auth

package
v1.26.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 21, 2026 License: MIT Imports: 35 Imported by: 32

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrOAuth2AuthorizationCodeInvalidated = errors.New("oauth2 authorization code already invalidated")
	ErrOAuth2GrantStaleCounter            = errors.New("oauth2 grant state changed during token refresh")
)
View Source 
var AllAccessTokenScopeCategories = []AccessTokenScopeCategory{
	AccessTokenScopeCategoryActivityPub,
	AccessTokenScopeCategoryAdmin,
	AccessTokenScopeCategoryMisc,
	AccessTokenScopeCategoryNotification,
	AccessTokenScopeCategoryOrganization,
	AccessTokenScopeCategoryPackage,
	AccessTokenScopeCategoryIssue,
	AccessTokenScopeCategoryRepository,
	AccessTokenScopeCategoryUser,
}

AllAccessTokenScopeCategories contains all access token scope categories

View Source 
var ErrAuthTokenNotExist = util.NewNotExistErrorf("auth token does not exist")
View Source 
var Names = map[Type]string{
	LDAP:   "LDAP (via BindDN)",
	DLDAP:  "LDAP (simple auth)",
	SMTP:   "SMTP",
	PAM:    "PAM",
	OAuth2: "OAuth2",
	SSPI:   "SPNEGO with SSPI",
}

Names contains the name of LoginType values.

Functions

func AccessTokenByNameExists added in v1.17.4 

func AccessTokenByNameExists(ctx context.Context, token *AccessToken) (bool, error)

AccessTokenByNameExists checks if a token name has been used already by a user.

func BuiltinApplications added in v1.21.0 

func BuiltinApplications() map[string]*BuiltinOAuth2Application

func CleanupSessions 

func CleanupSessions(ctx context.Context, maxLifetime int64) error

CleanupSessions cleans up expired sessions

func ContainsCategory added in v1.20.0 

func ContainsCategory(categories []AccessTokenScopeCategory, category AccessTokenScopeCategory) bool

ContainsCategory checks if a list of categories contains a specific category

func CountSessions 

func CountSessions(ctx context.Context) (int64, error)

CountSessions returns the number of sessions

func CreateSource 

func CreateSource(ctx context.Context, source *Source) error

CreateSource inserts a AuthSource in the DB if not already existing with the given name.

func DeleteAccessTokenByID added in v1.17.4 

func DeleteAccessTokenByID(ctx context.Context, id, userID int64) error

DeleteAccessTokenByID deletes access token by given ID.

func DeleteAuthTokenByID added in v1.22.0 

func DeleteAuthTokenByID(ctx context.Context, id string) error

func DeleteAuthTokensByUserID added in v1.22.0 

func DeleteAuthTokensByUserID(ctx context.Context, uid int64) error

func DeleteCredential 

func DeleteCredential(ctx context.Context, id, userID int64) (bool, error)

DeleteCredential will delete WebAuthnCredential

func DeleteExpiredAuthTokens added in v1.22.0 

func DeleteExpiredAuthTokens(ctx context.Context) error

func DeleteOAuth2Application 

func DeleteOAuth2Application(ctx context.Context, id, userid int64) error

DeleteOAuth2Application deletes the application with the given id and the grants and auth codes related to it. It checks if the userid was the creator of the app.

func DeleteOAuth2RelictsByUserID added in v1.17.0 

func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error

func DeleteTwoFactorByID 

func DeleteTwoFactorByID(ctx context.Context, id, userID int64) error

DeleteTwoFactorByID deletes two-factor authentication token by given ID.

func DestroySession 

func DestroySession(ctx context.Context, key string) error

DestroySession destroys a session

func ExistSession 

func ExistSession(ctx context.Context, key string) (bool, error)

ExistSession checks if a session exists

func ExistsWebAuthnCredentialsForUID 

func ExistsWebAuthnCredentialsForUID(ctx context.Context, uid int64) (bool, error)

ExistsWebAuthnCredentialsForUID returns if the given user has credentials

func GetAccessTokenCategories added in v1.24.0 

func GetAccessTokenCategories() (res []string)

func HasTwoFactorByUID 

func HasTwoFactorByUID(ctx context.Context, uid int64) (bool, error)

HasTwoFactorByUID returns the two-factor authentication token associated with the user, if any.

func HasTwoFactorOrWebAuthn added in v1.24.0 

func HasTwoFactorOrWebAuthn(ctx context.Context, id int64) (bool, error)

func HasWebAuthnRegistrationsByUID 

func HasWebAuthnRegistrationsByUID(ctx context.Context, uid int64) (bool, error)

HasWebAuthnRegistrationsByUID returns whether a given user has WebAuthn registrations

func HashToken 

func HashToken(token, salt string) string

HashToken return the hashable salt

func Init added in v1.21.0 

func Init(ctx context.Context) error

func InsertAuthToken added in v1.22.0 

func InsertAuthToken(ctx context.Context, t *AuthToken) error

func IsErrAccessTokenEmpty added in v1.17.4 

func IsErrAccessTokenEmpty(err error) bool

IsErrAccessTokenEmpty checks if an error is a ErrAccessTokenEmpty.

func IsErrAccessTokenNotExist added in v1.17.4 

func IsErrAccessTokenNotExist(err error) bool

IsErrAccessTokenNotExist checks if an error is a ErrAccessTokenNotExist.

func IsErrOAuthApplicationNotFound 

func IsErrOAuthApplicationNotFound(err error) bool

IsErrOAuthApplicationNotFound checks if an error is a ErrReviewNotExist.

func IsErrOauthClientIDInvalid 

func IsErrOauthClientIDInvalid(err error) bool

IsErrOauthClientIDInvalid checks if an error is a ErrOAuthClientIDInvalid.

func IsErrSourceAlreadyExist 

func IsErrSourceAlreadyExist(err error) bool

IsErrSourceAlreadyExist checks if an error is a ErrSourceAlreadyExist.

func IsErrSourceInUse 

func IsErrSourceInUse(err error) bool

IsErrSourceInUse checks if an error is a ErrSourceInUse.

func IsErrSourceNotExist 

func IsErrSourceNotExist(err error) bool

IsErrSourceNotExist checks if an error is a ErrSourceNotExist.

func IsErrTwoFactorNotEnrolled 

func IsErrTwoFactorNotEnrolled(err error) bool

IsErrTwoFactorNotEnrolled checks if an error is a ErrTwoFactorNotEnrolled.

func IsErrWebAuthnCredentialNotExist 

func IsErrWebAuthnCredentialNotExist(err error) bool

IsErrWebAuthnCredentialNotExist checks if an error is a ErrWebAuthnCredentialNotExist.

func IsSSPIEnabled 

func IsSSPIEnabled(ctx context.Context) bool

IsSSPIEnabled returns true if there is at least one activated login source of type LoginSSPI

func NewAccessToken added in v1.17.4 

func NewAccessToken(ctx context.Context, t *AccessToken) error

NewAccessToken creates new access token.

func NewTwoFactor 

func NewTwoFactor(ctx context.Context, t *TwoFactor) error

NewTwoFactor creates a new two-factor authentication token.

func RegisterTypeConfig 

func RegisterTypeConfig(typ Type, exemplar Config)

RegisterTypeConfig register a config for a provided type

func RevokeOAuth2Grant 

func RevokeOAuth2Grant(ctx context.Context, grantID, userID int64) error

RevokeOAuth2Grant deletes the grant with grantID and userID

func UpdateAccessToken added in v1.17.4 

func UpdateAccessToken(ctx context.Context, t *AccessToken) error

UpdateAccessToken updates information of access token.

func UpdateAuthTokenByID added in v1.22.0 

func UpdateAuthTokenByID(ctx context.Context, t *AuthToken) error

func UpdateSession 

func UpdateSession(ctx context.Context, key string, data []byte) error

UpdateSession updates the session with provided id

func UpdateSource 

func UpdateSource(ctx context.Context, source *Source) error

UpdateSource updates a Source record in DB.

func UpdateTwoFactor 

func UpdateTwoFactor(ctx context.Context, t *TwoFactor) error

UpdateTwoFactor updates a two-factor authentication token.

func WebAuthnCredentials 

func WebAuthnCredentials(ctx context.Context, userID int64) ([]webauthn.Credential, error)

WebAuthnCredentials implements the webauthn.User interface

Types

type AccessToken added in v1.17.4 

type AccessToken struct {
	ID             int64 `xorm:"pk autoincr"`
	UID            int64 `xorm:"INDEX"`
	Name           string
	Token          string `xorm:"-"`
	TokenHash      string `xorm:"UNIQUE"` // sha256 of token
	TokenSalt      string
	TokenLastEight string `xorm:"INDEX token_last_eight"`
	Scope          AccessTokenScope

	CreatedUnix       timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix       timeutil.TimeStamp `xorm:"INDEX updated"`
	HasRecentActivity bool               `xorm:"-"`
	HasUsed           bool               `xorm:"-"`
}

AccessToken represents a personal access token.

func GetAccessTokenBySHA added in v1.17.4 

func GetAccessTokenBySHA(ctx context.Context, token string) (*AccessToken, error)

GetAccessTokenBySHA returns access token by given token value

func (*AccessToken) AfterLoad added in v1.17.4 

func (t *AccessToken) AfterLoad()

