authentication

package


Constants

// Path components under which each provider handler mounts its two
// endpoints. They are joined onto the authorize and callback routers that
// are passed to the providers' Register methods (see
// GithubCookieHandler.Register and OpenIDConnectCookieHandler.Register).
const (
	// AuthorizePath indicates the name for the path component used for authorization handlers
	AuthorizePath = "authorize"
	// CallbackPath indicates the name for the path component used for callback handlers
	CallbackPath = "callback"
)
// ForwardedQueryParamsKey is the key under which query parameters are carried
// from the authorize step to the callback step. Where the value is stored
// (query string, cookie or request context) is not visible in this listing —
// confirm in the authorize/callback handlers before relying on it.
const ForwardedQueryParamsKey = "forwarded_query_params"

Variables

This section is empty.

Functions

func NewCSRFMw

func NewCSRFMw(config CSRFConfig) func(handler http.Handler) http.Handler

func NewLoadUserMw

func NewLoadUserMw(config LoadUserConfig) func(handler http.Handler) http.Handler

func RedirectAlreadyAuthenticatedUsers

func RedirectAlreadyAuthenticatedUsers(matchString, matchRegex []string) func(handler http.Handler) http.Handler

func RequiresAuthentication

func RequiresAuthentication(handler http.Handler) http.Handler

func ValidateRedirectURIQueryParameter

func ValidateRedirectURIQueryParameter(matchString, matchRegex []string) func(handler http.Handler) http.Handler

Types

type AuthError added in v0.167.0

// AuthError is an error that additionally carries a machine-readable code,
// so callers can distinguish authentication failures without matching on
// the error text.
type AuthError interface {
	error
	// ErrorCode returns an identifier for the failure.
	ErrorCode() string
}

type CSRFConfig

// CSRFConfig configures the CSRF middleware returned by NewCSRFMw.
type CSRFConfig struct {
	// Path is presumably the cookie path scoping the CSRF cookie — confirm
	// against NewCSRFMw.
	Path            string
	// InsecureCookies relaxes the cookie security attributes (presumably the
	// Secure flag) so the middleware works over plain HTTP in development.
	// Never enable it in production.
	InsecureCookies bool
	// Secret is the key material protecting CSRF tokens. It must be
	// cryptographically random, kept out of logs and source control, and
	// rotating it should be expected to invalidate tokens already issued.
	Secret          []byte
}

type CSRFErrorHandler

// CSRFErrorHandler is an http.Handler with no state; it is presumably used
// as the failure handler of the CSRF middleware from NewCSRFMw.
type CSRFErrorHandler struct {
}

func (*CSRFErrorHandler) ServeHTTP

func (u *CSRFErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type CSRFTokenHandler

// CSRFTokenHandler is a stateless http.Handler that serves CSRF tokens to
// clients (presumably for use with the middleware from NewCSRFMw).
type CSRFTokenHandler struct{}

func (*CSRFTokenHandler) ServeHTTP

func (*CSRFTokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type Claims

// Claims decodes JWT claims. See https://www.iana.org/assignments/jwt/jwt.xhtml.
//
// Only the standard claims listed here get dedicated fields; everything
// else is kept in Raw and exposed through Custom.
type Claims struct {
	Issuer            string                 `json:"iss"`
	Subject           string                 `json:"sub"`
	Name              string                 `json:"name"`
	GivenName         string                 `json:"given_name"`
	FamilyName        string                 `json:"family_name"`
	MiddleName        string                 `json:"middle_name"`
	NickName          string                 `json:"nickname"`
	PreferredUsername string                 `json:"preferred_username"`
	Profile           string                 `json:"profile"`
	Picture           string                 `json:"picture"`
	Website           string                 `json:"website"`
	Email             string                 `json:"email"`
	// EmailVerified is excluded from JSON (`json:"-"`); it is derived from
	// EmailVerifiedRaw, which receives the wire value as-is because providers
	// are not consistent about encoding email_verified as a bool.
	EmailVerified     bool                   `json:"-"`
	EmailVerifiedRaw  interface{}            `json:"email_verified"`
	Gender            string                 `json:"gender"`
	BirthDate         string                 `json:"birthdate"`
	ZoneInfo          string                 `json:"zoneinfo"`
	Locale            string                 `json:"locale"`
	Location          string                 `json:"location"`
	// Raw holds the full decoded claim set; it is not re-serialized
	// (`json:"-"`) and is the source for Custom().
	Raw               map[string]interface{} `json:"-"`
}

