Documentation ¶
Index ¶
- Constants
- Variables
- func BlockAccount(ctx context.Context, realm, clientID string) error
- func ClientLoginConfirmationEndpoint(c echo.Context) error
- func ConfirmLoginChallenge(ctx context.Context, token string) (*account.Account, int, error)
- func CreateSimpleToken() string
- func GetAuthorizationEndpoint(c echo.Context) error
- func GetBearerToken(r *http.Request) (string, error)
- func GetClientID(ctx context.Context, r *http.Request) (string, error)
- func LoginConfirmationEndpoint(c echo.Context) error
- func LoginRequestEndpoint(c echo.Context) error
- func LogoutAccount(ctx context.Context, realm, clientID string) (int, error)
- func LogoutRequestEndpoint(c echo.Context) error
- func UpdateAuthorization(ctx context.Context, auth *Authorization) error
- type Authorization
- func CheckAuthorization(ctx context.Context, c echo.Context, scope string) (*Authorization, error)
- func DeleteAuthorization(ctx context.Context, realm, clientID string) (*Authorization, error)
- func ExchangeToken(ctx context.Context, req *AuthorizationRequest, expires int, loginFrom string) (*Authorization, int, error)
- func FindAuthorizationByToken(ctx context.Context, token string) (*Authorization, error)
- func LookupAuthorization(ctx context.Context, realm, clientID string) (*Authorization, error)
- func NewAuthorization(req *AuthorizationRequest, expires int) *Authorization
- type AuthorizationRequest
Constants ¶
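// Authentication types, token types, default scopes, default lifetimes and
// message templates of the auth package. The values are unchanged; the listing
// is restored to one declaration per line so that each comment applies to the
// identifier it precedes.
const (
	// AuthTypeBearerToken constant token
	AuthTypeBearerToken = "token"
	// AuthTypeJWT constant jwt
	AuthTypeJWT = "jwt"
	// AuthTypeSlack constant slack
	AuthTypeSlack = "slack"

	// Token types (other defaults). These match the values listed for
	// Authorization.TokenType: user, app, api, bot.
	UserTokenType = "user"
	AppTokenType  = "app"
	APITokenType  = "api"
	BotTokenType  = "bot"
	// DefaultTokenType is the token type used as the default; it is UserTokenType.
	DefaultTokenType = UserTokenType

	// DefaultScope is the default scope list: a comma separated list that
	// contains read and write access but not ScopeAPIAdmin.
	DefaultScope = "api:read,api:write"
	// ScopeAPIAdmin is the scope that Authorization.HasAdminScope looks for.
	ScopeAPIAdmin = "api:admin"

	// DefaultAuthenticationExpiration in minutes. Used when sending an account challenge or the temporary token.
	DefaultAuthenticationExpiration = 10
	// DefaultAuthorizationExpiration in days
	DefaultAuthorizationExpiration = 90

	// DefaultEndpoint is used to build the urls in the notifications.
	// NOTE(review): the default is plain http on localhost. The login links in
	// those notifications presumably carry the confirmation token, so a
	// deployment should override this with an https origin; confirm how the
	// endpoint is configured.
	DefaultEndpoint = "http://localhost:8080"

	// MsgAuthenticationNotFound is an error message template; %s receives the
	// account identifier.
	// NOTE(review): if this text reaches unauthenticated callers it tells them
	// whether an account exists; confirm where it is surfaced.
	MsgAuthenticationNotFound = "account '%s' not found"
)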
Variables ¶
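// Sentinel errors of the auth package. Each is a distinct value created with
// errors.New. The listing is restored to one declaration per line so that each
// comment applies to the identifier it precedes.
var (
	// ErrNotAuthorized indicates that the API caller is not authorized
	ErrNotAuthorized = errors.New("not authorized")
	// ErrAlreadyAuthorized carries the message "already authorized".
	// NOTE(review): presumably returned when a caller that already holds an
	// authorization starts another login; confirm against the callers.
	ErrAlreadyAuthorized = errors.New("already authorized")
	// ErrNoSuchEntity indicates that the authorization does not exist
	ErrNoSuchEntity = errors.New("entity does not exist")
	// ErrNoToken indicates that no bearer token was provided
	ErrNoToken = errors.New("no token provided")
	// ErrNoScope indicates that no scope was provided
	ErrNoScope = errors.New("no scope provided")
	// ErrInvalidRoute indicates that the route and/or its parameters are not valid
	ErrInvalidRoute = errors.New("invalid route")
)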
Functions ¶
func ClientLoginConfirmationEndpoint ¶ added in v2.7.0
func ClientLoginConfirmationEndpoint(c echo.Context) error
ClientLoginConfirmationEndpoint validates an email.
GET /login/:token status 201: account is confirmed, no redirect as this is meant to be called from e.g. the CLI status 400: the request could not be understood by the server due to malformed syntax status 401: token is wrong status 403: token is expired or has already been used status 404: token was not found
func ConfirmLoginChallenge ¶
ConfirmLoginChallenge confirms the account
func CreateSimpleToken ¶
func CreateSimpleToken() string
func GetAuthorizationEndpoint ¶
func GetAuthorizationEndpoint(c echo.Context) error
GetAuthorizationEndpoint exchanges a temporary confirmation token for a 'real' token.
POST /auth status 200: success, the real token is in the response status 401: token is expired or has already been used, token and user_id do not match status 404: token was not found
func GetBearerToken ¶
GetBearerToken extracts the bearer token
func GetClientID ¶
GetClientID extracts the ClientID from the token
func LoginConfirmationEndpoint ¶
func LoginConfirmationEndpoint(c echo.Context) error
LoginConfirmationEndpoint validates an email.
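GET /login/:token
status 307: account is confirmed, redirect to podops.dev/confirmed
status 400: the request could not be understood by the server due to malformed syntax
status 401: token is wrong
status 403: token is expired or has already been used
status 404: token was not found
Note: the token travels in the URL path, so it may be recorded in access logs and browser history; the expiry and single-use checks behind status 403 are what limit its replay.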
func LoginRequestEndpoint ¶
func LoginRequestEndpoint(c echo.Context) error
LoginRequestEndpoint initiates the login process.
It creates a new account if the user does not exist and sends a confirmation request. Once the account is confirmed, it will send the confirmation token that can be swapped for a real login token.
POST /login status 201: new account, account confirmation sent status 204: existing account, email with auth token sent status 400: invalid request data status 403: only logged-out and confirmed users can proceed
func LogoutRequestEndpoint ¶
func LogoutRequestEndpoint(c echo.Context) error
func UpdateAuthorization ¶
func UpdateAuthorization(ctx context.Context, auth *Authorization) error
UpdateAuthorization updates all data needed for the auth fu
Types ¶
type Authorization ¶
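// Authorization represents a user, app or bot and its permissions.
//
// The json tags decide which fields are serialized: Token is emitted under the
// key "token", so any response or log line that marshals this struct contains
// the secret. Revoked, Created and Updated are tagged json:"-" and are never
// part of the JSON form.
type Authorization struct {
	// ClientID identifies the client. UNIQUE.
	ClientID string `json:"client_id" binding:"required"`
	// Realm is the realm the authorization belongs to.
	Realm string `json:"realm"`
	// Token is the credential itself; treat the whole struct as sensitive.
	Token string `json:"token" binding:"required"`
	// TokenType is e.g. user,app,api,bot
	TokenType string `json:"token_type" binding:"required"`
	// UserID depends on TokenType. UserID could equal ClientID or BotUserID in Slack
	UserID string `json:"user_id"`
	// Scope is a comma separated list of scopes, e.g. "api:read,api:write".
	Scope string `json:"scope"`
	// Expires: 0 = never.
	// NOTE(review): the unit of a non-zero value is not visible here
	// (presumably a Unix timestamp); confirm against IsValid.
	Expires int64 `json:"expires"`

	// internal
	// Revoked marks the authorization as revoked; it is not serialized.
	Revoked bool `json:"-"`
	// Created is internal bookkeeping; it is not serialized.
	Created int64 `json:"-"`
	// Updated is internal bookkeeping; it is not serialized.
	Updated int64 `json:"-"`
}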
Authorization represents a user, app or bot and its permissions
func CheckAuthorization ¶
func CheckAuthorization(ctx context.Context, c echo.Context, scope string) (*Authorization, error)
CheckAuthorization relies on the presence of a bearer token and validates the matching authorization against a list of requested scopes. If everything checks out, the function returns the authorization; otherwise it returns an error.
func DeleteAuthorization ¶
func DeleteAuthorization(ctx context.Context, realm, clientID string) (*Authorization, error)
func ExchangeToken ¶
func ExchangeToken(ctx context.Context, req *AuthorizationRequest, expires int, loginFrom string) (*Authorization, int, error)
ExchangeToken confirms the temporary auth token and creates the permanent one
func FindAuthorizationByToken ¶
func FindAuthorizationByToken(ctx context.Context, token string) (*Authorization, error)
FindAuthorizationByToken looks for an authorization by the token
func LookupAuthorization ¶
func LookupAuthorization(ctx context.Context, realm, clientID string) (*Authorization, error)
LookupAuthorization looks for an authorization
func NewAuthorization ¶
func NewAuthorization(req *AuthorizationRequest, expires int) *Authorization
func (*Authorization) Equal ¶
func (ath *Authorization) Equal(a *Authorization) bool
func (*Authorization) HasAdminScope ¶
func (ath *Authorization) HasAdminScope() bool
HasAdminScope checks if the authorization includes scope 'api:admin'
func (*Authorization) IsValid ¶
func (ath *Authorization) IsValid() bool
IsValid verifies that the Authorization is still valid, i.e. is not expired and not revoked.
func (*Authorization) Key ¶
func (ath *Authorization) Key() string
type AuthorizationRequest ¶
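// AuthorizationRequest represents a login/authorization request from a user,
// app, or bot.
//
// Every field is populated from the request body via its json tag. Only Realm
// and UserID carry binding:"required"; ClientID, Token and Scope may be empty.
type AuthorizationRequest struct {
	// Realm the caller wants to log in to; required.
	Realm string `json:"realm" binding:"required"`
	// UserID of the caller; required.
	UserID string `json:"user_id" binding:"required"`
	// ClientID is optional in the request.
	ClientID string `json:"client_id"`
	// Token is optional in the request; GetAuthorizationEndpoint is documented
	// to reject a token that does not match user_id.
	Token string `json:"token"`
	// Scope is supplied by the caller.
	// NOTE(review): confirm the server decides the granted scope (for example
	// that "api:admin" cannot be obtained just by asking for it) rather than
	// copying this value into the Authorization.
	Scope string `json:"scope"`
}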
AuthorizationRequest represents a login/authorization request from a user, app, or bot