AfterLoad is invoked from XORM after setting the values of all fields of this object.

func (*AccessToken) DisplayPublicOnly added in v1.20.0 

func (t *AccessToken) DisplayPublicOnly() bool

DisplayPublicOnly whether to display this as a public-only token.

type AccessTokenScope added in v1.19.0 

type AccessTokenScope string

AccessTokenScope represents the scope for an access token. 

const (
	AccessTokenScopeAll        AccessTokenScope = "all"
	AccessTokenScopePublicOnly AccessTokenScope = "public-only" // limited to public orgs/repos

	AccessTokenScopeReadActivityPub  AccessTokenScope = "read:activitypub"
	AccessTokenScopeWriteActivityPub AccessTokenScope = "write:activitypub"

	AccessTokenScopeReadAdmin  AccessTokenScope = "read:admin"
	AccessTokenScopeWriteAdmin AccessTokenScope = "write:admin"

	AccessTokenScopeReadMisc  AccessTokenScope = "read:misc"
	AccessTokenScopeWriteMisc AccessTokenScope = "write:misc"

	AccessTokenScopeReadNotification  AccessTokenScope = "read:notification"
	AccessTokenScopeWriteNotification AccessTokenScope = "write:notification"

	AccessTokenScopeReadOrganization  AccessTokenScope = "read:organization"
	AccessTokenScopeWriteOrganization AccessTokenScope = "write:organization"

	AccessTokenScopeReadPackage  AccessTokenScope = "read:package"
	AccessTokenScopeWritePackage AccessTokenScope = "write:package"

	AccessTokenScopeReadIssue  AccessTokenScope = "read:issue"
	AccessTokenScopeWriteIssue AccessTokenScope = "write:issue"

	AccessTokenScopeReadRepository  AccessTokenScope = "read:repository"
	AccessTokenScopeWriteRepository AccessTokenScope = "write:repository"

	AccessTokenScopeReadUser  AccessTokenScope = "read:user"
	AccessTokenScopeWriteUser AccessTokenScope = "write:user"
)

for all categories, write implies read

func GetRequiredScopes added in v1.20.0 

func GetRequiredScopes(level AccessTokenScopeLevel, scopeCategories ...AccessTokenScopeCategory) []AccessTokenScope

GetRequiredScopes gets the specific scopes for a given level and categories

func (AccessTokenScope) HasAnyScope added in v1.22.2 

func (s AccessTokenScope) HasAnyScope(scopes ...AccessTokenScope) (bool, error)

HasAnyScope returns true if any of the scopes is contained in the string

func (AccessTokenScope) HasPermissionScope added in v1.23.7 

func (s AccessTokenScope) HasPermissionScope() bool

func (AccessTokenScope) HasScope added in v1.19.0 

func (s AccessTokenScope) HasScope(scopes ...AccessTokenScope) (bool, error)

HasScope returns true if the string has the given scope

func (AccessTokenScope) Normalize added in v1.19.0 

func (s AccessTokenScope) Normalize() (AccessTokenScope, error)

Normalize returns a normalized scope string without any duplicates.

func (AccessTokenScope) PublicOnly added in v1.20.0 

func (s AccessTokenScope) PublicOnly() (bool, error)

PublicOnly checks if this token scope is limited to public resources

func (AccessTokenScope) StringSlice added in v1.19.0 

func (s AccessTokenScope) StringSlice() []string

StringSlice returns the AccessTokenScope as a []string

type AccessTokenScopeCategory added in v1.20.0 

type AccessTokenScopeCategory int

AccessTokenScopeCategory represents the scope category for an access token 

const (
	AccessTokenScopeCategoryActivityPub AccessTokenScopeCategory = iota
	AccessTokenScopeCategoryAdmin
	AccessTokenScopeCategoryMisc // WARN: this is now just a placeholder, don't remove it which will change the following values
	AccessTokenScopeCategoryNotification
	AccessTokenScopeCategoryOrganization
	AccessTokenScopeCategoryPackage
	AccessTokenScopeCategoryIssue
	AccessTokenScopeCategoryRepository
	AccessTokenScopeCategoryUser
)

type AccessTokenScopeLevel added in v1.20.0 

type AccessTokenScopeLevel int

AccessTokenScopeLevel represents the access levels without a given scope category 

const (
	NoAccess AccessTokenScopeLevel = iota
	Read
	Write
)

func GetScopeLevelFromAccessMode added in v1.20.0 

func GetScopeLevelFromAccessMode(mode perm.AccessMode) AccessTokenScopeLevel

GetScopeLevelFromAccessMode converts permission access mode to scope level

type AuthToken added in v1.22.0 

type AuthToken struct {
	ID          string `xorm:"pk"`
	TokenHash   string
	UserID      int64              `xorm:"INDEX"`
	ExpiresUnix timeutil.TimeStamp `xorm:"INDEX"`
}

