Functions ¶
func ValidateAlgorithm ¶
func ValidateAlgorithm(alg JWTAlgorithm) error
ValidateAlgorithm enforces that the algorithm can be used for JWT signing
Types ¶
type Claims ¶
// Claims is the payload of a token issued by this plugin: the registered JWT
// claims (sub, iss, aud, exp, iat, nbf, jti) plus the plugin's own identity
// fields. All time fields are int64 NumericDates; the unit is not visible here
// (presumably seconds since the Unix epoch) — TODO confirm against the signer.
type Claims struct {
	UserID    string `json:"user_id"`
	SessionID string `json:"sid"`
	// Type is "access_token" or "refresh_token" (see the JWTTokenType
	// constants). NOTE(review): a verifier that accepts an access token must
	// also check this field, otherwise a refresh token — which has its own,
	// typically longer, TTL — could be presented where an access token is
	// expected; that check lives outside this type.
	Type string `json:"type"`
	Sub  string `json:"sub"` // subject
	Iss  string `json:"iss"` // issuer
	Aud  string `json:"aud"` // audience, single value (RFC 7519 also allows an array)
	Exp  int64  `json:"exp"` // expiry
	Iat  int64  `json:"iat"` // issued at
	// Nbf (not before) is dropped from the encoded claims when zero.
	Nbf int64  `json:"nbf,omitempty"`
	Jti string `json:"jti"` // unique token identifier
}
Claims represents standard JWT claims
type JWKS ¶
// JWKS represents a cryptographic key pair for signing and verification,
// persisted as one row of the "jwks" table.
type JWKS struct {
	bun.BaseModel `bun:"table:jwks"`

	ID        string `json:"id" bun:"column:id,pk"`
	PublicKey string `json:"public_key" bun:"column:public_key"`
	// PrivateKey is the signing half of the pair. It carries an ordinary json
	// tag, so json.Marshal of this struct (API responses, logs, caches) emits
	// the private key alongside the public one. NOTE(review): never serialize
	// a JWKS row to an untrusted consumer; a public-only view (or `json:"-"`
	// on this field) is the safer shape for anything that publishes keys.
	// Whether the value is encrypted at rest is not visible here — confirm.
	PrivateKey string `json:"private_key" bun:"column:private_key"`
	// ExpiresAt is a pointer and so may be nil; presumably nil means the key is
	// current and a value is set at rotation to bound how long the retired key
	// still verifies (see JWTPluginConfig.KeyRotationGracePeriod) — confirm.
	ExpiresAt *time.Time `json:"expires_at" bun:"column:expires_at"`
	CreatedAt time.Time  `json:"created_at" bun:"column:created_at,default:current_timestamp"`
}
JWKS represents a cryptographic key pair for signing and verification
type JWTAlgorithm ¶
// JWTAlgorithm names a JOSE algorithm by its lowercase canonical string.
// Obtain one from user- or config-supplied text via ParseAlgorithm, and run
// ValidateAlgorithm before using it for signing.
type JWTAlgorithm string

const (
	JWTAlgEdDSA JWTAlgorithm = "eddsa"
	JWTAlgRS256 JWTAlgorithm = "rs256"
	JWTAlgPS256 JWTAlgorithm = "ps256"
	JWTAlgES256 JWTAlgorithm = "es256"
	JWTAlgES512 JWTAlgorithm = "es512"
	// JWTAlgECDHES is a key-agreement (JWE) algorithm, not a signature
	// algorithm. JWTPluginConfig.Algorithm documents only the five signing
	// algorithms above, so ValidateAlgorithm is presumably what rejects this
	// value for signing — confirm that path is exercised for config input.
	JWTAlgECDHES JWTAlgorithm = "ecdh-es"
)
func ParseAlgorithm ¶
func ParseAlgorithm(s string) (JWTAlgorithm, error)
ParseAlgorithm parses a string into a JWTAlgorithm, accepting only canonical names (input is matched case-insensitively).
func (JWTAlgorithm) String ¶
func (a JWTAlgorithm) String() string
type JWTPluginConfig ¶
// JWTPluginConfig configures the JWKS-based JWT plugin. ApplyDefaults supplies
// the defaults noted on each field; NormalizeAlgorithm should run after
// decoding so legacy or unsupported Algorithm values are rejected up front.
type JWTPluginConfig struct {
	Enabled bool `json:"enabled" toml:"enabled"`
	// Algorithm selects the signing algorithm: EdDSA (default), RS256, PS256,
	// ES256 or ES512. It is decoded as a plain string, so it is only trusted
	// once NormalizeAlgorithm has accepted it.
	Algorithm JWTAlgorithm `json:"algorithm" toml:"algorithm"`
	// KeyRotationInterval is how often a fresh signing key is produced.
	// Default: 30 days.
	KeyRotationInterval time.Duration `json:"key_rotation_interval" toml:"key_rotation_interval"`
	// KeyRotationGracePeriod is how long the previous key stays valid for
	// verification after a rotation, so tokens signed just before the switch
	// still verify. Default: 1 hour.
	KeyRotationGracePeriod time.Duration `json:"key_rotation_grace_period" toml:"key_rotation_grace_period"`
	ExpiresIn              time.Duration `json:"expires_in" toml:"expires_in"`                 // Access token TTL
	RefreshExpiresIn       time.Duration `json:"refresh_expires_in" toml:"refresh_expires_in"` // Refresh token TTL
	// JWKSCacheTTL is how long a verifier may cache the key set. Default: 24
	// hours. NOTE(review): that is far longer than the 1-hour rotation grace
	// period, so a verifier that does not refetch on an unknown key ID would
	// reject newly signed tokens for most of a day after rotation — confirm
	// the verifier refetches on a cache miss.
	JWKSCacheTTL time.Duration `json:"jwks_cache_ttl" toml:"jwks_cache_ttl"`
	// RefreshGracePeriod is the window in which re-presenting an already used
	// refresh token is tolerated (presumably to absorb client retries); reuse
	// outside it is presumably what RefreshToken.LastReuseAttempt records.
	// Default: 10s.
	RefreshGracePeriod time.Duration `json:"refresh_grace_period" toml:"refresh_grace_period"`
}
JWTPluginConfig configures the JWKS-based JWT plugin
func (*JWTPluginConfig) ApplyDefaults ¶
func (c *JWTPluginConfig) ApplyDefaults()
ApplyDefaults applies sensible defaults to the JWT plugin config in place.
func (*JWTPluginConfig) NormalizeAlgorithm ¶
func (c *JWTPluginConfig) NormalizeAlgorithm() error
NormalizeAlgorithm normalizes and validates the algorithm string. Use when parsing config or on update to catch legacy or unsupported values.
type JWTTokenType ¶
// JWTTokenType is the value carried in Claims.Type. It tells an access token
// apart from a refresh token; the two have separate TTLs (JWTPluginConfig
// ExpiresIn and RefreshExpiresIn) and must not be interchangeable.
type JWTTokenType string

const (
	JWTTokenTypeAccess  JWTTokenType = "access_token"
	JWTTokenTypeRefresh JWTTokenType = "refresh_token"
)
func (JWTTokenType) String ¶
func (t JWTTokenType) String() string
type RefreshToken ¶
// RefreshToken represents a stored refresh token, one row of the
// "refresh_tokens" table. Only TokenHash is persisted, never the token itself
// (inferred from the field name — confirm), so a copy of the table does not
// directly yield usable tokens.
type RefreshToken struct {
	bun.BaseModel `bun:"table:refresh_tokens"`

	ID        string `json:"id" bun:"column:id,pk"`
	SessionID string `json:"session_id" bun:"column:session_id"`
	// TokenHash is looked up when a refresh token is presented. The digest
	// function is not visible here; it should be a fixed-output hash and the
	// comparison constant-time — TODO confirm in the store.
	TokenHash string    `json:"token_hash" bun:"column:token_hash"`
	ExpiresAt time.Time `json:"expires_at" bun:"column:expires_at"`
	// IsRevoked and RevokedAt mark a token that must no longer be accepted,
	// e.g. after it has been exchanged for a new one.
	IsRevoked bool       `json:"is_revoked" bun:"column:is_revoked"`
	RevokedAt *time.Time `json:"revoked_at" bun:"column:revoked_at"`
	// LastReuseAttempt is nil until a revoked or already-used token is
	// presented again; together with JWTPluginConfig.RefreshGracePeriod it
	// presumably drives reuse detection (a reuse outside the grace window
	// being treated as token theft) — confirm.
	LastReuseAttempt *time.Time `json:"last_reuse_attempt" bun:"column:last_reuse_attempt"`
	CreatedAt        time.Time  `json:"created_at" bun:"column:created_at,default:current_timestamp"`
}
RefreshToken represents a stored refresh token in the database