Documentation
Overview
Package auth provides a way for Encore applications to authenticate against Encore Platform services.
It provides a Sign function that signs a request and generates the headers required for an API call to Encore Platform services. The design of the Authorization header is based on AWS Signature Version 4, with the addition of an OperationHash value, which includes a hash of the request payload.
Constants
This section is empty.
Variables
var (
	ErrNoAuthorizationHeader = errors.New("no authorization header provided")
	ErrNoDateHeader          = errors.New("no date header or invalid format provided")
	ErrAuthenticationExpired = errors.New("authentication expired")
	ErrAuthenticationFailed  = errors.New("authentication failed")
	ErrInvalidSignature      = errors.New("invalid signature")
)
Functions
This section is empty.
Types
type ActionType
type ActionType string
const (
	Create ActionType = "create"
	Read   ActionType = "read"
	Update ActionType = "update"
	Delete ActionType = "delete"
)
type BytesPayload
type BytesPayload []byte
BytesPayload is a payload that is represented by a byte slice.
func (BytesPayload) DeterministicBytes
func (b BytesPayload) DeterministicBytes() []byte
type Headers
type Headers struct {
	Authorization string `header:"Authorization" encore:"sensitive"`
	Date          string `header:"Date"`
}
Headers are the headers that are used to authenticate a request.
func Sign
Sign creates the authorization headers for a new request.
The signature algorithm is based on the AWS Signature Version 4 signing process and is valid for 2 minutes from the time the request is signed.
func SignForVerification
func SignForVerification(key *Key, appSlug, envName string, timestamp time.Time, operation OperationHash) *Headers
SignForVerification uses the Headers.SigningComponents from a received request to generate a new set of headers that can be used to verify the request using Headers.Equal.
This function should not be used to sign a new request, for that use Sign.
func (*Headers) Equal
Equal returns true if the headers are equal.
It compares the Authorization and Date headers using hmac.Equal to prevent timing attacks.
func (*Headers) SigningComponents
func (h *Headers) SigningComponents() (keyID uint32, appSlug, envName string, timestamp time.Time, operationHash OperationHash, err error)
SigningComponents returns the components of the authorization header.
type Key
type Key struct {
	KeyID uint32 `json:"kid"`
	Data  []byte `json:"data" encore:"sensitive"` // secret key data
}
Key is a MAC key for authenticating communication between an Encore app and the Encore Platform. It is designed to be JSON marshalable, but as it contains secret material care must be taken when using it.
type OperationHash
type OperationHash string
An OperationHash is a hash that is used to verify that an operation is allowed.
func GetVerifiedOperationHash
func GetVerifiedOperationHash(req *http.Request, keys []Key, clock clock.Clock) (OperationHash, error)
GetVerifiedOperationHash returns the operation hash from the request if the request is authenticated. If the request is not authenticated, it returns an error.
Once the operation hash has been verified and extracted from the HTTP headers, it can be used to verify the request body.
func NewOperationHash
func NewOperationHash(object ObjectType, action ActionType, payload Payload, additionalContext ...[]byte) (OperationHash, error)
NewOperationHash creates a new operation hash.
An operation hash is the result of combining the object type, the action type and the payload. Additional context can be added to the hash by passing in additional byte slices.
func (OperationHash) HashString
func (h OperationHash) HashString() string
HashString returns the hex encoded hash.
func (OperationHash) Verify
func (h OperationHash) Verify(object ObjectType, action ActionType, payload Payload, additionalContext ...[]byte) (bool, error)
Verify verifies that the operation hash matches the given object and action.
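The signing and verification flow this page documents, written out as an added, self-contained example; it is not the encore auth package's own code and does not import it. Names that match the documentation (Key, Headers, OperationHash, Sign, Equal, SigningComponents, GetVerifiedOperationHash, NewOperationHash, Verify and the five sentinel errors) follow the documented behaviour: a two-minute validity window, hmac.Equal for header comparison, and the header check before the body check. Everything else is an assumption of this example: the Date header uses RFC 3339, the Authorization layout is `EncoreAuth kid/app/env/op/sig` (loosely modelled on SigV4's credential scope), the operation hash is a length-prefixed SHA-256, Sign takes (key, appSlug, envName, time, operationHash) in that order, a plain time.Time stands in for clock.Clock, and the request body is a byte slice rather than a Payload.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Sentinel errors, named as in the package documentation.
var (
	ErrNoAuthorizationHeader = errors.New("no authorization header provided")
	ErrNoDateHeader          = errors.New("no date header or invalid format provided")
	ErrAuthenticationExpired = errors.New("authentication expired")
	ErrAuthenticationFailed  = errors.New("authentication failed")
	ErrInvalidSignature      = errors.New("invalid signature")
)

const (
	validity   = 2 * time.Minute // documented lifetime of a signature
	dateFormat = time.RFC3339    // assumption: Date header layout chosen for this example
	scheme     = "EncoreAuth "   // assumption: scheme prefix chosen for this example
)
// Key is a MAC key identified by KeyID; Data is the secret material.
type Key struct{ KeyID uint32; Data []byte }
// OperationHash is the hex SHA-256 over object type, action, payload and extra context.
type OperationHash string
// NewOperationHash length-prefixes every field so bytes cannot move between fields unnoticed.
func NewOperationHash(object, action string, payload []byte, additionalContext ...[]byte) OperationHash {
	h := sha256.New()
	for _, p := range append([][]byte{[]byte(object), []byte(action), payload}, additionalContext...) {
		fmt.Fprintf(h, "%d:", len(p))
		h.Write(p)
	}
	return OperationHash(hex.EncodeToString(h.Sum(nil)))
}
// Verify recomputes the hash for the claimed operation and compares it in constant time.
func (o OperationHash) Verify(object, action string, payload []byte, additionalContext ...[]byte) bool {
	return hmac.Equal([]byte(o), []byte(NewOperationHash(object, action, payload, additionalContext...)))
}
// Headers carries the two headers that travel with a signed request.
type Headers struct{ Authorization, Date string }
// Sign MACs app slug, environment, date and operation hash under the key, so changing any of them
// (the payload included, via the hash) invalidates the signature. Called with the timestamp parsed
// from a received request it does what the documented SignForVerification does.
func Sign(key *Key, appSlug, envName string, now time.Time, op OperationHash) *Headers {
	date := now.UTC().Format(dateFormat)
	mac := hmac.New(sha256.New, key.Data)
	fmt.Fprintf(mac, "%s\n%s\n%s\n%s", appSlug, envName, date, op)
	auth := fmt.Sprintf("%s%d/%s/%s/%s/%s", scheme, key.KeyID, appSlug, envName, op, hex.EncodeToString(mac.Sum(nil)))
	return &Headers{Authorization: auth, Date: date}
}
// Equal compares both headers with hmac.Equal so timing does not reveal how many bytes matched.
func (h *Headers) Equal(other *Headers) bool {
	return hmac.Equal([]byte(h.Authorization), []byte(other.Authorization)) && hmac.Equal([]byte(h.Date), []byte(other.Date))
}
// SigningComponents parses the received headers; nothing it returns is trusted until the signature is recomputed.
func (h *Headers) SigningComponents() (keyID uint32, appSlug, envName string, ts time.Time, op OperationHash, err error) {
	if h.Authorization == "" {
		return 0, "", "", time.Time{}, "", ErrNoAuthorizationHeader
	}
	if ts, err = time.Parse(dateFormat, h.Date); err != nil { // also catches a missing Date header
		return 0, "", "", time.Time{}, "", ErrNoDateHeader
	}
	parts := strings.Split(strings.TrimPrefix(h.Authorization, scheme), "/")
	kid, err := strconv.ParseUint(parts[0], 10, 32)
	if len(parts) != 5 || err != nil {
		return 0, "", "", time.Time{}, "", ErrAuthenticationFailed
	}
	return uint32(kid), parts[1], parts[2], ts, OperationHash(parts[3]), nil
}
// GetVerifiedOperationHash releases the hash only after the freshness window and signature check pass.
func GetVerifiedOperationHash(h *Headers, keys []Key, now time.Time) (OperationHash, error) {
	keyID, app, env, ts, op, err := h.SigningComponents()
	if err != nil {
		return "", err
	}
	if ts.After(now) || now.Sub(ts) > validity { // reject future-dated and stale signatures
		return "", ErrAuthenticationExpired
	}
	for i := range keys {
		if keys[i].KeyID != keyID {
			continue
		}
		if !h.Equal(Sign(&keys[i], app, env, ts, op)) {
			return "", ErrInvalidSignature
		}
		return op, nil
	}
	return "", ErrAuthenticationFailed // no key with that ID
}
func main() {
	key := Key{KeyID: 7, Data: []byte("constructed-demo-secret")}
	body := []byte(`{"app":"demo"}`) // constructed request body
	h := Sign(&key, "demo", "prod", time.Now(), NewOperationHash("deployment", "create", body))
	op, err := GetVerifiedOperationHash(h, []Key{key}, time.Now())
	fmt.Println(err, op.Verify("deployment", "create", body), op.Verify("deployment", "delete", body))
}
```

The order of checks in GetVerifiedOperationHash is the point worth copying: the timestamp window is enforced before any MAC work, the operation hash is handed back only once the signature over app, environment, date and hash has been recomputed with the key named by kid and compared with hmac.Equal, and the caller still has to run Verify against the actual body, which is what stops a valid signature from being replayed with a different payload inside the two-minute window.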