func GetAuthTokenByID added in v1.22.0 

func GetAuthTokenByID(ctx context.Context, id string) (*AuthToken, error)

type BuiltinOAuth2Application added in v1.21.0 

type BuiltinOAuth2Application struct {
	ConfigName   string
	DisplayName  string
	RedirectURIs []string
}

type Config 

type Config interface {
	convert.Conversion
	SetAuthSource(*Source)
}

Config represents login config as far as the db is concerned

type ConfigBase added in v1.24.0 

type ConfigBase struct {
	AuthSource *Source
}

func (*ConfigBase) SetAuthSource added in v1.24.0 

func (p *ConfigBase) SetAuthSource(s *Source)

type CreateOAuth2ApplicationOptions 

type CreateOAuth2ApplicationOptions struct {
	Name                       string
	UserID                     int64
	ConfidentialClient         bool
	SkipSecondaryAuthorization bool
	RedirectURIs               []string
}

CreateOAuth2ApplicationOptions holds options to create an oauth2 application

type ErrAccessTokenEmpty added in v1.17.4 

type ErrAccessTokenEmpty struct{}

ErrAccessTokenEmpty represents a "AccessTokenEmpty" kind of error.

func (ErrAccessTokenEmpty) Error added in v1.17.4 

func (err ErrAccessTokenEmpty) Error() string

func (ErrAccessTokenEmpty) Unwrap added in v1.17.4 

func (err ErrAccessTokenEmpty) Unwrap() error

type ErrAccessTokenNotExist added in v1.17.4 

type ErrAccessTokenNotExist struct {
	Token string
}

ErrAccessTokenNotExist represents a "AccessTokenNotExist" kind of error.

func (ErrAccessTokenNotExist) Error added in v1.17.4 

func (err ErrAccessTokenNotExist) Error() string

func (ErrAccessTokenNotExist) Unwrap added in v1.17.4 

func (err ErrAccessTokenNotExist) Unwrap() error

type ErrOAuthApplicationNotFound 

type ErrOAuthApplicationNotFound struct {
	ID int64
}

ErrOAuthApplicationNotFound will be thrown if id cannot be found

func (ErrOAuthApplicationNotFound) Error 

func (err ErrOAuthApplicationNotFound) Error() string

Error returns the error message

func (ErrOAuthApplicationNotFound) Unwrap added in v1.17.4 

func (err ErrOAuthApplicationNotFound) Unwrap() error

Unwrap unwraps this as a ErrNotExist err

type ErrOAuthClientIDInvalid 

type ErrOAuthClientIDInvalid struct {
	ClientID string
}

ErrOAuthClientIDInvalid will be thrown if client id cannot be found

func (ErrOAuthClientIDInvalid) Error 

func (err ErrOAuthClientIDInvalid) Error() string

Error returns the error message

func (ErrOAuthClientIDInvalid) Unwrap added in v1.17.4 

func (err ErrOAuthClientIDInvalid) Unwrap() error

Unwrap unwraps this as a ErrNotExist err

type ErrSourceAlreadyExist 

type ErrSourceAlreadyExist struct {
	Name string
}

ErrSourceAlreadyExist represents a "SourceAlreadyExist" kind of error.

func (ErrSourceAlreadyExist) Error 

func (err ErrSourceAlreadyExist) Error() string

func (ErrSourceAlreadyExist) Unwrap added in v1.17.4 

func (err ErrSourceAlreadyExist) Unwrap() error

Unwrap unwraps this as a ErrExist err

type ErrSourceInUse 

type ErrSourceInUse struct {
	ID int64
}

ErrSourceInUse represents a "SourceInUse" kind of error.

func (ErrSourceInUse) Error 

func (err ErrSourceInUse) Error() string

type ErrSourceNotExist 

type ErrSourceNotExist struct {
	ID int64
}

ErrSourceNotExist represents a "SourceNotExist" kind of error.

func (ErrSourceNotExist) Error 

func (err ErrSourceNotExist) Error() string

func (ErrSourceNotExist) Unwrap added in v1.17.4 

func (err ErrSourceNotExist) Unwrap() error

Unwrap unwraps this as a ErrNotExist err

type ErrTwoFactorNotEnrolled 

type ErrTwoFactorNotEnrolled struct {
	UID int64
}

ErrTwoFactorNotEnrolled indicates that a user is not enrolled in two-factor authentication.

