Documentation ¶
Overview ¶
Package auth implements JWT authentication and API key management for Engram Cloud.
It handles user registration, login, token generation/validation, and API key creation with bcrypt password hashing and HMAC-SHA256 JWTs.
Index ¶
- Variables
- func GenerateAPIKey() (plainKey, hash string, err error)
- func ValidateAPIKey(store *cloudstore.CloudStore, key string) (*cloudstore.CloudUser, error)
- type AuthResult
- type Claims
- type Service
- func NewService(store *cloudstore.CloudStore, jwtSecret string) (*Service, error)
- func (s *Service) GenerateTokenPair(userID, username string) (accessToken, refreshToken string, err error)
- func (s *Service) Login(identifier, password string) (*AuthResult, error)
- func (s *Service) RefreshAccessToken(refreshTokenStr string) (newAccessToken string, err error)
- func (s *Service) Register(username, email, password string) (*AuthResult, error)
- func (s *Service) ValidateAccessToken(tokenStr string) (*Claims, error)
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrInvalidCredentials is returned for failed login attempts. The message
	// is deliberately generic to avoid leaking whether the username exists.
	ErrInvalidCredentials = errors.New("invalid credentials")
	// ErrWeakPassword is returned when a password is shorter than 8 characters.
	ErrWeakPassword = errors.New("password must be at least 8 characters")
	// ErrSecretTooShort is returned when the JWT secret is shorter than 32 bytes.
	ErrSecretTooShort = errors.New("jwt secret must be at least 32 bytes")
	// ErrInvalidToken is returned for any token validation failure.
	ErrInvalidToken = errors.New("invalid token")
	// ErrTokenExpired is returned when a token has expired.
	ErrTokenExpired = errors.New("token has expired")
	// ErrWrongTokenType is returned when a token's type claim doesn't match expectations.
	ErrWrongTokenType = errors.New("wrong token type")
)
Functions ¶
func GenerateAPIKey ¶
func GenerateAPIKey() (plainKey, hash string, err error)
GenerateAPIKey creates a new API key with the eng_ prefix and returns both the plain key (for display to the user) and its SHA-256 hash (for storage). Uses crypto/rand for cryptographically secure random bytes.
func ValidateAPIKey ¶
func ValidateAPIKey(store *cloudstore.CloudStore, key string) (*cloudstore.CloudUser, error)
ValidateAPIKey validates an API key by hashing it with SHA-256 and looking up the user by api_key_hash in the store.
Types ¶
type AuthResult ¶
type AuthResult struct {
UserID string `json:"user_id"`
Username string `json:"username"`
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
ExpiresIn int `json:"expires_in"` // seconds until access token expires
}
AuthResult is returned by Register and Login on success.
type Claims ¶
type Claims struct {
UserID string `json:"user_id"`
Username string `json:"username"`
Type string `json:"type"` // "access" or "refresh"
jwt.RegisteredClaims
}
Claims represents the custom JWT claims for Engram Cloud tokens.
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
Service handles JWT authentication and user registration/login for Engram Cloud.
func NewService ¶
func NewService(store *cloudstore.CloudStore, jwtSecret string) (*Service, error)
NewService creates a new auth Service. The jwtSecret MUST be at least 32 bytes.
func (*Service) GenerateTokenPair ¶
func (s *Service) GenerateTokenPair(userID, username string) (accessToken, refreshToken string, err error)
GenerateTokenPair creates an access token (1h) and refresh token (7d) for the given user. Both are signed with HMAC-SHA256.
func (*Service) Login ¶
func (s *Service) Login(identifier, password string) (*AuthResult, error)
Login authenticates a user by username or email and password, returning JWT tokens. On any failure (wrong password, nonexistent user), it returns ErrInvalidCredentials with no information about which part failed. Uses bcrypt.CompareHashAndPassword, which is inherently constant-time.
func (*Service) RefreshAccessToken ¶
func (s *Service) RefreshAccessToken(refreshTokenStr string) (newAccessToken string, err error)
RefreshAccessToken validates a refresh token and issues a new access token. It verifies that the token type is "refresh", then generates a fresh access token for the same user.
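As an added example (not this package's code), the HMAC-SHA256 signing and the type-claim check that GenerateTokenPair, ValidateAccessToken and RefreshAccessToken describe, written against the standard library alone so it runs without the jwt module. The names claims, hs256, sign and verify are assumptions, as is passing the current time as unix seconds; the secret is assumed to already satisfy NewService's 32-byte minimum.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var ErrInvalidToken = errors.New("invalid token")
var ErrTokenExpired = errors.New("token has expired")
var ErrWrongTokenType = errors.New("wrong token type")

// claims is an assumed stand-in for the package's Claims type; Type is "access" or "refresh".
type claims struct {
	UserID string `json:"user_id"`
	Type   string `json:"type"`
	Exp    int64  `json:"exp"` // unix seconds, as RegisteredClaims.ExpiresAt is serialised
}

// hs256 computes HMAC-SHA256 over the JWT signing input (header.payload).
func hs256(secret []byte, input string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// sign issues an HS256 JWT; the secret is assumed to meet NewService's 32-byte minimum.
func sign(secret []byte, c claims) string {
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + base64.RawURLEncoding.EncodeToString(hs256(secret, input))
}

// verify checks the MAC in constant time before the payload is parsed, then expiry, then
// the type claim, so a refresh token presented as an access token fails with ErrWrongTokenType.
func verify(secret []byte, tok, wantType string, now int64) (*claims, error) {
	hdr, rest, _ := strings.Cut(tok, ".")
	payload, sigB64, _ := strings.Cut(rest, ".")
	sig, sigErr := base64.RawURLEncoding.DecodeString(sigB64)
	body, bodyErr := base64.RawURLEncoding.DecodeString(payload)
	var c claims
	if sigErr != nil || bodyErr != nil || !hmac.Equal(sig, hs256(secret, hdr+"."+payload)) || json.Unmarshal(body, &c) != nil {
		return nil, ErrInvalidToken
	}
	if now >= c.Exp {
		return nil, ErrTokenExpired
	}
	if c.Type != wantType {
		return nil, ErrWrongTokenType
	}
	return &c, nil
}
```

Validating an access token is verify(secret, tok, "access", now); RefreshAccessToken's check is the same call with "refresh", after which a fresh "access" claim set is signed for c.UserID.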