Documentation
Overview
Package token provides PASETO v4 token validation for microservices.
Index
- Variables
- func ContextWithClaims(ctx context.Context, claims *Claims) context.Context
- func NewTokenValidatorModule() fx.Option
- type Claims
- func (c *Claims) Get(key string, v any) error
- func (c *Claims) GetString(key string) (string, error)
- func (c *Claims) HasAnyPermission(permissions []string) bool
- func (c *Claims) HasPermission(permission string) bool
- func (c *Claims) IsAccess() bool
- func (c *Claims) IsExpired() bool
- func (c *Claims) IsRefresh() bool
- type Config
- type TokenValidator
Constants
This section is empty.
Variables
var (
	// ErrInvalidToken is returned when the token cannot be parsed or verified.
	ErrInvalidToken = errors.New("invalid token")
	// ErrExpiredToken is returned when the token has expired.
	ErrExpiredToken = errors.New("token expired")
	// ErrInvalidPublicKey is returned when the public key is invalid.
	ErrInvalidPublicKey = errors.New("invalid public key")
)
var ErrInsufficientPermissions = errors.New("insufficient permissions")
ErrInsufficientPermissions is returned when the user lacks the required permissions.
Functions
func ContextWithClaims
func ContextWithClaims(ctx context.Context, claims *Claims) context.Context
ContextWithClaims returns a new context with the claims stored.
func NewTokenValidatorModule
func NewTokenValidatorModule() fx.Option
NewTokenValidatorModule provides a TokenValidator for dependency injection.
Types
type Claims
type Claims struct {
// UserID is the unique identifier of the user (subject).
UserID string
// Role is the user's role (e.g., "super_admin", "catalog_manager", "viewer").
Role string
// Permissions is the list of permissions granted to the user.
Permissions []string
// Type is the token type (e.g., "access", "refresh").
Type string
// IssuedAt is the time when the token was issued.
IssuedAt time.Time
// ExpiresAt is the time when the token expires.
ExpiresAt time.Time
// NotBefore is the time before which the token is not valid.
NotBefore time.Time
// contains filtered or unexported fields
}
Claims represents the token claims. This is used across all services for authentication.
func ClaimsFromContext
ClaimsFromContext retrieves claims from the context. Returns nil if no claims are present.
func HandleBearerAuth
func HandleBearerAuth(
	validator TokenValidator,
	ctx context.Context,
	tokenString string,
	requiredPermissions []string,
) (context.Context, *Claims, error)
HandleBearerAuth validates a token and checks permissions. It returns the context with claims stored, the claims, and any error.
Usage in your service:
func (s *securityHandler) HandleBearerAuth(ctx context.Context, operationName httpapi.OperationName, t httpapi.BearerAuth) (context.Context, error) {
	ctx, _, err := token.HandleBearerAuth(s.validator, ctx, t.Token, t.Roles)
	return ctx, err
}
func (*Claims) HasAnyPermission
HasAnyPermission checks if the user has at least one of the required permissions.
func (*Claims) HasPermission
HasPermission checks if the user has a specific permission.
type Config
type Config struct {
// PublicKey is the hex-encoded Ed25519 public key for verifying tokens.
PublicKey string `mapstructure:"public-key"`
}
Config holds the configuration for PASETO token validation.
type TokenValidator
type TokenValidator interface {
// ValidateToken validates a token and returns the claims.
ValidateToken(token string) (*Claims, error)
}
TokenValidator validates tokens and returns claims.
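The following is an added, self-contained example, not the package's own code, showing how the pieces documented on this page fit together at a call site: a TokenValidator produces Claims, HandleBearerAuth rejects invalid or expired tokens and then enforces the required permissions, and the claims are stored in the request context for later retrieval. Assumptions: the Claims type, context helpers and HandleBearerAuth below are minimal reimplementations of the documented signatures; the stubValidator is a test double that maps constructed token strings to claims instead of verifying real PASETO v4 tokens; and HandleBearerAuth is taken to require every listed permission (the page does not state all-of versus any-of semantics).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors with the same names the package documents.
var (
	ErrInvalidToken            = errors.New("invalid token")
	ErrExpiredToken            = errors.New("token expired")
	ErrInsufficientPermissions = errors.New("insufficient permissions")
)

// Claims is a stand-in for the package's Claims type (assumption: only the
// fields exercised by the checks below are included).
type Claims struct {
	UserID      string
	Role        string
	Permissions []string
	Type        string
	ExpiresAt   time.Time
	NotBefore   time.Time
}

// HasPermission reports whether a specific permission was granted.
func (c *Claims) HasPermission(permission string) bool {
	for _, have := range c.Permissions {
		if have == permission {
			return true
		}
	}
	return false
}

// HasAnyPermission reports whether at least one listed permission was granted.
func (c *Claims) HasAnyPermission(permissions []string) bool {
	for _, p := range permissions {
		if c.HasPermission(p) {
			return true
		}
	}
	return false
}

// IsExpired treats a zero ExpiresAt as "no expiry" (assumption).
func (c *Claims) IsExpired() bool {
	return !c.ExpiresAt.IsZero() && time.Now().After(c.ExpiresAt)
}

// claimsKey is unexported so no other package can read or overwrite the value.
type claimsKey struct{}

func ContextWithClaims(ctx context.Context, claims *Claims) context.Context {
	return context.WithValue(ctx, claimsKey{}, claims)
}

// ClaimsFromContext returns nil when no claims were stored.
func ClaimsFromContext(ctx context.Context) *Claims {
	c, _ := ctx.Value(claimsKey{}).(*Claims)
	return c
}

type TokenValidator interface {
	ValidateToken(token string) (*Claims, error)
}

// stubValidator is a test double (assumption): it looks tokens up in a map
// instead of verifying a PASETO v4 signature, but applies the same
// time-window checks a real validator would.
type stubValidator struct{ tokens map[string]*Claims }

func (s stubValidator) ValidateToken(token string) (*Claims, error) {
	c, ok := s.tokens[token]
	if !ok {
		return nil, ErrInvalidToken
	}
	if !c.NotBefore.IsZero() && time.Now().Before(c.NotBefore) {
		return nil, ErrInvalidToken
	}
	if c.IsExpired() {
		return nil, ErrExpiredToken
	}
	return c, nil
}

// HandleBearerAuth validates the token, then requires every listed permission
// (all-of semantics is an assumption), and stores the claims in the context.
func HandleBearerAuth(validator TokenValidator, ctx context.Context, tokenString string, requiredPermissions []string) (context.Context, *Claims, error) {
	claims, err := validator.ValidateToken(tokenString)
	if err != nil {
		return ctx, nil, err
	}
	for _, p := range requiredPermissions {
		if !claims.HasPermission(p) {
			return ctx, nil, fmt.Errorf("%w: missing %q", ErrInsufficientPermissions, p)
		}
	}
	return ContextWithClaims(ctx, claims), claims, nil
}

// newStubValidator builds constructed sample tokens: a manager with write
// access, a read-only viewer, and an expired token.
func newStubValidator() stubValidator {
	return stubValidator{tokens: map[string]*Claims{
		"tok-manager": {UserID: "user-42", Role: "catalog_manager", Type: "access",
			Permissions: []string{"catalog:read", "catalog:write"}, ExpiresAt: time.Now().Add(time.Hour)},
		"tok-viewer": {UserID: "user-7", Role: "viewer", Type: "access",
			Permissions: []string{"catalog:read"}, ExpiresAt: time.Now().Add(time.Hour)},
		"tok-expired": {UserID: "user-9", Role: "viewer", Type: "access",
			Permissions: []string{"catalog:read"}, ExpiresAt: time.Now().Add(-time.Hour)},
	}}
}

func main() {
	v := newStubValidator()
	for _, tok := range []string{"tok-manager", "tok-viewer", "tok-expired", "garbage"} {
		ctx, _, err := HandleBearerAuth(v, context.Background(), tok, []string{"catalog:write"})
		fmt.Printf("%-12s err=%v claims-in-ctx=%v\n", tok, err, ClaimsFromContext(ctx) != nil)
	}
}
```

Because the sentinel errors are wrapped with %w, callers can map them to HTTP statuses with errors.Is (401 for ErrInvalidToken and ErrExpiredToken, 403 for ErrInsufficientPermissions) without parsing error strings, and the unexported context key keeps downstream handlers from being handed claims that did not come through HandleBearerAuth.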