auth

package
Overview

Package auth provides token-based authentication and key distribution for Tier 2.5 hierarchical private search (Option B).

The authentication flow:

  1. The user authenticates with a user ID and password (Service.Authenticate).
  2. The auth service validates the credentials and, on success, returns a ClientCredentials value containing:
     - a session token (valid for ServiceConfig.TokenTTL, 1 hour by default)
     - the AES-256 key used to decrypt vectors
     - the LSH hyperplanes used to compute buckets (distributed as pre-computed planes rather than the seed they derive from)
     - the centroids used for the local HE scoring cache
  3. The client presents the session token on subsequent API calls and uses the key, hyperplanes and centroids locally for searches.
  4. The token can be refreshed (Service.RefreshToken) once it is within the configured RefreshWindow before expiry; refreshing earlier than that returns ErrTokenNotRefreshable.


Constants

// Scope strings carried in Token.Scopes and matched by Token.HasScope.
// NOTE(review): whether ScopeAdmin implies ScopeSearch/ScopeIndex depends on
// HasScope's implementation, which is not shown here — callers that need both
// should check each scope explicitly until that is confirmed.
const (
	// ScopeSearch allows performing searches
	ScopeSearch = "search"
	// ScopeIndex allows adding/updating vectors
	ScopeIndex = "index"
	// ScopeAdmin allows full access including key management
	ScopeAdmin = "admin"
)

Scopes for authorization

Variables

// Sentinel errors returned by Service. Match them with errors.Is rather than
// by string comparison.
//
// NOTE(review): several of these distinguish failure causes that an API
// client should generally not be able to tell apart (ErrUserNotFound vs
// ErrInvalidCredentials lets a caller enumerate user IDs; ErrTokenExpired vs
// ErrInvalidToken reveals whether a presented token ever existed). They are
// useful for logging and tests, but whatever surfaces them to remote clients
// should collapse them into a single generic failure.
var (
	// ErrInvalidToken is returned when a token is invalid or not found.
	// Its message also mentions expiry, but expiry has its own sentinel below.
	ErrInvalidToken = errors.New("invalid or expired token")
	// ErrUnauthorized is returned when access is denied.
	ErrUnauthorized = errors.New("unauthorized access")
	// ErrTokenExpired is returned when a token has expired.
	ErrTokenExpired = errors.New("token has expired")
	// ErrUserNotFound is returned when a user is not found.
	ErrUserNotFound = errors.New("user not found")
	// ErrInvalidCredentials is returned when credentials are incorrect.
	ErrInvalidCredentials = errors.New("invalid credentials")
	// ErrUserExists is returned when trying to create an existing user.
	ErrUserExists = errors.New("user already exists")
	// ErrUserDisabled is returned when a user account is disabled
	// (see Service.DisableUser / EnableUser).
	ErrUserDisabled = errors.New("user account is disabled")
	// ErrTokenNotRefreshable is returned when a token is not yet eligible for
	// refresh, i.e. it is still further than ServiceConfig.RefreshWindow from
	// its expiry.
	ErrTokenNotRefreshable = errors.New("token not yet eligible for refresh")
)

Functions

This section is empty.

Types

type ClientCredentials

// ClientCredentials is the bundle handed to a client after a successful
// Authenticate or RefreshToken call. Token and AESKey are secrets; the
// remaining fields are the parameters the client needs to compute buckets
// and score locally.
type ClientCredentials struct {
	// Token for subsequent API calls.
	// This is a bearer secret: ValidateToken, RefreshToken and RevokeToken are
	// keyed by the token string alone, so anyone holding it can act as the
	// user until TokenExpiry. Do not log it.
	Token string

	// TokenExpiry when the token expires (see IsExpired / TimeUntilExpiry).
	TokenExpiry time.Time

	// AESKey for vector decryption (32 bytes, AES-256).
	// NOTE(review): TokenExpiry bounds the token only; nothing on this type
	// bounds the lifetime of AESKey, and revoking the token does not change
	// the key a client already holds — confirm how key rotation is handled.
	AESKey []byte

	// LSHHyperplanes derived from the enterprise LSH seed.
	// Distributed as pre-computed planes instead of the seed for security:
	// the client can compute buckets without ever learning the seed.
	LSHHyperplanes [][]float64