func (ErrTwoFactorNotEnrolled) Error 

func (err ErrTwoFactorNotEnrolled) Error() string

func (ErrTwoFactorNotEnrolled) Unwrap added in v1.17.4 

func (err ErrTwoFactorNotEnrolled) Unwrap() error

Unwrap unwraps this as a ErrNotExist err

type ErrWebAuthnCredentialNotExist 

type ErrWebAuthnCredentialNotExist struct {
	ID           int64
	CredentialID []byte
}

ErrWebAuthnCredentialNotExist represents a "ErrWebAuthnCRedentialNotExist" kind of error.

func (ErrWebAuthnCredentialNotExist) Error 

func (err ErrWebAuthnCredentialNotExist) Error() string

func (ErrWebAuthnCredentialNotExist) Unwrap added in v1.17.4 

func (err ErrWebAuthnCredentialNotExist) Unwrap() error

Unwrap unwraps this as a ErrNotExist err

type FindOAuth2ApplicationsOptions added in v1.22.0 

type FindOAuth2ApplicationsOptions struct {
	db.ListOptions
	// OwnerID is the user id or org id of the owner of the application
	OwnerID int64
	// find global applications, if true, then OwnerID will be igonred
	IsGlobal bool
}

func (FindOAuth2ApplicationsOptions) ToConds added in v1.22.0 

func (opts FindOAuth2ApplicationsOptions) ToConds() builder.Cond

func (FindOAuth2ApplicationsOptions) ToOrders added in v1.22.0 

func (opts FindOAuth2ApplicationsOptions) ToOrders() string

type FindSourcesOptions added in v1.22.0 

type FindSourcesOptions struct {
	db.ListOptions
	IsActive  optional.Option[bool]
	LoginType Type
}

func (FindSourcesOptions) ToConds added in v1.22.0 

func (opts FindSourcesOptions) ToConds() builder.Cond

type HasTLSer 

type HasTLSer interface {
	HasTLS() bool
}

HasTLSer configurations provide a HasTLS to check if TLS can be enabled

type ListAccessTokensOptions added in v1.17.4 

type ListAccessTokensOptions struct {
	db.ListOptions
	Name   string
	UserID int64
}

ListAccessTokensOptions contain filter options

func (ListAccessTokensOptions) ToConds added in v1.22.0 

func (opts ListAccessTokensOptions) ToConds() builder.Cond

func (ListAccessTokensOptions) ToOrders added in v1.22.0 

func (opts ListAccessTokensOptions) ToOrders() string

type OAuth2Application 

type OAuth2Application struct {
	ID           int64 `xorm:"pk autoincr"`
	UID          int64 `xorm:"INDEX"`
	Name         string
	ClientID     string `xorm:"unique"`
	ClientSecret string
	// OAuth defines both Confidential and Public client types
	// https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
	// "Authorization servers MUST record the client type in the client registration details"
	// https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
	ConfidentialClient         bool               `xorm:"NOT NULL DEFAULT TRUE"`
	SkipSecondaryAuthorization bool               `xorm:"NOT NULL DEFAULT FALSE"`
	RedirectURIs               []string           `xorm:"redirect_uris JSON TEXT"`
	CreatedUnix                timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix                timeutil.TimeStamp `xorm:"INDEX updated"`
}

OAuth2Application represents an OAuth2 client (RFC 6749)

func CreateOAuth2Application 

func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOptions) (*OAuth2Application, error)

CreateOAuth2Application inserts a new oauth2 application

func GetOAuth2ApplicationByClientID 

func GetOAuth2ApplicationByClientID(ctx context.Context, clientID string) (app *OAuth2Application, err error)

GetOAuth2ApplicationByClientID returns the oauth2 application with the given client_id. Returns an error if not found.

func GetOAuth2ApplicationByID 

func GetOAuth2ApplicationByID(ctx context.Context, id int64) (app *OAuth2Application, err error)

GetOAuth2ApplicationByID returns the oauth2 application with the given id. Returns an error if not found.

func UpdateOAuth2Application 

func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOptions) (*OAuth2Application, error)

UpdateOAuth2Application updates an oauth2 application

func (*OAuth2Application) ContainsRedirectURI 

func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool

ContainsRedirectURI checks if redirectURI is allowed for app

func (*OAuth2Application) CreateGrant 

func (app *OAuth2Application) CreateGrant(ctx context.Context, userID int64, scope string) (*OAuth2Grant, error)

CreateGrant generates a grant for an user

func (*OAuth2Application) GenerateClientSecret 

func (app *OAuth2Application) GenerateClientSecret(ctx context.Context) (string, error)

GenerateClientSecret will generate the client secret and returns the plaintext and saves the hash at the database

func (*OAuth2Application) GetGrantByUserID 

func (app *OAuth2Application) GetGrantByUserID(ctx context.Context, userID int64) (grant *OAuth2Grant, err error)

