auth

package
v1.8.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 4, 2026 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package auth carries the canonical representation of the value stored under the token cache key (TokenCachePrefix+token) and provides versioned encoding helpers.

Historically the cache value was a `@`-joined string ("uid@name" or "uid@name@role") split ad-hoc at every call site. i18n 主方案 D10/D21 要求把 token cache 真相源收口,并在 payload 中带上用户语言偏好(D20 UserInfo), 因此引入 versioned JSON envelope(v2:);v1 字符串格式保留为解码 fallback, 灰度期老 token 不会因为升级失效。

Index

Constants

This section is empty.

Variables

View Source
var ErrEmptyToken = errors.New("auth: empty token payload")

ErrEmptyToken indicates an empty cache value (missing or evicted token).

View Source
var ErrInvalidToken = errors.New("auth: invalid token payload")

ErrInvalidToken indicates a token payload that matches neither v2 JSON nor the legacy "uid@name[@role]" string.

Functions

func Encode

func Encode(info TokenInfo) (string, error)

Encode serializes a TokenInfo as the versioned JSON envelope. The UID is the only required field; callers should populate Name/Role exactly as they did for the legacy "uid@name@role" string, and Language with the value resolved at write time (may be empty if unknown).

Types

type CacheTokenParser

type CacheTokenParser struct {
	Cache  cache.Cache
	Prefix string
	// contains filtered or unexported fields
}

CacheTokenParser implements octo-lib's wkhttp.TokenParser using the shared pkg/auth codec. It supersedes octo-lib's legacyTokenParser so that octo-server can write v2 JSON envelopes while still decoding any legacy uid@name[@role] values left in cache from older binaries.

When a LanguageResolver is injected via WithLanguageResolver, Parse hits the resolver after Decode to upgrade the token-cache language snapshot to the authoritative value before octo-lib's AuthMiddleware stores UserInfo on the request context. Resolver failures are non-fatal — the decoded snapshot is preserved so a Redis/DB outage degrades to "stale language" rather than "authentication failure".

Construct once at boot and register with WKHttp.SetTokenParser; the parser is safe for concurrent use as long as the underlying cache + resolver are.

func NewCacheTokenParser

func NewCacheTokenParser(c cache.Cache, prefix string, opts ...ParserOption) *CacheTokenParser

NewCacheTokenParser is a convenience constructor; nil cache is a programmer error and panics rather than silently degrading to a parser that fails every request.

func (*CacheTokenParser) Parse

func (p *CacheTokenParser) Parse(ctx context.Context, token string) (wkhttp.UserInfo, error)

Parse implements wkhttp.TokenParser. ctx is propagated to the optional LanguageResolver so resolver implementations can honour deadlines / cancellation set by the surrounding request.

type LanguageResolver

type LanguageResolver interface {
	Resolve(ctx context.Context, uid string) (string, error)
}

LanguageResolver hydrates UserInfo.Language with the freshest user-language preference (Redis cache → DB → ""). It is intentionally a tiny interface shaped at the consumer side so pkg/auth does not need to import the i18n package or know about Redis / DB primitives. The concrete implementation lives in modules/user.

type ParserOption

type ParserOption func(*CacheTokenParser)

ParserOption configures optional CacheTokenParser behaviour.

func WithLanguageResolver

func WithLanguageResolver(r LanguageResolver) ParserOption

WithLanguageResolver wires a LanguageResolver into the parser; nil resolver is a no-op so callers can pass an interface value that may be unset in test environments without an extra guard.

func WithRoleResolver added in v1.7.0

func WithRoleResolver(r RoleResolver) ParserOption

WithRoleResolver wires a RoleResolver into the parser; nil resolver is a no-op so callers (and tests) can pass an interface value that may be unset without an extra guard. When unset, Parse falls back to the role snapshot decoded from the token — i.e. legacy behaviour.

type RoleResolver added in v1.7.0

type RoleResolver interface {
	ResolveRole(ctx context.Context, uid string) (string, error)
}

RoleResolver hydrates UserInfo.Role with the user's *current* system role (Redis cache → DB → "") instead of the value snapshotted into the token at issuance. Without it, a system role baked into the token at login keeps granting admin / superAdmin access until the token expires — a demotion or admin-account removal cannot be honoured promptly. Resolving per request bounds that staleness to the resolver's cache TTL.

Like LanguageResolver it is shaped at the consumer side so pkg/auth stays free of DB / Redis imports; the concrete implementation lives in modules/user (RoleService).

type TokenInfo

type TokenInfo struct {
	UID      string
	Name     string
	Role     string
	Language string
}

TokenInfo is the structured payload stored under TokenCachePrefix+token. UID is required; Role/Language may be empty.

func Decode

func Decode(raw string) (TokenInfo, error)

Decode reverses Encode and tolerates the legacy "uid@name[@role]" string so that tokens written by older binaries (and cached before the upgrade) keep working until they expire. UID emptiness is the only structural check applied here — language validity is enforced at consumption sites via i18n.MatchSupportedLanguage.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL