Documentation
¶
Overview ¶
Package sqlite implements store.Store using SQLite via modernc.org/sqlite. Migrations are embedded and run automatically on Open.
Type translations from the postgres backend:
UUID → TEXT (uuid.UUID's Scan/Value handle the round trip) BOOLEAN → INTEGER (0/1; database/sql converts bool↔int) BYTEA → BLOB TEXT[] → TEXT (JSON-encoded; see the stringArray helper) JSONB → TEXT TIMESTAMPTZ → DATETIME (modernc.org/sqlite stores time.Time as RFC3339)
Nullable UUID/time columns are scanned via sql.NullString / sql.NullTime because google/uuid does not implement Scan for the **uuid.UUID indirection that database/sql would need to write a NULL into a *uuid.UUID field.
Index ¶
- type DB
- func (s *DB) AddAWSRevokedUser(ctx context.Context, roleID uuid.UUID, subUUID string) error
- func (s *DB) AddGroupMember(ctx context.Context, groupID, userID uuid.UUID) error
- func (s *DB) Close() error
- func (s *DB) CountUsers(ctx context.Context) (int, error)
- func (s *DB) CreateAWSAccount(ctx context.Context, a *model.AWSAccount) error
- func (s *DB) CreateAWSRole(ctx context.Context, r *model.AWSRole) error
- func (s *DB) CreateAWSRoleAssignment(ctx context.Context, a *model.AWSRoleAssignment) error
- func (s *DB) CreateClient(ctx context.Context, clientID, clientSecretHash, name string, ...) (*model.Client, error)
- func (s *DB) CreateDeviceGrant(ctx context.Context, g *model.DeviceGrant) error
- func (s *DB) CreateGrant(ctx context.Context, g *model.Grant) error
- func (s *DB) CreateGroup(ctx context.Context, displayName string) (*model.SCIMGroup, error)
- func (s *DB) CreateIntegration(ctx context.Context, i *model.AppIntegration) error
- func (s *DB) CreateSession(ctx context.Context, sess *model.Session) error
- func (s *DB) CreateSigningKey(ctx context.Context, k *model.SigningKey) error
- func (s *DB) CreateTOTPCredential(ctx context.Context, c *model.TOTPCredential) error
- func (s *DB) CreateUser(ctx context.Context, email, passwordHash, name string) (*model.User, error)
- func (s *DB) CreateWebAuthnCredential(ctx context.Context, c *model.WebAuthnCredential) error
- func (s *DB) CreateWebAuthnSession(ctx context.Context, userID uuid.UUID, data []byte, purpose string) (uuid.UUID, error)
- func (s *DB) DeactivateSigningKey(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteAWSAccount(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteAWSRevokedUser(ctx context.Context, roleID uuid.UUID, subUUID string) error
- func (s *DB) DeleteAWSRole(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteAWSRoleAssignment(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteClient(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteExpiredDeviceGrants(ctx context.Context) (int, error)
- func (s *DB) DeleteExpiredGrants(ctx context.Context) error
- func (s *DB) DeleteExpiredSessions(ctx context.Context) error
- func (s *DB) DeleteExternalID(ctx context.Context, provider string, userID uuid.UUID) error
- func (s *DB) DeleteGroup(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteIntegration(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteSession(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteSessionsByUserID(ctx context.Context, userID uuid.UUID) error
- func (s *DB) DeleteTOTP(ctx context.Context, userID uuid.UUID) error
- func (s *DB) DeleteUser(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteWebAuthnCredential(ctx context.Context, id uuid.UUID, userID uuid.UUID) error
- func (s *DB) DeleteWebAuthnSession(ctx context.Context, id uuid.UUID) error
- func (s *DB) EnableTOTP(ctx context.Context, id uuid.UUID) error
- func (s *DB) ExtendSessionExpiry(ctx context.Context, id uuid.UUID, newExpiry time.Time) error
- func (s *DB) GetAWSAccount(ctx context.Context, id uuid.UUID) (*model.AWSAccount, error)
- func (s *DB) GetAWSRole(ctx context.Context, id uuid.UUID) (*model.AWSRole, error)