GetGrantByUserID returns a OAuth2Grant by its user and application ID

func (*OAuth2Application) TableName 

func (app *OAuth2Application) TableName() string

TableName sets the table name to `oauth2_application`

func (*OAuth2Application) ValidateClientSecret 

func (app *OAuth2Application) ValidateClientSecret(secret []byte) bool

ValidateClientSecret validates the given secret by the hash saved in database

type OAuth2AuthorizationCode 

type OAuth2AuthorizationCode struct {
	ID                  int64        `xorm:"pk autoincr"`
	Grant               *OAuth2Grant `xorm:"-"`
	GrantID             int64
	Code                string `xorm:"INDEX unique"`
	CodeChallenge       string
	CodeChallengeMethod string
	RedirectURI         string
	ValidUntil          timeutil.TimeStamp `xorm:"index"`
}

OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.

func GetOAuth2AuthorizationByCode 

func GetOAuth2AuthorizationByCode(ctx context.Context, code string) (auth *OAuth2AuthorizationCode, err error)

GetOAuth2AuthorizationByCode returns an authorization by its code

func (*OAuth2AuthorizationCode) GenerateRedirectURI 

func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL, error)

GenerateRedirectURI generates a redirect URI for a successful authorization request. State will be used if not empty.

func (*OAuth2AuthorizationCode) Invalidate 

func (code *OAuth2AuthorizationCode) Invalidate(ctx context.Context) error

Invalidate deletes the auth code from the database to invalidate this code

func (*OAuth2AuthorizationCode) IsExpired added in v1.25.5 

func (code *OAuth2AuthorizationCode) IsExpired() bool

IsExpired reports whether the authorization code is expired.

func (*OAuth2AuthorizationCode) TableName 

func (code *OAuth2AuthorizationCode) TableName() string

TableName sets the table name to `oauth2_authorization_code`

func (*OAuth2AuthorizationCode) ValidateCodeChallenge 

func (code *OAuth2AuthorizationCode) ValidateCodeChallenge(verifier string) bool

ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE implementation.

type OAuth2Grant 

type OAuth2Grant struct {
	ID            int64              `xorm:"pk autoincr"`
	UserID        int64              `xorm:"INDEX unique(user_application)"`
	Application   *OAuth2Application `xorm:"-"`
	ApplicationID int64              `xorm:"INDEX unique(user_application)"`
	Counter       int64              `xorm:"NOT NULL DEFAULT 1"`
	Scope         string             `xorm:"TEXT"`
	Nonce         string             `xorm:"TEXT"`
	CreatedUnix   timeutil.TimeStamp `xorm:"created"`
	UpdatedUnix   timeutil.TimeStamp `xorm:"updated"`
}

OAuth2Grant represents the permission of an user for a specific application to access resources

func GetOAuth2GrantByID 

func GetOAuth2GrantByID(ctx context.Context, id int64) (grant *OAuth2Grant, err error)

GetOAuth2GrantByID returns the grant with the given ID

func GetOAuth2GrantsByUserID 

func GetOAuth2GrantsByUserID(ctx context.Context, uid int64) ([]*OAuth2Grant, error)

GetOAuth2GrantsByUserID lists all grants of a certain user

func (*OAuth2Grant) GenerateNewAuthorizationCode 

func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redirectURI, codeChallenge, codeChallengeMethod string) (code *OAuth2AuthorizationCode, err error)

GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database

func (*OAuth2Grant) IncreaseCounter 

func (grant *OAuth2Grant) IncreaseCounter(ctx context.Context) error

IncreaseCounter increases the counter and updates the grant

func (*OAuth2Grant) ScopeContains 

func (grant *OAuth2Grant) ScopeContains(scope string) bool

ScopeContains returns true if the grant scope contains the specified scope

func (*OAuth2Grant) SetNonce 

func (grant *OAuth2Grant) SetNonce(ctx context.Context, nonce string) error

SetNonce updates the current nonce value of a grant

func (*OAuth2Grant) TableName 

func (grant *OAuth2Grant) TableName() string

TableName sets the table name to `oauth2_grant`

type RegisterableSource 

type RegisterableSource interface {
	RegisterSource() error
	UnregisterSource() error
}

RegisterableSource configurations provide RegisterSource which needs to be run on creation

type SSHKeyProvider 

type SSHKeyProvider interface {
	ProvidesSSHKeys() bool
}

SSHKeyProvider configurations provide ProvidesSSHKeys to check if they provide SSHKeys

type Session 

type Session struct {
	Key    string             `xorm:"pk CHAR(16)"` // has to be Key to match with go-chi/session
	Data   []byte             `xorm:"BLOB"`        // on MySQL this has a maximum size of 64Kb - this may need to be increased
	Expiry timeutil.TimeStamp // has to be Expiry to match with go-chi/session
}

