb6182cd6bac5f04136bd..15c99c938f18a27b8fe98c0d3d6af0face5dfc91 100644
--- a/entity.go
+++ b/entity.go
@@ -270,8 +270,30 @@ func (code *AuthCode) VerifySecret(secret string) bool {
 return verifyHash(code.Hash, secret) && verifyExpiration(code.CreatedAt.Add(authCodeExpiration))
 }
 
+type SecretKind byte
+
+const (
+ SecretKindAccessToken = SecretKind('a')
+ SecretKindAuthCode = SecretKind('c')
+)
+
 func UnmarshalSecret[T entity](s string) (id ID[T], secret string, err error) {
- idStr, secret, _ := strings.Cut(s, ".")
+ kind, s, _ := strings.Cut(s, ".")
+ idStr, secret, ok := strings.Cut(s, ".")
+ if !ok || len(kind) != 1 {
+ return 0, "", fmt.Errorf("malformed secret")
+ }
+
+ switch SecretKind(kind[0]) {
+ case SecretKindAccessToken:
+ _, ok = interface{}(id).(ID[*AccessToken])
+ case SecretKindAuthCode:
+ _, ok = interface{}(id).(ID[*AuthCode])
+ }
+ if !ok {
+ return 0, "", fmt.Errorf("invalid secret kind %q", kind)
+ }
+
 id, err = ParseID[T](idStr)
 return id, secret, err
 }
@@ -280,7 +302,18 @@ func MarshalSecret[T entity](id ID[T], secret string) string {
 if id == 0 {
 panic("cannot marshal zero ID")
 }
- return fmt.Sprintf("%v.%v", int64(id), secret)
+
+ var kind SecretKind
+ switch interface{}(id).(type) {
+ case ID[*AccessToken]:
+ kind = SecretKindAccessToken
+ case ID[*AuthCode]:
+ kind = SecretKindAuthCode
+ default:
+ panic(fmt.Sprintf("unsupported secret kind for ID type %T", id))
+ }
+
+ return fmt.Sprintf("%v.%v.%v", string(kind), int64(id), secret)
 }
 
 func generateUID() (string, error) {
-- 
2.48.1
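Review bot: The `switch SecretKind(kind[0])` in UnmarshalSecret has no `default` case, so a one-byte prefix other than `'a'` or `'c'` leaves `ok` at the `true` it received from the second `strings.Cut`, and the following `if !ok` check lets the value through for any `T`. The kind check therefore fails open on unknown prefixes; adding `default: ok = false` (or assigning `ok = false` just before the switch) makes it fail closed. A table test with an unknown prefix and with a known prefix that does not match `T` would pin the behaviour. Separately, values in the previous `id.secret` layout now appear to be rejected as malformed, so outstanding tokens and codes are presumably invalidated on rollout; the commit message should say so if that is intended.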
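Review bot: The type switch added to MarshalSecret repeats the kind-to-type mapping that UnmarshalSecret encodes in a separate switch, and nothing ties the two together, so a kind added on one side only is mishandled at runtime rather than caught at compile time. A comment above the switch such as `// Keep in sync with the kind switch in UnmarshalSecret.` would flag the coupling. The function also deserves a doc comment stating the `<kind>.<id>.<secret>` layout and that it panics on a zero ID or an ID type without a kind. The signature sits in the hunk header, above the visible lines.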