Claims decodes JWT claims. See https://www.iana.org/assignments/jwt/jwt.xhtml.

func (*Claims) Custom added in v0.131.0

func (c *Claims) Custom() map[string]interface{}

Custom returns a non-nil map with the claims from c.Raw that are not parsed into a named field of Claims.

func (*Claims) ToUser added in v0.131.0

func (c *Claims) ToUser() *User

type ClaimsInfo

// ClaimsInfo holds the scopes_supported and claims_supported fields as
// found in OpenID Connect provider discovery metadata.
type ClaimsInfo struct {
	ScopesSupported []string `json:"scopes_supported"`
	ClaimsSupported []string `json:"claims_supported"`
}

type GithubConfig

// GithubConfig configures a GithubCookieHandler.
type GithubConfig struct {
	// Provider carries the settings shared by all provider types
	// (cookie codec, ID, HTTPS forcing, timeout).
	Provider     ProviderConfig
	ClientID     string
	// ClientSecret is a credential; keep it out of logs and client-visible
	// output.
	ClientSecret string
}

type GithubCookieHandler

// GithubCookieHandler implements cookie-based login through GitHub. It is
// constructed with NewGithubCookieHandler, mounted with Register, and
// satisfies OAuth2UserRetriever through its User method.
type GithubCookieHandler struct {
	// contains filtered or unexported fields
}

func NewGithubCookieHandler

func NewGithubCookieHandler(config GithubConfig, hooks Hooks, log *zap.Logger) *GithubCookieHandler

func (*GithubCookieHandler) Register

func (h *GithubCookieHandler) Register(authorizeRouter, callbackRouter *mux.Router)

func (*GithubCookieHandler) User added in v0.167.0

func (*GithubCookieHandler) User(ctx context.Context, log *zap.Logger, token *oauth2.Token) (*User, error)

type GithubUserEmail

// GithubUserEmail is one e-mail address entry as returned by GitHub's user
// e-mail API. Code that derives identity from an entry should only trust
// addresses with Verified set (and normally Primary), since unverified
// addresses can be claimed by anyone.
type GithubUserEmail struct {
	Email      string `json:"email"`
	Primary    bool   `json:"primary"`
	Verified   bool   `json:"verified"`
	Visibility string `json:"visibility"`
}

type GithubUserEmails

// GithubUserEmails is the list of e-mail entries for a GitHub user.
type GithubUserEmails []GithubUserEmail

type GithubUserInfo

// GithubUserInfo is the subset of GitHub's user object that this package
// decodes. ID (numeric) is the stable identifier; Login can be renamed by
// the user, so it should not be used as the primary key for an account.
type GithubUserInfo struct {
	AvatarURL string `json:"avatar_url"`
	ID        int64  `json:"id"`
	Location  string `json:"location"`
	Login     string `json:"login"`
	Name      string `json:"name"`
	NodeID    string `json:"node_id"`
}

type Hooks

// Hooks represents the interface for the available authentication hooks.
// An error returned from any hook is expected to abort the operation it
// runs in (confirm against the handlers that call them).
type Hooks interface {
	// PostAuthentication runs after authentication and doesn't mutate the user
	PostAuthentication(ctx context.Context, user *User) error
	// MutatingPostAuthentication runs after PostAuthentication and might mutate the user
	MutatingPostAuthentication(ctx context.Context, user *User) (*User, error)
	// PostLogout runs after logout and doesn't mutate the user
	PostLogout(ctx context.Context, user *User) error
	// RevalidateAuthentication is used when an API client requests the
	// authenticated user to be revalidated. It might mutate the user
	RevalidateAuthentication(ctx context.Context, user *User) (*User, error)
}