Session represents a session compatible for go-chi session

func ReadSession 

func ReadSession(ctx context.Context, key string) (*Session, error)

ReadSession reads the data for the provided session

func RegenerateSession 

func RegenerateSession(ctx context.Context, oldKey, newKey string) (*Session, error)

RegenerateSession regenerates a session from the old id

type SkipVerifiable 

type SkipVerifiable interface {
	IsSkipVerify() bool
}

SkipVerifiable configurations provide a IsSkipVerify to check if SkipVerify is set

type Source 

type Source struct {
	ID              int64 `xorm:"pk autoincr"`
	Type            Type
	Name            string `xorm:"UNIQUE"` // it can be the OIDC's provider name, see services/auth/source/oauth2/source_register.go: RegisterSource
	IsActive        bool   `xorm:"INDEX NOT NULL DEFAULT false"`
	IsSyncEnabled   bool   `xorm:"INDEX NOT NULL DEFAULT false"`
	TwoFactorPolicy string `xorm:"two_factor_policy NOT NULL DEFAULT ''"`
	Cfg             Config `xorm:"TEXT"`

	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
}

Source represents an external way for authorizing users.

func GetActiveOAuth2SourceByAuthName added in v1.25.0 

func GetActiveOAuth2SourceByAuthName(ctx context.Context, name string) (*Source, error)

GetActiveOAuth2SourceByAuthName returns a OAuth2 AuthSource based on the given name

func GetSourceByID 

func GetSourceByID(ctx context.Context, id int64) (*Source, error)

GetSourceByID returns login source by given ID.

func (*Source) BeforeSet 

func (source *Source) BeforeSet(colName string, val xorm.Cell)

BeforeSet is invoked from XORM before setting the value of a field of this object.

func (*Source) HasTLS 

func (source *Source) HasTLS() bool

HasTLS returns true of this source supports TLS.

func (*Source) IsDLDAP 

func (source *Source) IsDLDAP() bool

IsDLDAP returns true of this source is of the DLDAP type.

func (*Source) IsLDAP 

func (source *Source) IsLDAP() bool

IsLDAP returns true of this source is of the LDAP type.

func (*Source) IsOAuth2 

func (source *Source) IsOAuth2() bool

IsOAuth2 returns true of this source is of the OAuth2 type.

func (*Source) IsPAM 

func (source *Source) IsPAM() bool

IsPAM returns true of this source is of the PAM type.

func (*Source) IsSMTP 

func (source *Source) IsSMTP() bool

IsSMTP returns true of this source is of the SMTP type.

func (*Source) IsSSPI 

func (source *Source) IsSSPI() bool

IsSSPI returns true of this source is of the SSPI type.

func (*Source) SkipVerify 

func (source *Source) SkipVerify() bool

SkipVerify returns true if this source is configured to skip SSL verification.

func (Source) TableName 

func (Source) TableName() string

TableName xorm will read the table name from this method

func (*Source) TwoFactorShouldSkip added in v1.24.0 

func (source *Source) TwoFactorShouldSkip() bool

func (*Source) TypeName 

func (source *Source) TypeName() string

TypeName return name of this login source type.

func (*Source) UseTLS 

func (source *Source) UseTLS() bool

UseTLS returns true of this source is configured to use TLS.

type TwoFactor 

type TwoFactor struct {
	ID               int64 `xorm:"pk autoincr"`
	UID              int64 `xorm:"UNIQUE"`
	Secret           string
	ScratchSalt      string
	ScratchHash      string
	LastUsedPasscode string             `xorm:"VARCHAR(10)"`
	CreatedUnix      timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix      timeutil.TimeStamp `xorm:"INDEX updated"`
}

TwoFactor represents a two-factor authentication token.

func GetTwoFactorByUID 

func GetTwoFactorByUID(ctx context.Context, uid int64) (*TwoFactor, error)

GetTwoFactorByUID returns the two-factor authentication token associated with the user, if any.

func (*TwoFactor) GenerateScratchToken 

func (t *TwoFactor) GenerateScratchToken() (string, error)

GenerateScratchToken recreates the scratch token the user is using.

func (*TwoFactor) SetSecret 

func (t *TwoFactor) SetSecret(secretString string) error

SetSecret sets the 2FA secret.

func (*TwoFactor) ValidateAndConsumeTOTP added in v1.26.3 

func (t *TwoFactor) ValidateAndConsumeTOTP(ctx context.Context, passcode string) (bool, error)