	// Centroids for local caching (used in HE scoring)
	Centroids [][]float64

	// EnterpriseID for reference
	EnterpriseID string

	// Dimension of vectors
	Dimension int

	// NumSuperBuckets for bucket computation
	NumSuperBuckets int

	// NumSubBuckets for sub-bucket computation
	NumSubBuckets int
}

ClientCredentials contains the secrets and parameters distributed to an authenticated client; together they enable the client to perform Tier 2.5 searches. Token and AESKey are secrets and should be handled as such (kept in memory only, never logged). A leaked Token is usable until TokenExpiry or revocation; a leaked AESKey is usable until the enterprise key is rotated, which this type does not track.

func (*ClientCredentials) IsExpired

func (c *ClientCredentials) IsExpired() bool

IsExpired returns true if the credentials have expired.

func (*ClientCredentials) TimeUntilExpiry

func (c *ClientCredentials) TimeUntilExpiry() time.Duration

TimeUntilExpiry returns the duration until the credentials expire.

type Service

// Service handles authentication and key distribution. Construct it with
// NewService; the zero value is not usable. Issued tokens are tracked in
// memory (see CleanupExpiredTokens), so the active-token set and revocations
// are per-process unless that state is shared by some means not shown here.
type Service struct {
	// contains filtered or unexported fields
}

Service handles authentication and key distribution. Issued tokens are tracked in memory (see CleanupExpiredTokens), so revocations and the active-token count are per-process: a restart forgets issued tokens, and a second instance will not see tokens issued or revoked by the first unless state is shared in a way not documented here.

func NewService

func NewService(cfg ServiceConfig, configStore enterprise.Store) *Service

NewService creates a new authentication service.

func (*Service) ActiveTokenCount

func (s *Service) ActiveTokenCount() int

ActiveTokenCount returns the number of tokens currently tracked in memory by this Service. Whether tokens that have expired but not yet been removed by CleanupExpiredTokens are counted is not specified here — confirm before using this as an "active sessions" metric.

func (*Service) Authenticate

func (s *Service) Authenticate(ctx context.Context, userID string, password []byte) (*ClientCredentials, error)

Authenticate verifies userID and password against the stored user record and, on success, issues a session token and returns the ClientCredentials for the user's enterprise. Failures are reported through the package sentinels (ErrUserNotFound, ErrUserDisabled, ErrInvalidCredentials). Because these distinguish "no such user" from "wrong password", a caller that forwards them verbatim to remote clients exposes a user-ID enumeration oracle; collapse them at the API boundary.

func (*Service) CleanupExpiredTokens

func (s *Service) CleanupExpiredTokens() int

CleanupExpiredTokens removes expired tokens from the in-memory token table and returns the number removed. Nothing on this page schedules it, so a long-running Service should call it periodically or the table grows with every login until restart.

func (*Service) DisableUser

func (s *Service) DisableUser(ctx context.Context, userID string) error

DisableUser disables a user account.

func (*Service) EnableUser

func (s *Service) EnableUser(ctx context.Context, userID string) error

EnableUser enables a user account.

func (*Service) GetUser

func (s *Service) GetUser(ctx context.Context, userID string) (*User, error)

GetUser returns a user by ID.

func (*Service) ListUsers

func (s *Service) ListUsers(ctx context.Context, enterpriseID string) ([]*User, error)

ListUsers returns all users for an enterprise.

func (*Service) RefreshToken

func (s *Service) RefreshToken(ctx context.Context, tokenID string) (*ClientCredentials, error)

RefreshToken creates a new token if the current one is within the configured RefreshWindow of its expiry, returning fresh ClientCredentials; a token that is not yet that close to expiry is rejected with ErrTokenNotRefreshable. Note that refresh is keyed by the token string alone — possession of a token is sufficient to extend it.

func (*Service) RegisterUser

func (s *Service) RegisterUser(ctx context.Context, userID, enterpriseID string, passwordHash []byte, scopes []string) error

RegisterUser registers a new user for an enterprise with the given scopes, returning ErrUserExists if userID is already registered. The caller supplies passwordHash already hashed; this package does not hash it, so the caller and Authenticate must agree on the hashing scheme. In production, use bcrypt (or another purpose-built password hash) — never a plain digest.

func (*Service) RevokeAllUserTokens

func (s *Service) RevokeAllUserTokens(ctx context.Context, userID string) error

RevokeAllUserTokens invalidates all tokens for a user.

func (*Service) RevokeToken

func (s *Service) RevokeToken(ctx context.Context, tokenID string) error

RevokeToken invalidates a token.

func (*Service) ValidateToken

func (s *Service) ValidateToken(ctx context.Context, tokenID string) (*Token, error)