Hooks represents the interface for the available authentication hooks

type LoadUserConfig

// LoadUserConfig configures the middleware returned by NewLoadUserMw, which
// resolves the current User for a request.
type LoadUserConfig struct {
	Log             *zap.Logger
	// Cookie is the securecookie codec used for the session cookie; its keys
	// must match the ones the providers were configured with, or users saved
	// by a provider cannot be loaded here.
	Cookie          *securecookie.SecureCookie
	// InsecureCookies relaxes cookie security attributes for plain-HTTP
	// development; never enable it in production.
	InsecureCookies bool
	CSRFSecret      []byte
	// JwksProviders lists the key sets used to validate bearer tokens
	// (see UserLoadConfig.Keyfunc). Which issuer/audience checks are applied
	// is not visible here — confirm before trusting tokens from this path.
	JwksProviders   []*wgpb.JwksAuthProvider
	Hooks           Hooks
}

type OAuth2AuthenticationConfig added in v0.167.0

// OAuth2AuthenticationConfig configures an OAuth2AuthenticationHandler for
// a generic OAuth 2.0 provider.
type OAuth2AuthenticationConfig struct {
	Provider        ProviderConfig
	ClientID        string
	// ClientSecret is a credential; keep it out of logs and client-visible
	// output.
	ClientSecret    string
	Endpoint        oauth2.Endpoint
	Scopes          []string
	// QueryParameters are extra parameters, presumably appended to the
	// authorization request — confirm against Authorize.
	QueryParameters []QueryParameter
	Hooks           Hooks
	Log             *zap.Logger
}

type OAuth2AuthenticationHandler added in v0.167.0

// OAuth2AuthenticationHandler drives the authorization-code flow for a
// generic OAuth 2.0 provider; Authorize starts it and Callback completes it,
// delegating the token-to-User mapping to an OAuth2UserRetriever.
type OAuth2AuthenticationHandler struct {
	// contains filtered or unexported fields
}

func NewOAuth2AuthenticationHandler added in v0.167.0

func NewOAuth2AuthenticationHandler(config OAuth2AuthenticationConfig, retriever OAuth2UserRetriever) *OAuth2AuthenticationHandler

func (*OAuth2AuthenticationHandler) Authorize added in v0.167.0

func (*OAuth2AuthenticationHandler) Callback added in v0.167.0

type OAuth2UserRetriever added in v0.167.0

// OAuth2UserRetriever turns an issued token into a User. Both
// GithubCookieHandler and OpenIDConnectCookieHandler provide a User method
// with this signature.
type OAuth2UserRetriever interface {
	User(ctx context.Context, log *zap.Logger, token *oauth2.Token) (*User, error)
}

type OpenIDConnectConfig

// OpenIDConnectConfig configures an OpenIDConnectCookieHandler.
type OpenIDConnectConfig struct {
	Provider        ProviderConfig
	// Issuer is the OpenID Provider issuer URL. It must be an https URL you
	// control the trust of: it is the root for discovery and key fetching.
	Issuer          string
	ClientID        string
	// ClientSecret is a credential; keep it out of logs and client-visible
	// output.
	ClientSecret    string
	// QueryParameters are extra parameters, presumably appended to the
	// authorization request — confirm against the handler.
	QueryParameters []QueryParameter
}

type OpenIDConnectCookieHandler

// OpenIDConnectCookieHandler implements cookie-based login through an
// OpenID Connect provider. It is constructed with
// NewOpenIDConnectCookieHandler (which can fail, e.g. on discovery),
// mounted with Register, and satisfies OAuth2UserRetriever via User.
type OpenIDConnectCookieHandler struct {
	// contains filtered or unexported fields
}

func NewOpenIDConnectCookieHandler

func NewOpenIDConnectCookieHandler(config OpenIDConnectConfig, hooks Hooks, log *zap.Logger) (*OpenIDConnectCookieHandler, error)

