Documentation ¶
Overview ¶
Package authjwt implements JWT authentication.
Index ¶
- func HandlerFuncAuthJWTWrapper(hf func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request)
- func HandlerFuncNoAuthWrapper(hf func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request)
- func Init(configIn Config, mux *http.ServeMux)
- type AuditWriter
- type Config
- type Credential
- type CustomClaims
- type Info
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func HandlerFuncAuthJWTWrapper ¶
func HandlerFuncAuthJWTWrapper(hf func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request)
HandlerFuncAuthJWTWrapper is a basic wrapper that verifies the call is authenticated. Use it directly, or, where additional checks such as authorization or role are needed, use it as a template for your own wrapper. Note that this wrapper also handles audit logging (an entry for every DELETE, POST and PUT request).
func HandlerFuncNoAuthWrapper ¶
func HandlerFuncNoAuthWrapper(hf func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request)
HandlerFuncNoAuthWrapper is a basic wrapper that DOES NOT authenticate, but does handle audit logging (an entry for every DELETE, POST and PUT request).
Types ¶
type AuditWriter ¶
type AuditWriter struct {
    http.ResponseWriter
    Message    string
    StatusCode int
}
AuditWriter wraps the http.ResponseWriter passed to handlers in order to store information that is written to the audit log as the handler exits. Applications using this package need to populate Message, as the package's own handlers do, for messages to show up in the audit log. Best practice is to set the audit Message only once all validations are complete and the handler is returning a success status; validation failures and other errors belong in the application log, not the audit log.
func (*AuditWriter) WriteHeader ¶
func (aw *AuditWriter) WriteHeader(status int)
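The following is an added example, not code from the authjwt package, showing the audit-logging pattern described for AuditWriter and the two wrappers: a ResponseWriter wrapper that records the status, a wrapper in the role of HandlerFuncNoAuthWrapper that emits an audit entry for DELETE/POST/PUT after the handler returns, and a hypothetical deleteItem handler that sets Message only after validation has passed. The AuditEntry type, the sink callback, the deleteItem handler and the request targets are assumptions made for this illustration; the package itself writes to a logh logger rather than a callback.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
)

// AuditWriter mirrors the shape documented for the package's AuditWriter: it
// wraps the handler's http.ResponseWriter, records the status written, and
// carries the Message the handler sets once its work has succeeded.
type AuditWriter struct {
	http.ResponseWriter
	Message    string
	StatusCode int
}

// WriteHeader records the status before passing it on.
func (aw *AuditWriter) WriteHeader(status int) {
	aw.StatusCode = status
	aw.ResponseWriter.WriteHeader(status)
}

// AuditEntry is one audit-log record (assumed shape for this example).
type AuditEntry struct {
	Method, Path, Message string
	Status                int
}

// isAudited reports whether the method is one the wrappers audit.
func isAudited(method string) bool {
	return method == http.MethodDelete || method == http.MethodPost || method == http.MethodPut
}

// auditWrap plays the role of HandlerFuncNoAuthWrapper: no authentication, but
// every DELETE/POST/PUT gets an audit entry after the handler returns. Entries go
// to sink so they can be inspected offline; the package writes them to a logger.
func auditWrap(sink func(AuditEntry), hf http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		aw := &AuditWriter{ResponseWriter: w, StatusCode: http.StatusOK} // 200 if the handler never calls WriteHeader
		hf(aw, r)
		if isAudited(r.Method) {
			sink(AuditEntry{Method: r.Method, Path: r.URL.Path, Message: aw.Message, Status: aw.StatusCode})
		}
	}
}

// deleteItem is a hypothetical handler. It sets Message only after validation
// has passed and the operation succeeded; a failure is reported to the client
// (and belongs in the application log), so the audit Message stays empty.
func deleteItem(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Query().Get("id")
	if id == "" {
		http.Error(w, "missing id", http.StatusBadRequest)
		return
	}
	if aw, ok := w.(*AuditWriter); ok {
		aw.Message = "deleted item " + id
	}
	w.WriteHeader(http.StatusNoContent)
}

// runAudit sends one constructed request (no network) through the wrapped
// handler and returns the audit entries it produced.
func runAudit(method, target string) []AuditEntry {
	var entries []AuditEntry
	h := auditWrap(func(e AuditEntry) { entries = append(entries, e) }, deleteItem)
	h(httptest.NewRecorder(), httptest.NewRequest(method, target, nil))
	return entries
}

func main() {
	for _, target := range []string{"/items?id=42", "/items"} {
		for _, e := range runAudit(http.MethodDelete, target) {
			log.Printf("audit: %s %s status=%d message=%q", e.Method, e.Path, e.Status, e.Message)
		}
	}
}
```

A GET through the same wrapper produces no entry at all; a DELETE that fails validation still produces an entry (method, path and 400 status) but with an empty Message, which is the distinction the AuditWriter documentation is drawing.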
type Config ¶
type Config struct {
    // AppName is used to populate the Issuer field of the Claims.
    AppName string

    // AuditLogName is the name of the logh logger for the audit log. Callers
    // must create their own logh loggers or output will go to STDOUT.
    AuditLogName string

    // DataSourcePath is the path to the SQLite database used to persist auth and tokens.
    DataSourcePath string

    // CreateRequiresAuth - when true, requires an already authorized caller to create new
    // credentials. When false any caller can create their own auth.
    CreateRequiresAuth bool

    // JWTAuthRemoveInterval is the interval at which a GO routine runs, checks for expired
    // tokens, and invalidates all expired tokens. (A user can login from multiple devices
    // and can have more than one outstanding token.)
    JWTAuthRemoveInterval time.Duration

    // JWTAuthExpirationInterval is the duration for which a token is valid.
    JWTAuthExpirationInterval time.Duration

    // JWTPrivateKeyPath is the path to the private key used for signing the tokens.
    JWTPrivateKeyPath string

    // JWTPublicKeyPath is the path to the public key used to verify token signatures.
    JWTPublicKeyPath string

    // LogName is the name of the logh logger for general logging. Callers
    // must create their own logh loggers or output will go to STDOUT.
    LogName string

    // PasswordValidation is a slice of REGEX used for password validation. If nothing is
    // provided, defaultPasswordValidation is used.
    PasswordValidation []string

    // PathCreateOrUpdate is the final portion of the URL path for auth create or update.
    // If empty the default is used: /auth/createorupdate
    // Valid HTTP methods: http.MethodPost, http.MethodPut
    PathCreateOrUpdate string

    // PathDelete is the final portion of the URL path for delete. If empty the
    // default is used: /auth/delete
    // Valid HTTP methods: http.MethodDelete
    PathDelete string

    // PathInfo is the final portion of the URL path for info. If empty the
    // default is used: /auth/info
    // Valid HTTP methods: http.MethodGet
    PathInfo string

    // PathLogin is the final portion of the URL path for login. If empty the
    // default is used: /auth/login
    // Valid HTTP methods: http.MethodPut
    PathLogin string

    // PathLogout is the final portion of the URL path for logout. If empty the
    // default is used: /auth/logout
    // Valid HTTP methods: http.MethodDelete
    PathLogout string

    // PathLogoutAll is the final portion of the URL path for logout-all. If empty the
    // default is used: /auth/logout-all
    // Valid HTTP methods: http.MethodDelete
    PathLogoutAll string

    // PathRefresh is the final portion of the URL path for refresh. If empty the
    // default is used: /auth/refresh
    // Valid HTTP methods: http.MethodPost
    PathRefresh string

    // contains filtered or unexported fields
}
type Credential ¶
Credential is what is supplied by the HTTP request in order to authenticate.
func (*Credential) AuthCreate ¶
func (cred *Credential) AuthCreate() error
AuthCreate creates or updates an ID/authentication pair in kvsAuth. The function is exported so that applications can create auths directly, without going through the REST API.
type CustomClaims ¶
CustomClaims are the Claims for the JWT token.
func Authenticated ¶
func Authenticated(w http.ResponseWriter, r *http.Request) (*CustomClaims, error)
Authenticated checks the request for a valid token and returns the user's CustomClaims, or an error if authentication fails. The token is also verified to still exist in kvsToken, meaning the user has not logged out with that token. On any error the header is written with the appropriate http.Status; callers should not write the header status themselves.
func AuthenticatedNoTokenInvalidation ¶
func AuthenticatedNoTokenInvalidation(w http.ResponseWriter, r *http.Request) (*CustomClaims, error)
AuthenticatedNoTokenInvalidation checks the request for a valid token and returns the user's CustomClaims, or an error if authentication fails. The token is NOT verified to still exist in kvsToken; it may have been invalidated by a logout, so success from this function only means the token was valid at some point. This function should only be used by independent services that receive tokens but do not have access to kvsToken. On any error the header is written with the appropriate http.Status; callers should not write the header status themselves.
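The difference between Authenticated and AuthenticatedNoTokenInvalidation is easiest to see with a token store in hand. The following is an added example, not the authjwt package's own code: a minimal EdDSA (ed25519) JWT signer and verifier from the Go standard library, a plain map standing in for kvsToken, and a scenario that runs one token through login, logout, expiry, a forged payload and an "alg":"none" header. The claims field set (sub, jti, exp), the key type, the in-memory store and the error values are assumptions for this illustration; the package persists tokens in SQLite and loads its keys from JWTPrivateKeyPath/JWTPublicKeyPath.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"log"
	"strings"
	"time"
)

// claims is a cut-down stand-in for the package's CustomClaims (field set assumed).
type claims struct {
	Subject string `json:"sub"`
	TokenID string `json:"jti"`
	Expires int64  `json:"exp"`
}

var (
	b64          = base64.RawURLEncoding
	errBadToken  = errors.New("malformed, wrong-alg or badly signed token")
	errExpired   = errors.New("token expired")
	errLoggedOut = errors.New("token no longer in the live-token store")
)

// sign issues an EdDSA (ed25519) JWT over the claims.
func sign(priv ed25519.PrivateKey, c claims) string {
	body, _ := json.Marshal(c) // a struct of strings and ints cannot fail to marshal
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verify checks shape, pinned algorithm, signature and expiry: the AuthenticatedNoTokenInvalidation level.
func verify(pub ed25519.PublicKey, token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errBadToken
	}
	// Pin the algorithm before touching the signature so "alg":"none" or key confusion cannot change the check.
	var hdr struct{ Alg string `json:"alg"` }
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errBadToken
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errBadToken
	}
	body, err := b64.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errBadToken
	}
	if now.Unix() >= c.Expires {
		return nil, errExpired
	}
	return &c, nil
}

// verifyLive is the Authenticated level: verify, plus the token ID must still be in live (the kvsToken stand-in).
func verifyLive(pub ed25519.PublicKey, live map[string]bool, token string, now time.Time) (*claims, error) {
	c, err := verify(pub, token, now)
	if err == nil && !live[c.TokenID] {
		return nil, errLoggedOut
	}
	return c, err
}

// outcome holds the error from each check in scenario (nil means the token was accepted).
type outcome struct {
	BeforeLogout, AfterLogout, AfterLogoutNoInvalidation, Expired, Tampered, AlgNone error
}

// scenario walks login, logout, expiry and two hostile tokens for one key pair.
func scenario(pub ed25519.PublicKey, priv ed25519.PrivateKey) outcome {
	now := time.Now()
	c := claims{Subject: "alice", TokenID: "t-1", Expires: now.Add(time.Hour).Unix()}
	tok := sign(priv, c)
	live := map[string]bool{c.TokenID: true} // login records the token as live
	var o outcome
	_, o.BeforeLogout = verifyLive(pub, live, tok, now)
	delete(live, c.TokenID) // logout removes it; signature and expiry are untouched
	_, o.AfterLogout = verifyLive(pub, live, tok, now)
	_, o.AfterLogoutNoInvalidation = verify(pub, tok, now)
	_, o.Expired = verify(pub, tok, now.Add(2*time.Hour))
	parts := strings.Split(tok, ".")
	forged := b64.EncodeToString([]byte(`{"sub":"mallory","jti":"t-1","exp":9999999999}`))
	_, o.Tampered = verify(pub, parts[0]+"."+forged+"."+parts[2], now)
	noneHdr := b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	_, o.AlgNone = verify(pub, noneHdr+"."+parts[1]+".", now)
	return o
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("%+v", scenario(pub, priv))
}
```

After logout the same token still passes verify (AfterLogoutNoInvalidation is nil) but fails verifyLive with errLoggedOut, which is exactly why a service without access to kvsToken can only claim the token was valid at some point. The forged payload and the "alg":"none" header are both rejected as errBadToken because the algorithm is pinned and the signature is checked before any claim is trusted; a real store also needs locking, persistence and the periodic sweep that JWTAuthRemoveInterval describes.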