authn

package v0.4.3 (Latest)

Warning: This package is not in the latest version of its module.

Published: May 6, 2026 | License: MIT | Imports: 6 | Imported by: 0

Documentation

Overview

Package authn provides a generic Kratos middleware for JWT-based authentication. It is engine-agnostic: any Authenticator implementation can be injected.

Example usage:

import (
    "github.com/Servora-Kit/servora/security/authn"
    "github.com/Servora-Kit/servora/security/authn/jwt"
)

mw = append(mw, authn.Server(
    jwt.NewAuthenticator(jwt.WithVerifier(km.Verifier())),
))

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ExtractBearerToken

func ExtractBearerToken(header string) string

ExtractBearerToken parses the Bearer token from an Authorization header value. It returns the empty string if the header is absent or malformed.
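As an added illustration, and not the package's own code, the following is a self-contained Go parser for the contract described above, with the edge cases a practitioner would want covered: the scheme compared case-insensitively (as RFC 7235 requires for auth-schemes), surrounding whitespace tolerated, and the token checked against RFC 6750's token68 syntax so that control characters, a second word, or misplaced '=' are rejected instead of being handed to the verifier. Whether the real ExtractBearerToken matches the scheme case-insensitively or validates the token charset is not stated on this page; both are assumptions made here.

```go
package main

import (
	"fmt"
	"strings"
)

// isToken68 reports whether s matches RFC 6750's bearer token syntax
// (token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=").
// It rejects control characters, spaces, and '=' anywhere but as trailing padding.
func isToken68(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case c == '-', c == '.', c == '_', c == '~', c == '+', c == '/':
		case c == '=':
			return strings.Trim(s[i:], "=") == "" // only padding may follow the first '='
		default:
			return false
		}
	}
	return true
}

// extractBearerToken is an illustrative stand-in for the documented contract of
// authn.ExtractBearerToken (assumed behaviour, not the package's own code): it
// returns the token from "Bearer <token>" and "" when the header is absent, uses
// another scheme, carries no token, or carries one that is not a valid token68.
// The scheme is matched case-insensitively, as RFC 7235 requires for auth-schemes.
func extractBearerToken(header string) string {
	fields := strings.Fields(header)
	if len(fields) != 2 || !strings.EqualFold(fields[0], "Bearer") {
		return ""
	}
	if !isToken68(fields[1]) {
		return ""
	}
	return fields[1]
}

func main() {
	// Constructed header values covering the accept and reject paths.
	for _, h := range []string{
		"Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123",
		"bearer abc",
		"Bearer  abc  ",
		"Bearer ab==",
		"Basic dXNlcjpwYXNz",
		"Bearer",
		"Bearer a b",
		"Bearer a=b",
		"Bearer abc\x00",
		"",
	} {
		fmt.Printf("%-40q -> %q\n", h, extractBearerToken(h))
	}
}
```

Rejecting malformed tokens at the header boundary keeps garbage out of the verification path and out of the logs that the observer callback later feeds; a token that fails the charset check can never be a valid JWT anyway.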

func Server

func Server(authenticator Authenticator, opts ...Option) middleware.Middleware

Server returns a Kratos middleware that authenticates requests using the provided Authenticator. It extracts the Bearer token from the Authorization header, stores it in context via svrmw.NewTokenContext, then delegates to the Authenticator to produce an actor.Actor.

Behavior:

  • No transport in context → anonymous actor injected, handler called
  • No Authorization header → anonymous actor injected (authenticator may override)
  • Authenticator error + no error handler → error returned
  • Authenticator error + error handler → handler's return value used

Types

type Authenticator

type Authenticator interface {
	Authenticate(ctx context.Context) (actor.Actor, error)
}

Authenticator is the interface for authenticating incoming requests. Implementations receive the full request context (which may include the raw token stored by Server) and return an actor.Actor.

type AuthnDetail added in v0.4.3

type AuthnDetail struct {
	Method  string      // "jwt" / "mtls" / ...
	Subject actor.Actor // resolved actor on success; actor.NewAnonymousActor() on failure
	Allowed bool        // true on success (incl. anonymous success); false on failure
	Err     error       // nil on success; original error on failure
}

AuthnDetail captures the outcome of one authentication attempt for the observer callback. Note: this is distinct from obs/audit.AuthnDetail (which is the audit event payload). The mapping between them lives in obs/audit/observers.go.

Coverage: JWT engine (current) and future mTLS app-layer SAN/XFCC failures. Does NOT cover TLS handshake errors — those should be captured by transport-level metrics + logs (see TODO P1-3 mTLS plan).

type Option

type Option func(*serverConfig)

Option configures the Server middleware.

func WithErrorHandler

func WithErrorHandler(h func(ctx context.Context, err error) error) Option

WithErrorHandler sets a custom error handler invoked when authentication fails.

func WithObserver added in v0.4.3

func WithObserver(fn func(ctx context.Context, d AuthnDetail)) Option

WithObserver installs a callback invoked after every Authenticate call (success or failure). Pair it with `recorder.AuthnObserver()` from obs/audit to bridge results into the audit pipeline:

authn.Server(authenticator,
    authn.WithObserver(recorder.AuthnObserver()),
)

A nil observer leaves the middleware unaffected (no-op).
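The following is an added, self-contained model of the dispatch documented above for Server, WithErrorHandler and WithObserver; it is not the servora or Kratos code. Stand-in types (Actor, Handler, a ctxKey-based transport stand-in, a tokenTable toy engine with one constructed token) replace actor.Actor, middleware.Middleware, the Kratos transport lookup and the JWT engine, and token extraction is reduced to a prefix strip. Run drives one simulated request through the four documented outcomes so each can be checked, and it also reports what the observer saw.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Stand-in types with the shapes this page documents (assumed, not the real Kratos or servora APIs).
type Actor struct{ Subject string; Anonymous bool }
type Handler func(ctx context.Context, req any) (any, error)
type Authenticator interface {
	Authenticate(ctx context.Context) (Actor, error)
}
type AuthnDetail struct {
	Method  string
	Subject Actor
	Allowed bool
	Err     error
}
// Context keys: keyHeader exists only when a "transport" is in context, keyToken stands in
// for svrmw.NewTokenContext, keyActor carries the resolved actor to the handler.
type ctxKey int
const keyHeader, keyToken, keyActor ctxKey = 0, 1, 2
type config struct {
	errHandler func(context.Context, error) error
	observer   func(context.Context, AuthnDetail)
}
type Option func(*config)
func WithErrorHandler(h func(context.Context, error) error) Option {
	return func(c *config) { c.errHandler = h }
}
func WithObserver(fn func(context.Context, AuthnDetail)) Option {
	return func(c *config) { c.observer = fn }
}

// Server models the four documented outcomes. A missing header does not fail the
// request: the handler runs with an anonymous actor, so authorization must happen downstream.
func Server(a Authenticator, opts ...Option) func(Handler) Handler {
	cfg := &config{}
	for _, o := range opts { o(cfg) }
	return func(next Handler) Handler {
		return func(ctx context.Context, req any) (any, error) {
			hdr, hasTransport := ctx.Value(keyHeader).(string)
			if !hasTransport {
				return next(context.WithValue(ctx, keyActor, Actor{Anonymous: true}), req)
			}
			if tok := strings.TrimPrefix(hdr, "Bearer "); tok != hdr {
				ctx = context.WithValue(ctx, keyToken, tok)
			}
			act, err := a.Authenticate(ctx)
			if err != nil {
				act = Actor{Anonymous: true} // AuthnDetail.Subject on failure
			}
			if cfg.observer != nil {
				cfg.observer(ctx, AuthnDetail{Method: "jwt", Subject: act, Allowed: err == nil, Err: err})
			}
			if err != nil {
				if cfg.errHandler != nil {
					err = cfg.errHandler(ctx, err) // handler's return value is the result
				}
				return nil, err
			}
			return next(context.WithValue(ctx, keyActor, act), req)
		}
	}
}

// tokenTable is a constructed toy engine: a fixed token->subject map stands in for JWT
// verification. No token: anonymous actor (not an error); unknown token: errBadToken.
type tokenTable map[string]string
var errBadToken = fmt.Errorf("invalid token")
func (t tokenTable) Authenticate(ctx context.Context) (Actor, error) {
	tok, ok := ctx.Value(keyToken).(string)
	if sub, found := t[tok]; found {
		return Actor{Subject: sub}, nil
	} else if !ok {
		return Actor{Anonymous: true}, nil
	}
	return Actor{}, errBadToken
}

// Run simulates one request (transport=false: no transport in context; header="": no header) and
// returns the actor the handler saw, the AuthnDetail the observer received (Method=="" if
// Authenticate never ran), and the error returned to the caller.
func Run(transport bool, header string, opts ...Option) (seen Actor, d AuthnDetail, err error) {
	opts = append(opts, WithObserver(func(_ context.Context, got AuthnDetail) { d = got }))
	h := Server(tokenTable{"tok-alice": "alice"}, opts...)(func(ctx context.Context, _ any) (any, error) {
		seen = ctx.Value(keyActor).(Actor)
		return "ok", nil
	})
	ctx := context.Background()
	if transport { ctx = context.WithValue(ctx, keyHeader, header) }
	_, err = h(ctx, nil)
	return seen, d, err
}

func main() {
	fmt.Println(Run(true, "Bearer forged")) // failure path: anonymous subject, Allowed=false, errBadToken
}
```

Two points this model makes visible. First, an anonymous actor is a success outcome (Allowed is true) both when there is no transport and when there is no header, so a handler that does not itself reject anonymous actors is reachable without any credential; authorization has to be enforced after this middleware. Second, the observer sees every failed attempt with Err set, which is the place to count and alert on bad-token rates, while an error handler that returns nil converts a failed authentication into an empty successful reply in this model, so such handlers deserve the same scrutiny as the authenticator itself.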

Directories

Path   Synopsis
jwt    Package jwt provides a JWT-based Authenticator implementation for pkg/authn.
noop   Package noop provides a no-op Authenticator that always returns an anonymous actor.