func (*OpenIDConnectCookieHandler) Register

func (h *OpenIDConnectCookieHandler) Register(authorizeRouter, callbackRouter *mux.Router)

func (*OpenIDConnectCookieHandler) User added in v0.167.0

func (h *OpenIDConnectCookieHandler) User(ctx context.Context, log *zap.Logger, token *oauth2.Token) (*User, error)

type OpenIDConnectFlavor added in v0.126.0

// OpenIDConnectFlavor selects provider-specific behaviour for an
// OpenIDConnectProvider. The zero value is the standards-conformant default.
type OpenIDConnectFlavor int
const (
	// OpenIDConnectFlavorDefault applies plain OpenID Connect behaviour.
	OpenIDConnectFlavorDefault OpenIDConnectFlavor = iota
	// OpenIDConnectFlavorAuth0 enables Auth0-specific handling (the exact
	// differences are not visible here).
	OpenIDConnectFlavorAuth0
)

type OpenIDConnectProvider added in v0.126.0

// OpenIDConnectProvider represents a configured OpenID Connect provider,
// used at logout time through Disconnect.
type OpenIDConnectProvider struct {
	// contains filtered or unexported fields
}

func NewOpenIDConnectProvider added in v0.126.0

func NewOpenIDConnectProvider(issuer string, clientID string, clientSecret string, opts *OpenIDConnectProviderOptions) (*OpenIDConnectProvider, error)

func (*OpenIDConnectProvider) Disconnect added in v0.126.0

func (p *OpenIDConnectProvider) Disconnect(ctx context.Context, user *User) (*OpenIDDisconnectResult, error)

type OpenIDConnectProviderOptions added in v0.126.0

// OpenIDConnectProviderOptions are optional settings for
// NewOpenIDConnectProvider.
type OpenIDConnectProviderOptions struct {
	Flavor     OpenIDConnectFlavor
	// HTTPClient is used for outbound calls to the provider. If you supply
	// one, give it a timeout; the default http.Client has none.
	HTTPClient *http.Client
	Logger     *zap.Logger
}

type OpenIDConnectProviderSet added in v0.126.0

// OpenIDConnectProviderSet is a collection of OpenIDConnectProvider values
// addressable by ID (see Add and ByID); UserLogoutHandler uses it to find
// the provider to disconnect from.
type OpenIDConnectProviderSet struct {
	// contains filtered or unexported fields
}

func (*OpenIDConnectProviderSet) Add added in v0.126.0

func (*OpenIDConnectProviderSet) ByID added in v0.126.0

type OpenIDDisconnectResult added in v0.126.0

// OpenIDDisconnectResult is the outcome of OpenIDConnectProvider.Disconnect.
type OpenIDDisconnectResult struct {
	// Redirect indicates a URL that must be visited by the client to complete the logout.
	// It originates from the provider, so it should only ever be handed to
	// the client as a redirect target, never embedded unescaped in markup.
	Redirect string `json:"redirect,omitempty"`
}

func (*OpenIDDisconnectResult) RequiresClientCooperation added in v0.126.0

func (r *OpenIDDisconnectResult) RequiresClientCooperation() bool

type ProviderConfig added in v0.174.0

// ProviderConfig holds the common configuration between all authentication provider types.
type ProviderConfig struct {
	// ID identifies this provider instance (e.g. in redirect URLs and in User.ProviderID).
	ID              string
	// InsecureCookies relaxes cookie security attributes for plain-HTTP
	// development; never enable it in production.
	InsecureCookies bool
	// ForceRedirectHttps makes all redirect_uris become HTTPS when
	// redirecting out to the provider. Set it when TLS is terminated in
	// front of the application, so the redirect_uri registered with the
	// provider is never downgraded to http.
	ForceRedirectHttps bool
	// Cookie is the securecookie codec for the session cookie; it must be the
	// same one given to LoadUserConfig.
	Cookie             *securecookie.SecureCookie
	// AuthTimeout bounds how long an authentication attempt may take; what
	// exactly is timed (the whole flow or the provider round-trip) is not
	// visible here.
	AuthTimeout        time.Duration
}