- func (s *DB) GetActiveSigningKey(ctx context.Context) (*model.SigningKey, error)
- func (s *DB) GetClientByClientID(ctx context.Context, clientID string) (*model.Client, error)
- func (s *DB) GetClientByID(ctx context.Context, id uuid.UUID) (*model.Client, error)
- func (s *DB) GetDeviceGrantByDeviceCodeHash(ctx context.Context, hash string) (*model.DeviceGrant, error)
- func (s *DB) GetDeviceGrantByUserCodeHash(ctx context.Context, hash string) (*model.DeviceGrant, error)
- func (s *DB) GetExternalID(ctx context.Context, provider string, userID uuid.UUID) (string, error)
- func (s *DB) GetGrantByCodeHash(ctx context.Context, codeHash string) (*model.Grant, error)
- func (s *DB) GetGroupByID(ctx context.Context, id uuid.UUID) (*model.SCIMGroup, error)
- func (s *DB) GetIntegration(ctx context.Context, id uuid.UUID) (*model.AppIntegration, error)
- func (s *DB) GetIntegrationByName(ctx context.Context, name string) (*model.AppIntegration, error)
- func (s *DB) GetSessionByAccessTokenHash(ctx context.Context, hash string) (*model.Session, error)
- func (s *DB) GetSessionByRefreshTokenHash(ctx context.Context, hash string) (*model.Session, error)
- func (s *DB) GetTOTPByUserID(ctx context.Context, userID uuid.UUID) (*model.TOTPCredential, error)
- func (s *DB) GetUserByEmail(ctx context.Context, email string) (*model.User, error)
- func (s *DB) GetUserByID(ctx context.Context, id uuid.UUID) (*model.User, error)
- func (s *DB) GetWebAuthnCredentialByCredentialID(ctx context.Context, credID []byte) (*model.WebAuthnCredential, error)
- func (s *DB) GetWebAuthnSession(ctx context.Context, id uuid.UUID, userID uuid.UUID, purpose string) ([]byte, error)
- func (s *DB) ListAWSAccounts(ctx context.Context) ([]*model.AWSAccount, error)
- func (s *DB) ListAWSRevokedUsers(ctx context.Context, roleID uuid.UUID) ([]*model.AWSRevokedUser, error)
- func (s *DB) ListAWSRevokedUsersOlderThan(ctx context.Context, cutoff time.Time) ([]*model.AWSRevokedUser, error)
- func (s *DB) ListAWSRoleAssignments(ctx context.Context) ([]*model.AWSRoleAssignment, error)
- func (s *DB) ListAWSRoles(ctx context.Context) ([]*model.AWSRole, error)
- func (s *DB) ListAWSRolesForUser(ctx context.Context, userID uuid.UUID) ([]*model.AWSRole, error)
- func (s *DB) ListActiveSigningKeys(ctx context.Context) ([]*model.SigningKey, error)
- func (s *DB) ListClientVisibility(ctx context.Context, clientID uuid.UUID) ([]uuid.UUID, error)
- func (s *DB) ListClients(ctx context.Context) ([]*model.Client, error)
- func (s *DB) ListEnabledIntegrations(ctx context.Context) ([]*model.AppIntegration, error)
- func (s *DB) ListGroups(ctx context.Context) ([]*model.SCIMGroup, error)
- func (s *DB) ListIntegrations(ctx context.Context) ([]*model.AppIntegration, error)
- func (s *DB) ListPortalClientsForUser(ctx context.Context, userID uuid.UUID) ([]*model.Client, error)
- func (s *DB) ListSessionClientIDsByUser(ctx context.Context, userID uuid.UUID) ([]uuid.UUID, error)
- func (s *DB) ListUsers(ctx context.Context) ([]*model.User, error)
- func (s *DB) ListWebAuthnCredentials(ctx context.Context, userID uuid.UUID) ([]*model.WebAuthnCredential, error)
- func (s *DB) MarkDeviceGrantApproved(ctx context.Context, id, userID uuid.UUID, mfaVerified bool, ...) error
- func (s *DB) MarkDeviceGrantDenied(ctx context.Context, id uuid.UUID, approverIP string) error
- func (s *DB) MarkDeviceGrantRedeemed(ctx context.Context, id uuid.UUID) error
- func (s *DB) MarkGrantUsed(ctx context.Context, id uuid.UUID) error
- func (s *DB) MarkSessionMFA(ctx context.Context, id uuid.UUID, when time.Time) error
- func (s *DB) RemoveGroupMember(ctx context.Context, groupID, userID uuid.UUID) error
- func (s *DB) ReplaceClientVisibility(ctx context.Context, clientID uuid.UUID, groupIDs []uuid.UUID) error
- func (s *DB) ReplaceGroupMembers(ctx context.Context, groupID uuid.UUID, memberIDs []uuid.UUID) error
- func (s *DB) RotateRefreshToken(ctx context.Context, id uuid.UUID, newRefreshHash string, ...) error