ValidateToken validates a token and returns the associated Token. Validation establishes who the caller is; it does not authorize an operation — callers must still check Token.HasScope for the scope the operation requires. The token string is the bearer secret, so treat tokenID as sensitive (do not log it).

type ServiceConfig

// ServiceConfig holds configuration for the auth service. Obtain defaults
// from DefaultServiceConfig and check a hand-built value with Validate
// before passing it to NewService.
type ServiceConfig struct {
	// TokenTTL is how long tokens are valid (default: 1 hour)
	TokenTTL time.Duration

	// RefreshWindow is how long before expiry a token can be refreshed.
	// RefreshToken returns ErrTokenNotRefreshable while the token is still
	// further than this from its ExpiresAt.
	RefreshWindow time.Duration

	// LSHBits is the number of LSH hyperplanes to generate
	// (the length of ClientCredentials.LSHHyperplanes).
	LSHBits int

	// Dimension is the vector dimension
	// (reported to clients as ClientCredentials.Dimension).
	Dimension int
}

ServiceConfig holds configuration for the auth service.

func DefaultServiceConfig

func DefaultServiceConfig() ServiceConfig

DefaultServiceConfig returns the default configuration for the auth service. The field documentation gives a TokenTTL of 1 hour; the default values of RefreshWindow, LSHBits and Dimension are not stated on this page, so inspect the returned value rather than assuming them.

func (*ServiceConfig) Validate

func (c *ServiceConfig) Validate() error

Validate checks that the service configuration is valid.

type Token

// Token is the server-side record of an issued session token: who it was
// issued to, which enterprise it grants access to, its validity window and
// its scopes. It is what ValidateToken returns.
type Token struct {
	// TokenID is the unique identifier for this token.
	// ValidateToken, RefreshToken and RevokeToken are keyed by this string
	// alone, so it is also the bearer secret — presumably the same value the
	// client receives as ClientCredentials.Token (confirm). Do not log it.
	TokenID string

	// EnterpriseID identifies which enterprise this token grants access to
	EnterpriseID string

	// UserID identifies the authenticated user
	UserID string

	// IssuedAt is when the token was created
	IssuedAt time.Time

	// ExpiresAt is when the token expires (see IsExpired / TimeUntilExpiry)
	ExpiresAt time.Time

	// Scopes defines what operations this token allows; values are the
	// Scope* constants and are checked with HasScope.
	Scopes []string
}

Token represents an authentication token with associated metadata.

func (*Token) HasScope

func (t *Token) HasScope(scope string) bool

HasScope reports whether scope is present in the token's Scopes. Whether ScopeAdmin is treated as implying the other scopes is not documented here; until confirmed, check each required scope explicitly.

func (*Token) IsExpired

func (t *Token) IsExpired() bool

IsExpired returns true if the token has expired.

func (*Token) IsValid

func (t *Token) IsValid() bool

IsValid returns true if the token is well-formed and not expired. It is a local check on the Token value only — it does not consult the Service, so a revoked token can still report IsValid; use Service.ValidateToken for an authoritative answer.

func (*Token) TimeUntilExpiry

func (t *Token) TimeUntilExpiry() time.Duration

TimeUntilExpiry returns the duration until the token expires.

type User

// User is a registered account as stored by the Service and returned by
// GetUser / ListUsers. Note that it carries the password hash; do not hand
// this struct to callers that only need identity or scope information.
type User struct {
	// UserID uniquely identifies the user
	UserID string

	// EnterpriseID identifies which enterprise this user belongs to
	EnterpriseID string

	// PasswordHash is the hashed password (use bcrypt in production).
	// RegisterUser stores whatever hash the caller supplies, so the caller
	// and Authenticate must agree on the scheme; how Authenticate compares
	// the presented password against this value is not shown here — confirm.
	PasswordHash []byte

	// Scopes defines what operations this user can perform; copied into the
	// Scopes of tokens issued to the user (see the Scope* constants).
	Scopes []string

	// Enabled indicates if the user is active. Toggled by EnableUser /
	// DisableUser; a disabled user's authentication fails with ErrUserDisabled.
	Enabled bool

	// CreatedAt is when the user was created
	CreatedAt time.Time

	// LastLogin is when the user last authenticated
	LastLogin time.Time
}

User represents a registered user account (not necessarily one that is currently authenticated — see Enabled and LastLogin). Because it includes PasswordHash, avoid exposing User values beyond the components that need them.