ProviderConfig holds the common configuration between all authentication provider types

func (*ProviderConfig) RedirectProtocol added in v0.174.0

func (c *ProviderConfig) RedirectProtocol(r *http.Request, redirectURI string) string

RedirectProtocol returns the protocol (http or https) that should be used for the redirect out to this provider and back into the application. When ForceRedirectHttps is set, the result is always https; otherwise the protocol is guessed from the incoming request and the redirectURI to be used after authentication. Behind a TLS-terminating proxy that guess may see a plain-HTTP request, so set ForceRedirectHttps there rather than relying on the heuristic.

type QueryParameter added in v0.108.0

// QueryParameter is a name/value pair to add to a provider request.
type QueryParameter struct {
	Name  string
	Value string
}

type RBACEnforcer

// RBACEnforcer decides whether a request may run an operation, based on the
// role requirements of the wgpb.Operation it was built from
// (NewRBACEnforcer). Enforce reports proceed == true when the request is
// allowed.
type RBACEnforcer struct {
	// contains filtered or unexported fields
}

func NewRBACEnforcer

func NewRBACEnforcer(operation *wgpb.Operation) *RBACEnforcer

func (*RBACEnforcer) Enforce

func (e *RBACEnforcer) Enforce(r *http.Request) (proceed bool)

type RedirectURIValidator

// RedirectURIValidator checks post-login redirect targets against an
// allow-list of exact strings and regular expressions (NewRedirectValidator).
// This is the open-redirect guard: keep the list tight, and unless the
// implementation anchors them (not visible here), write regexes with ^ and $
// so a substring match cannot admit an attacker-controlled host.
type RedirectURIValidator struct {
	// contains filtered or unexported fields
}

func NewRedirectValidator

func NewRedirectValidator(matchString, matchRegex []string) *RedirectURIValidator

func (*RedirectURIValidator) GetValidatedRedirectURI

func (v *RedirectURIValidator) GetValidatedRedirectURI(r *http.Request) (redirectURI string, authorized bool)

func (*RedirectURIValidator) IsValid added in v0.175.0

func (v *RedirectURIValidator) IsValid(redirectURI string) bool

type User

// User holds user data for non public APIs (backend and hooks). Before
// exposing a User publicly, always call User.ToPublic().
//
// Note that the provider tokens at the bottom are tagged `omitempty`, not
// `-`, so any plain JSON encoding of a User (including what Save writes)
// carries them when set; only ToPublic strips them.
//
// XXX: Keep in sync with the TS side (wellKnownClaimField, type User, type WunderGraphUser)
type User struct {
	ProviderName      string `json:"provider,omitempty"`
	ProviderID        string `json:"providerId,omitempty"`
	UserID            string `json:"userId,omitempty"`
	Name              string `json:"name,omitempty"`
	FirstName         string `json:"firstName,omitempty"`
	LastName          string `json:"lastName,omitempty"`
	MiddleName        string `json:"middleName,omitempty"`
	NickName          string `json:"nickName,omitempty"`
	PreferredUsername string `json:"preferredUsername,omitempty"`
	Profile           string `json:"profile,omitempty"`
	Picture           string `json:"picture,omitempty"`
	Website           string `json:"website,omitempty"`
	Email             string `json:"email,omitempty"`
	EmailVerified     bool   `json:"emailVerified,omitempty"`
	Gender            string `json:"gender,omitempty"`
	BirthDate         string `json:"birthDate,omitempty"`
	ZoneInfo          string `json:"zoneInfo,omitempty"`
	Locale            string `json:"locale,omitempty"`
	Location          string `json:"location,omitempty"`
	// Expires indicate the unix timestamp in milliseconds when this User is
	// considered as expired. This can only be set from the authentication
	// hooks. HasExpired reads it.
	Expires *int64 `json:"expires,omitempty"`

