Documentation
¶
Overview ¶
Package auth carries the canonical representation of the value stored under the token cache key (TokenCachePrefix+token) and provides versioned encoding helpers.
Historically the cache value was a `@`-joined string ("uid@name" or "uid@name@role") split ad-hoc at every call site. i18n 主方案 D10/D21 要求把 token cache 真相源收口,并在 payload 中带上用户语言偏好(D20 UserInfo), 因此引入 versioned JSON envelope(v2:);v1 字符串格式保留为解码 fallback, 灰度期老 token 不会因为升级失效。
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrEmptyToken = errors.New("auth: empty token payload")
ErrEmptyToken indicates an empty cache value (missing or evicted token).
var ErrInvalidToken = errors.New("auth: invalid token payload")
ErrInvalidToken indicates a token payload that matches neither v2 JSON nor the legacy "uid@name[@role]" string.
Functions ¶
Types ¶
type CacheTokenParser ¶
type CacheTokenParser struct {
Cache cache.Cache
Prefix string
// contains filtered or unexported fields
}
CacheTokenParser implements octo-lib's wkhttp.TokenParser using the shared pkg/auth codec. It supersedes octo-lib's legacyTokenParser so that octo-server can write v2 JSON envelopes while still decoding any legacy uid@name[@role] values left in cache from older binaries.
When a LanguageResolver is injected via WithLanguageResolver, Parse hits the resolver after Decode to upgrade the token-cache language snapshot to the authoritative value before octo-lib's AuthMiddleware stores UserInfo on the request context. Resolver failures are non-fatal — the decoded snapshot is preserved so a Redis/DB outage degrades to "stale language" rather than "authentication failure".
Construct once at boot and register with WKHttp.SetTokenParser; the parser is safe for concurrent use as long as the underlying cache + resolver are.
func NewCacheTokenParser ¶
func NewCacheTokenParser(c cache.Cache, prefix string, opts ...ParserOption) *CacheTokenParser
NewCacheTokenParser is a convenience constructor; nil cache is a programmer error and panics rather than silently degrading to a parser that fails every request.
type LanguageResolver ¶
LanguageResolver hydrates UserInfo.Language with the freshest user-language preference (Redis cache → DB → ""). It is intentionally a tiny interface shaped at the consumer side so pkg/auth does not need to import the i18n package or know about Redis / DB primitives. The concrete implementation lives in modules/user.
type ParserOption ¶
type ParserOption func(*CacheTokenParser)
ParserOption configures optional CacheTokenParser behaviour.
func WithLanguageResolver ¶
func WithLanguageResolver(r LanguageResolver) ParserOption
WithLanguageResolver wires a LanguageResolver into the parser; nil resolver is a no-op so callers can pass an interface value that may be unset in test environments without an extra guard.
func WithRoleResolver ¶ added in v1.7.0
func WithRoleResolver(r RoleResolver) ParserOption
WithRoleResolver wires a RoleResolver into the parser; nil resolver is a no-op so callers (and tests) can pass an interface value that may be unset without an extra guard. When unset, Parse falls back to the role snapshot decoded from the token — i.e. legacy behaviour.
type RoleResolver ¶ added in v1.7.0
RoleResolver hydrates UserInfo.Role with the user's *current* system role (Redis cache → DB → "") instead of the value snapshotted into the token at issuance. Without it, a system role baked into the token at login keeps granting admin / superAdmin access until the token expires — a demotion or admin-account removal cannot be honoured promptly. Resolving per request bounds that staleness to the resolver's cache TTL.
Like LanguageResolver it is shaped at the consumer side so pkg/auth stays free of DB / Redis imports; the concrete implementation lives in modules/user (RoleService).
type TokenInfo ¶
TokenInfo is the structured payload stored under TokenCachePrefix+token. UID is required; Role/Language may be empty.
func Decode ¶
Decode reverses Encode and tolerates the legacy "uid@name[@role]" string so that tokens written by older binaries (and cached before the upgrade) keep working until they expire. UID emptiness is the only structural check applied here — language validity is enforced at consumption sites via i18n.MatchSupportedLanguage.