ValidateAndConsumeTOTP validates the passcode and atomically records it as used so that the same passcode cannot be redeemed more than once (RFC 6238 §5.2). It returns false for an invalid passcode as well as for a replay, including the case where a concurrent request with the same passcode won the race first. All TOTP login surfaces must go through this helper.

func (*TwoFactor) VerifyScratchToken 

func (t *TwoFactor) VerifyScratchToken(token string) bool

VerifyScratchToken verifies if the specified scratch token is valid.

type Type 

type Type int

Type represents an login type. 

const (
	NoType Type = iota
	Plain       // 1
	LDAP        // 2
	SMTP        // 3
	PAM         // 4
	DLDAP       // 5
	OAuth2      // 6
	SSPI        // 7
)

Note: new type must append to the end of list to maintain compatibility.

func (Type) Int 

func (typ Type) Int() int

Int returns the int value of the LoginType

func (Type) String 

func (typ Type) String() string

String returns the string name of the LoginType

type UpdateOAuth2ApplicationOptions 

type UpdateOAuth2ApplicationOptions struct {
	ID                         int64
	Name                       string
	UserID                     int64
	ConfidentialClient         bool
	SkipSecondaryAuthorization bool
	RedirectURIs               []string
}

UpdateOAuth2ApplicationOptions holds options to update an oauth2 application

type UseTLSer 

type UseTLSer interface {
	UseTLS() bool
}

UseTLSer configurations provide a HasTLS to check if TLS is enabled

type WebAuthnCredential 

type WebAuthnCredential struct {
	ID              int64 `xorm:"pk autoincr"`
	Name            string
	LowerName       string `xorm:"unique(s)"`
	UserID          int64  `xorm:"INDEX unique(s)"`
	CredentialID    []byte `xorm:"INDEX VARBINARY(1024)"`
	PublicKey       []byte
	AttestationType string
	AAGUID          []byte
	SignCount       uint32 `xorm:"BIGINT"`
	CloneWarning    bool
	CreatedUnix     timeutil.TimeStamp `xorm:"INDEX created"`
	UpdatedUnix     timeutil.TimeStamp `xorm:"INDEX updated"`
}

WebAuthnCredential represents the WebAuthn credential data for a public-key credential conformant to WebAuthn Level 1

func CreateCredential 

func CreateCredential(ctx context.Context, userID int64, name string, cred *webauthn.Credential) (*WebAuthnCredential, error)

CreateCredential will create a new WebAuthnCredential from the given Credential

func GetWebAuthnCredentialByCredID 

func GetWebAuthnCredentialByCredID(ctx context.Context, userID int64, credID []byte) (*WebAuthnCredential, error)

GetWebAuthnCredentialByCredID returns WebAuthn credential by credential ID

func GetWebAuthnCredentialByID 

func GetWebAuthnCredentialByID(ctx context.Context, id int64) (*WebAuthnCredential, error)

GetWebAuthnCredentialByID returns WebAuthn credential by id

func GetWebAuthnCredentialByName 

func GetWebAuthnCredentialByName(ctx context.Context, uid int64, name string) (*WebAuthnCredential, error)

GetWebAuthnCredentialByName returns WebAuthn credential by id

func (*WebAuthnCredential) AfterLoad 

func (cred *WebAuthnCredential) AfterLoad()

AfterLoad is invoked from XORM after setting the values of all fields of this object.

func (*WebAuthnCredential) BeforeInsert 

func (cred *WebAuthnCredential) BeforeInsert()

BeforeInsert will be invoked by XORM before updating a record

func (*WebAuthnCredential) BeforeUpdate 

func (cred *WebAuthnCredential) BeforeUpdate()

BeforeUpdate will be invoked by XORM before updating a record

func (WebAuthnCredential) TableName 

func (cred WebAuthnCredential) TableName() string

TableName returns a better table name for WebAuthnCredential

func (*WebAuthnCredential) UpdateSignCount 

func (cred *WebAuthnCredential) UpdateSignCount(ctx context.Context) error

UpdateSignCount will update the database value of SignCount

type WebAuthnCredentialList 

type WebAuthnCredentialList []*WebAuthnCredential

WebAuthnCredentialList is a list of *WebAuthnCredential

func GetWebAuthnCredentialsByUID 

func GetWebAuthnCredentialsByUID(ctx context.Context, uid int64) (WebAuthnCredentialList, error)

GetWebAuthnCredentialsByUID returns all WebAuthn credentials of the given user

func (WebAuthnCredentialList) ToCredentials 

func (list WebAuthnCredentialList) ToCredentials(defaultAuthFlags ...protocol.AuthenticatorFlags) []webauthn.Credential

ToCredentials will convert all WebAuthnCredentials to webauthn.Credentials

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.