Documentation
Index
- Constants
- func AuthFuncAuthenticated(user *Identity) error
- func Authorize(ctx context.Context, auth ...AuthFunc) error
- func MaskString(origin string) string
- func RandString(l int, s string) (string, error)
- type AuthFunc
- type ClientAuthorizer
- type ExtendedClaims
- type Identity
- type InMemoryTokenStore
- type JsonWebTokenStore
- type RedisTokenConfig
- type RedisTokenStore
- type ServerAuthorizer
- type Status
- type Token
- func (t *Token) Client() string
- func (t *Token) ExpiresAt() time.Time
- func (t *Token) HasScope(scope string) bool
- func (t *Token) IsExpired() bool
- func (t *Token) IssuedAt() time.Time
- func (t *Token) MarshalJSON() ([]byte, error)
- func (t *Token) Realm() string
- func (t *Token) Scope() []string
- func (t *Token) Subject() string
- func (t *Token) UnmarshalJSON(data []byte) error
- type TokenStore
Constants
const (
	// ErrInvalidToken is returned when the token is invalid.
	ErrInvalidToken = Status("token is invalid")
	// ErrExpiredToken is returned when the token is expired.
	ErrExpiredToken = Status("token is expired")
	// ErrInvalidTokenType is returned when the token type is invalid.
	ErrInvalidTokenType = Status("token type is invalid")
	// ErrInvalidTokenSignature is returned when the token signature is invalid.
	ErrInvalidTokenSignature = Status("token signature is invalid")
	// ErrUnsupportedSigningMethod is returned when the signing method is not supported.
	ErrUnsupportedSigningMethod = Status("unsupported signing method")
	// ErrUnsupportedTokenType is returned when the token type is not supported.
	ErrUnsupportedTokenType = Status("unsupported token type")
	// ErrUnsupportedOperation is returned when the operation is not supported.
	ErrUnsupportedOperation = Status("unsupported operation")
	// ErrInvalidAuthExprOutput is returned when the authorization expression does not return a boolean.
	ErrInvalidAuthExprOutput = Status("authorization expression must return a boolean")
	// ErrUnauthenticated is returned when the user is not authenticated.
	ErrUnauthenticated = Status("unauthenticated")
	// ErrPermissionDenied is returned when the user does not have permission to perform the operation.
	ErrPermissionDenied = Status("permission denied")
)
const (
	AUTH_HEADER_KEY    = "Authorization"
	AUTH_SCHEMA_BASIC  = "basic"
	AUTH_SCHEMA_BEARER = "bearer"
)
const (
	TOKEN_TYPE_BEARER  = "Bearer"
	TOKEN_TYPE_REFRESH = "Refresh"
)
const (
	DEFAULT_PASSWORD_SYMBOLS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+,.?/:;{}[]`~"
)
Variables
This section is empty.
Functions
func AuthFuncAuthenticated
func AuthFuncAuthenticated(user *Identity) error
AuthFuncAuthenticated returns an AuthFunc that requires that the identity is authenticated.
func Authorize
func Authorize(ctx context.Context, auth ...AuthFunc) error
Authorize authorizes the identity in the given context with the given auth functions.
func MaskString
func MaskString(origin string) string
MaskString masks the given string: the middle third of the string is replaced with asterisks.
Types
type AuthFunc
AuthFunc is a function that authorizes an identity.
func AuthFuncExpiression
AuthFuncExpiression returns an AuthFunc that evaluates the given expression. The expression must return a boolean and is evaluated with the identity as its context. Example:
AuthFuncExpiression(`Token().Realm() == "default"`)
func AuthFuncRequireRealm
AuthFuncRequireRealm returns an AuthFunc that requires that the identity has the given realm.
func AuthFuncRequireSchema
AuthFuncRequireSchema returns an AuthFunc that requires that the identity has the given schema.
func AuthFuncRequireScope
AuthFuncRequireScope returns an AuthFunc that requires that the identity has the given scope.
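As an added example (not the package's own code), a minimal stand-in for Identity, AuthFunc and Authorize showing how the checks above compose: Authorize is deny-by-default and every AuthFunc must pass, a missing identity fails with ErrUnauthenticated before any claim is read, and a scope check splits the space-separated scope claim so that a prefix such as "read" never satisfies "reader". Identity, WithIdentity, ctxKey and the two error variables are constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"strings"
)
// Constructed stand-ins for the page's unexported types; this is example code, not the package's own.
var (
	ErrUnauthenticated  = errors.New("unauthenticated")
	ErrPermissionDenied = errors.New("permission denied")
)
// Identity is the authentication result (nil: no credential); scope is the raw space-separated claim.
type Identity struct{ scope string }
type ctxKey struct{}
// WithIdentity stores the identity in ctx as a server interceptor would after verifying a token.
func WithIdentity(ctx context.Context, scope string) context.Context {
	return context.WithValue(ctx, ctxKey{}, &Identity{scope: scope})
}
type AuthFunc func(user *Identity) error
func AuthFuncAuthenticated(user *Identity) error {
	if user == nil {
		return ErrUnauthenticated
	}
	return nil
}
// AuthFuncRequireScope splits the claim on whitespace (RFC 6749 §3.3), so "read" never matches "reader".
func AuthFuncRequireScope(scope string) AuthFunc {
	return func(user *Identity) error {
		if err := AuthFuncAuthenticated(user); err != nil {
			return err // never dereference a missing identity
		}
		for _, have := range strings.Fields(user.scope) {
			if have == scope {
				return nil
			}
		}
		return ErrPermissionDenied
	}
}
// Authorize is deny-by-default: the identity in ctx must pass every AuthFunc; the first failure wins.
func Authorize(ctx context.Context, auth ...AuthFunc) error {
	user, _ := ctx.Value(ctxKey{}).(*Identity)
	for _, fn := range auth {
		if err := fn(user); err != nil {
			return err
		}
	}
	return nil
}
```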
type ClientAuthorizer
type ClientAuthorizer struct {
// contains filtered or unexported fields
}
ClientAuthorizer provides client-side grpc interceptors for authorization.
func NewClientAuthorizer
func NewClientAuthorizer(cred credentials.PerRPCCredentials) *ClientAuthorizer
NewClientAuthorizer returns a new ClientAuthorizer with the given credentials.
func (*ClientAuthorizer) StreamClientInterceptor
func (auth *ClientAuthorizer) StreamClientInterceptor() grpc.StreamClientInterceptor
StreamClientInterceptor returns a grpc.StreamClientInterceptor that authorizes the client connection with the given credentials.
func (*ClientAuthorizer) UnaryClientInterceptor
func (auth *ClientAuthorizer) UnaryClientInterceptor() grpc.UnaryClientInterceptor
UnaryClientInterceptor returns a grpc.UnaryClientInterceptor that authorizes the client connection with the given credentials.
type ExtendedClaims
type ExtendedClaims struct {
	jwt.RegisteredClaims
	// the `typ` (Type) claim. A custom claim to identify the type of the token.
	Type string `json:"typ,omitempty"`
	// the `realm` (Realm) claim. A custom claim to identify the realm of the token.
	Realm string `json:"realm,omitempty"`
	// the `azp` (Authorized party) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
	Client string `json:"azp,omitempty"`
	// the `scope` (Scope) claim. See https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
	// Note: the scope claim is a space-separated list of scopes, not a JSON array.
	Scope string `json:"scope,omitempty"`
}
ExtendedClaims is a custom claims type that extends the default claims with additional claims.
type Identity
type Identity struct {
// contains filtered or unexported fields
}
Identity represents the result of authentication.
func IdentityFromContext
IdentityFromContext returns the identity from the given context.
func NewIdentity
NewIdentity returns a new Identity with the given schema and token.
type InMemoryTokenStore
type InMemoryTokenStore struct {
// contains filtered or unexported fields
}
InMemoryTokenStore is an in-memory token store.
type JsonWebTokenStore
type JsonWebTokenStore struct {
// contains filtered or unexported fields
}
JsonWebTokenStore is a token store that uses JSON Web Tokens (JWT) to store tokens.
func NewJsonWebTokenStore
func NewJsonWebTokenStore(tokenIssuer, tokenAudience, signingAlgName string, signingKeyData, verifyKeyData keyData) (*JsonWebTokenStore, error)
NewJsonWebTokenStore creates a new JSON Web Token (JWT) token store.
type RedisTokenConfig
type RedisTokenStore
type RedisTokenStore struct {
// contains filtered or unexported fields
}
RedisTokenStore is a token store that uses Redis to store tokens.
func NewRedisTokenStore
func NewRedisTokenStore(rdb rueidis.Client, bkt string) (*RedisTokenStore, error)
NewRedisTokenStore creates a new Redis token store.
type ServerAuthorizer
type ServerAuthorizer struct {
// contains filtered or unexported fields
}
ServerAuthorizer provides server-side grpc interceptors for authorization.
func NewServerAuthorizer
func NewServerAuthorizer(stores map[string]TokenStore) *ServerAuthorizer
NewServerAuthorizer returns a new ServerAuthorizer with the given token stores. Each key of the stores map is an authentication schema, and its value is the TokenStore that verifies credentials presented with that schema.
func (*ServerAuthorizer) StreamServerInterceptor
func (auth *ServerAuthorizer) StreamServerInterceptor() grpc.StreamServerInterceptor
StreamServerInterceptor returns a grpc.StreamServerInterceptor that authorizes the identity in the context.
func (*ServerAuthorizer) UnaryServerInterceptor
func (auth *ServerAuthorizer) UnaryServerInterceptor() grpc.UnaryServerInterceptor
UnaryServerInterceptor returns a grpc.UnaryServerInterceptor that authorizes the identity in the context.
type Status
type Status string
Status represents an error status.
func (Status) GRPCStatus
GRPCStatus returns the gRPC status for the error. It implements the GRPCStatus() method that status.FromError(error) looks for, so a Status returned from an interceptor reaches the client as a proper gRPC status rather than an Unknown error.
type Token
type Token struct {
// contains filtered or unexported fields
}
Token is used to authenticate a user. All fields are unexported, so they cannot be modified outside of this package.
func (*Token) MarshalJSON
func (*Token) UnmarshalJSON
type TokenStore
type TokenStore interface {
	// Issue issues a new token with the given ttl.
	Issue(token *Token, ttl time.Duration) (string, error)
	// Renew renews the token and returns the new one.
	Renew(value string, ttl time.Duration) (string, error)
	// Verify verifies the token and returns the token if valid.
	Verify(value string) (*Token, error)
	// Revoke revokes the token and returns the token if revoked.
	Revoke(value string) (*Token, error)
}
TokenStore is used to manage tokens.
func NewTokenStore
func NewTokenStore(cfg config.SecureTokenConfig, rdb rueidis.Client) (TokenStore, error)
NewTokenStore returns a new TokenStore with the given config. There are three types of token stores: jwt, redis, and memory. A rueidis.Client is required when the token store type is redis.