authn

package
v0.19.0 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 15, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package authn provides pluggable authentication middleware for the pbflags admin API. It extracts an Identity from each HTTP request using a configurable Authenticator strategy.

Strategies are selected via Config.Strategy:

  • "none" — no authentication; all requests are anonymous (default)
  • "shared-secret" — Bearer token matched against a configured secret
  • "trusted-header" — identity read from a reverse-proxy header (e.g. X-Forwarded-User)

Functions

func Middleware

func Middleware(auth Authenticator, next http.Handler) http.Handler

Middleware wraps an http.Handler, running the Authenticator on every request. On success the Identity is stored in the request context. On failure a 401 response is returned.

func SubjectFromContext

func SubjectFromContext(ctx context.Context, fallback string) string

SubjectFromContext is a convenience that returns the subject string, or fallback if no identity is present.

Types

type Authenticator

type Authenticator interface {
	// Authenticate inspects the request and returns the caller's identity.
	// Returning an error rejects the request with 401.
	Authenticate(r *http.Request) (Identity, error)
}

Authenticator extracts an identity from an HTTP request.

func NewAuthenticator

func NewAuthenticator(cfg Config) (Authenticator, error)

NewAuthenticator creates an Authenticator from the given Config.

type Config

type Config struct {
	Strategy string // "none", "shared-secret", "trusted-header"
	Token    string // shared-secret token
	Header   string // trusted-header header name
}

Config holds authentication configuration.

func LoadConfig

func LoadConfig() Config

LoadConfig reads auth configuration from environment variables.

type Identity

type Identity struct {
	Subject string // who, e.g. "alice@example.com", "ci-bot"
}

Identity represents an authenticated caller.

func FromContext

func FromContext(ctx context.Context) (Identity, bool)

FromContext returns the Identity attached to ctx, or a zero Identity if none is attached.

type None

type None struct{}

None always succeeds with Subject "anonymous".

func (None) Authenticate

func (None) Authenticate(_ *http.Request) (Identity, error)

type SharedSecret

type SharedSecret struct {
	// contains filtered or unexported fields
}

SharedSecret validates a Bearer token against a pre-shared secret using constant-time comparison.

func NewSharedSecret

func NewSharedSecret(token string) (*SharedSecret, error)

NewSharedSecret creates a SharedSecret authenticator. The token must not be empty.

func (*SharedSecret) Authenticate

func (s *SharedSecret) Authenticate(r *http.Request) (Identity, error)
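
The behaviour documented for Middleware and SharedSecret, as an added stand-alone example that is not the package's own code: the local Identity and Authenticator types mirror the signatures above, while bearer, middleware, probe, the "shared-secret" subject label and the constructed secret are assumptions. It hashes the presented token before the constant-time comparison so both inputs have equal length, and answers 401 without distinguishing a missing token from a wrong one.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Local stand-ins mirroring the documented shapes; hypothetical, not the authn package's code.
type Identity struct{ Subject string }
type Authenticator interface{ Authenticate(r *http.Request) (Identity, error) }
type ctxKey struct{}
type bearer struct{ want [32]byte } // keeps only a SHA-256 digest of the secret
func (b bearer) Authenticate(r *http.Request) (Identity, error) {
	h := r.Header.Get("Authorization")
	// Hash the presented token so both inputs are 32 bytes for the constant-time compare.
	got := sha256.Sum256([]byte(strings.TrimPrefix(h, "Bearer ")))
	if !strings.HasPrefix(h, "Bearer ") || subtle.ConstantTimeCompare(got[:], b.want[:]) != 1 {
		return Identity{}, fmt.Errorf("missing or invalid bearer token")
	}
	return Identity{Subject: "shared-secret"}, nil // subject label is an assumption
}
// middleware answers 401 on error, otherwise passes the Identity on via the context.
func middleware(a Authenticator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := a.Authenticate(r)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, id)))
	})
}
// probe sends one constructed request; returns the status and the subject the handler saw.
func probe(authz string) (code int, subject string) {
	req := httptest.NewRequest("GET", "/admin", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		subject = r.Context().Value(ctxKey{}).(Identity).Subject
	})
	middleware(bearer{sha256.Sum256([]byte("constructed-secret"))}, next).ServeHTTP(rec, req)
	return rec.Code, subject
}
func main() { fmt.Println(probe("Bearer constructed-secret")) }
```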

type TrustedHeader

type TrustedHeader struct {
	// contains filtered or unexported fields
}

TrustedHeader reads identity from a header set by a reverse proxy. The header name is configurable (defaults to "X-Forwarded-User").

func NewTrustedHeader

func NewTrustedHeader(header string) *TrustedHeader

NewTrustedHeader creates a TrustedHeader authenticator. If header is empty, "X-Forwarded-User" is used.

func (*TrustedHeader) Authenticate

func (t *TrustedHeader) Authenticate(r *http.Request) (Identity, error)