	CustomClaims     map[string]interface{} `json:"customClaims,omitempty"`
	CustomAttributes []string               `json:"customAttributes,omitempty"`
	// Roles has no omitempty: it is always emitted, as null when unset.
	Roles            []string               `json:"roles"`
	/* Internal fields */
	// ExpiresAt is never serialized.
	ExpiresAt      time.Time       `json:"-"`
	ETag           string          `json:"etag,omitempty"`
	// FromCookie records that the user was loaded from the session cookie
	// rather than from a bearer token.
	FromCookie     bool            `json:"fromCookie,omitempty"`
	// Provider tokens. These are secrets: they are serialized when set and
	// must not reach clients or logs — use ToPublic.
	AccessToken    json.RawMessage `json:"accessToken,omitempty"`
	RawAccessToken string          `json:"rawAccessToken,omitempty"`
	IdToken        json.RawMessage `json:"idToken,omitempty"`
	RefreshToken   string          `json:"refreshToken,omitempty"`
	RawIDToken     string          `json:"rawIdToken,omitempty"`
}

User holds user data for non public APIs (backend and hooks). Before exposing a User publicly, always call User.ToPublic().

XXX: Keep in sync with the TS side (wellKnownClaimField, type User, type WunderGraphUser)

func UserFromContext

func UserFromContext(ctx context.Context) *User

func (*User) HasExpired added in v0.159.0

func (u *User) HasExpired() bool

HasExpired returns true iff the user has expired, as configured by the authentication hooks (via User.Expires).

func (*User) Load

func (u *User) Load(loader *UserLoader, w http.ResponseWriter, r *http.Request) error

func (*User) Save

func (u *User) Save(s *securecookie.SecureCookie, w http.ResponseWriter, r *http.Request, insecureCookies bool) error

func (*User) ToPublic added in v0.132.0

func (u *User) ToPublic(publicClaims []string) *User

ToPublic returns a copy of the User with the fields not intended for public consumption (such as the provider tokens) erased. If publicClaims is non-empty, only the fields listed in it are included. Each public claim must be either a well-known claim (as in the WG_CLAIM enum) or a JSON path to a custom claim.

type UserHandler added in v0.126.0

// UserHandler serves the current user to API clients.
type UserHandler struct {
	Log             *zap.Logger
	Host            string
	// InsecureCookies relaxes cookie security attributes for plain-HTTP
	// development; never enable it in production.
	InsecureCookies bool
	Hooks           Hooks
	Cookie          *securecookie.SecureCookie
	// PublicClaims restricts which claims are exposed; it matches the
	// publicClaims argument of User.ToPublic.
	PublicClaims    []string
}

func (*UserHandler) ServeHTTP added in v0.126.0

func (u *UserHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type UserLoadConfig

// UserLoadConfig carries the key material used to validate bearer tokens
// when loading a User; see Keyfunc.
type UserLoadConfig struct {
	// contains filtered or unexported fields
}

func (*UserLoadConfig) Keyfunc added in v0.128.0

func (cfg *UserLoadConfig) Keyfunc() jwt.Keyfunc

Keyfunc returns a function for retrieving a token key from the UserLoadConfig's key set if there are any keys. Otherwise, it returns nil.

type UserLoader

// UserLoader resolves a User for an incoming request; it is consumed by
// User.Load.
type UserLoader struct {
	// contains filtered or unexported fields
}

type UserLogoutHandler

// UserLogoutHandler ends the session. For OpenID Connect logins it can look
// up the provider in OpenIDProviders to perform a provider-side disconnect,
// which may require a client redirect (see OpenIDDisconnectResult).
type UserLogoutHandler struct {
	// InsecureCookies relaxes cookie security attributes for plain-HTTP
	// development; never enable it in production.
	InsecureCookies bool
	OpenIDProviders *OpenIDConnectProviderSet
	Hooks           Hooks
	Log             *zap.Logger
}

func (*UserLogoutHandler) ServeHTTP

func (u *UserLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
