Documentation
¶
Overview ¶
Package auth contains the domain types and logic for authentication.
Index ¶
- Variables
- func DetectHashType(storedHash string) string
- func HashKey(rawKey string) string
- func HashKeyArgon2id(rawKey string) (string, error)
- func VerifyKey(rawKey, storedHash string) (bool, error)
- type APIKey
- type APIKeyService
- type AuthStore
- type ExtendedIdentity
- type Identity
- type Role
- type UserStore
Constants ¶
This section is empty.
Variables ¶
var ( // ErrUserNotFound is returned when a proxy user is not found. ErrUserNotFound = errors.New("user not found") // ErrUserKeyNotFound is returned when a proxy API key is not found. ErrUserKeyNotFound = errors.New("user API key not found") )
Sentinel errors for user store operations.
var ErrInvalidKey = errors.New("invalid api key")
ErrInvalidKey is returned when an API key is invalid (expired or revoked).
var ErrUnknownHashType = errors.New("unknown hash type")
ErrUnknownHashType is returned when a stored hash has an unrecognized format.
Functions ¶
func DetectHashType ¶
DetectHashType identifies the hash algorithm used for a stored hash. Returns "argon2id" for PHC format, "sha256" for prefixed or bare hex, "unknown" for unrecognized formats.
func HashKey ¶
HashKey returns the SHA-256 hex hash of the raw key. Deprecated: Use HashKeyArgon2id for new keys. This is kept for backward compatibility.
func HashKeyArgon2id ¶
HashKeyArgon2id returns an Argon2id hash of the raw key in PHC format. The hash includes a random salt and uses OWASP minimum parameters. Format: $argon2id$v=19$m=47104,t=1,p=1$<salt>$<hash>
Types ¶
type APIKey ¶
type APIKey struct {
// Key is the hashed key value (SHA-256 hex or Argon2id PHC format).
Key string
// IdentityID maps this key to an Identity.
IdentityID string
// Name is a human-readable label for this key.
Name string
// CreatedAt is when the key was created (UTC).
CreatedAt time.Time
// ExpiresAt is when the key expires (nil = never expires).
ExpiresAt *time.Time
// Revoked indicates if the key has been revoked.
Revoked bool
}
APIKey represents an API key for authentication.
type APIKeyService ¶
type APIKeyService struct {
// contains filtered or unexported fields
}
APIKeyService validates API keys and returns identities.
func NewAPIKeyService ¶
func NewAPIKeyService(store AuthStore) *APIKeyService
NewAPIKeyService creates a new APIKeyService with the given store.
type AuthStore ¶
type AuthStore interface {
// GetAPIKey retrieves an API key by its hash.
// Returns outbound.ErrKeyNotFound if key doesn't exist.
GetAPIKey(ctx context.Context, keyHash string) (*APIKey, error)
// GetIdentity retrieves user identity by ID.
// Returns outbound.ErrIdentityNotFound if identity doesn't exist.
GetIdentity(ctx context.Context, id string) (*Identity, error)
// ListAPIKeys returns all stored API keys for iteration-based verification.
ListAPIKeys(ctx context.Context) ([]*APIKey, error)
}
AuthStore provides credential lookup for authentication. This interface is defined in the domain to avoid circular imports. Implementations: in-memory (dev), PostgreSQL (prod).
type ExtendedIdentity ¶
type ExtendedIdentity struct {
Identity
// Enabled indicates if this user is active.
Enabled bool
// CreatedAt is when the user was created (UTC).
CreatedAt time.Time
// UpdatedAt is when the user was last modified (UTC).
UpdatedAt time.Time
}
ExtendedIdentity extends Identity with additional fields for admin operations.
type Identity ¶
type Identity struct {
// ID is the unique identifier for this identity.
ID string
// Name is the display name for this identity.
Name string
// Roles are the roles assigned to this identity.
Roles []Role
}
Identity represents an authenticated user or service.
func (*Identity) HasAnyRole ¶
HasAnyRole returns true if the identity has any of the specified roles.
type UserStore ¶
type UserStore interface {
// ListUsers retrieves all proxy users.
// Returns both enabled and disabled users.
ListUsers(ctx context.Context) ([]Identity, error)
// GetUser retrieves a proxy user by ID.
// Returns ErrUserNotFound if the user doesn't exist.
GetUser(ctx context.Context, id string) (*Identity, error)
// CreateUser creates a new proxy user.
// The ID field is set by the implementation if empty.
CreateUser(ctx context.Context, user *Identity) error
// UpdateUser updates an existing proxy user.
// Updates Name, Roles, and Enabled fields.
UpdateUser(ctx context.Context, user *Identity) error
// DeleteUser deletes a proxy user by ID.
// Also deletes associated API keys (cascade).
// Returns ErrUserNotFound if the user doesn't exist.
DeleteUser(ctx context.Context, id string) error
// CreateUserAPIKey creates a new API key for a proxy user.
// The keyHash should be the SHA-256 hex hash of the raw API key.
// Returns ErrUserNotFound if the user doesn't exist.
CreateUserAPIKey(ctx context.Context, userID, keyHash string, expiresAt *time.Time) error
// RevokeUserAPIKey revokes a proxy user's API key by its hash.
// Returns ErrUserKeyNotFound if the key doesn't exist.
RevokeUserAPIKey(ctx context.Context, keyHash string) error
}
UserStore provides admin CRUD operations for proxy users (identities). This interface is defined in the domain to avoid circular imports. Implementations: PostgreSQL (prod).
Source Files