- func (s *DB) SetExternalID(ctx context.Context, provider string, userID uuid.UUID, externalID string) error
- func (s *DB) SetUserActive(ctx context.Context, id uuid.UUID, active bool) error
- func (s *DB) SetUserAdmin(ctx context.Context, id uuid.UUID, isAdmin bool) error
- func (s *DB) SetUserMustChangePassword(ctx context.Context, id uuid.UUID, flag bool) error
- func (s *DB) SetUserSCIMExternalID(ctx context.Context, id uuid.UUID, externalID string) error
- func (s *DB) UpdateAWSAccount(ctx context.Context, a *model.AWSAccount) error
- func (s *DB) UpdateAWSRole(ctx context.Context, r *model.AWSRole) error
- func (s *DB) UpdateClient(ctx context.Context, id uuid.UUID, name string, redirectURIs, scopes []string, ...) error
- func (s *DB) UpdateClientDeviceGrant(ctx context.Context, id uuid.UUID, allow bool) error
- func (s *DB) UpdateClientPortalConfig(ctx context.Context, id uuid.UUID, showInPortal bool, ...) error
- func (s *DB) UpdateClientSecret(ctx context.Context, id uuid.UUID, secretHash string) error
- func (s *DB) UpdateDeviceGrantPoll(ctx context.Context, id uuid.UUID, now time.Time, intervalSec int) error
- func (s *DB) UpdateGroup(ctx context.Context, id uuid.UUID, displayName string) error
- func (s *DB) UpdateIntegration(ctx context.Context, i *model.AppIntegration) error
- func (s *DB) UpdateSessionActivity(ctx context.Context, id uuid.UUID, lastActivity time.Time) error
- func (s *DB) UpdateUser(ctx context.Context, id uuid.UUID, name string, active bool) error
- func (s *DB) UpdateUserFailedAttempts(ctx context.Context, id uuid.UUID, count int, lockedUntil *time.Time) error
- func (s *DB) UpdateUserMFAEnabled(ctx context.Context, id uuid.UUID, enabled bool) error
- func (s *DB) UpdateUserPassword(ctx context.Context, id uuid.UUID, passwordHash string) error
- func (s *DB) UpdateWebAuthnSignCount(ctx context.Context, id uuid.UUID, signCount uint32, lastUsed time.Time) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DB ¶
type DB struct {
// contains filtered or unexported fields
}
DB wraps sql.DB and implements store.Store.
func Open ¶
Open opens (or creates) the SQLite database at path and runs migrations. SQLite is single-writer; one connection avoids locking contention.
func (*DB) AddAWSRevokedUser ¶ added in v0.2.0
func (*DB) AddGroupMember ¶
func (*DB) CreateAWSAccount ¶ added in v0.2.0
func (*DB) CreateAWSRole ¶ added in v0.2.0
func (*DB) CreateAWSRoleAssignment ¶ added in v0.2.0
func (*DB) CreateClient ¶
func (*DB) CreateDeviceGrant ¶ added in v0.3.0
func (*DB) CreateGroup ¶
func (*DB) CreateIntegration ¶
func (*DB) CreateSession ¶
func (*DB) CreateSigningKey ¶
func (*DB) CreateTOTPCredential ¶
func (*DB) CreateUser ¶
func (*DB) CreateWebAuthnCredential ¶
func (*DB) CreateWebAuthnSession ¶
func (*DB) DeactivateSigningKey ¶
func (*DB) DeleteAWSAccount ¶ added in v0.2.0
func (*DB) DeleteAWSRevokedUser ¶ added in v0.2.0
func (*DB) DeleteAWSRole ¶ added in v0.2.0
func (*DB) DeleteAWSRoleAssignment ¶ added in v0.2.0
func (*DB) DeleteExpiredDeviceGrants ¶ added in v0.3.0
func (*DB) DeleteExternalID ¶
func (*DB) DeleteIntegration ¶
func (*DB) DeleteSessionsByUserID ¶
func (*DB) DeleteWebAuthnCredential ¶
func (*DB) DeleteWebAuthnSession ¶
func (*DB) ExtendSessionExpiry ¶
func (*DB) GetAWSAccount ¶ added in v0.2.0
func (*DB) GetAWSRole ¶ added in v0.2.0
func (*DB) GetActiveSigningKey ¶
func (*DB) GetClientByClientID ¶
func (*DB) GetClientByID ¶
func (*DB) GetDeviceGrantByDeviceCodeHash ¶ added in v0.3.0
func (*DB) GetDeviceGrantByUserCodeHash ¶ added in v0.3.0
func (*DB) GetExternalID ¶
func (*DB) GetGrantByCodeHash ¶
func (*DB) GetGroupByID ¶
func (*DB) GetIntegration ¶
func (*DB) GetIntegrationByName ¶
func (*DB) GetSessionByAccessTokenHash ¶
func (*DB) GetSessionByRefreshTokenHash ¶
func (*DB) GetTOTPByUserID ¶
func (*DB) GetUserByEmail ¶
func (*DB) GetUserByID ¶
func (*DB) GetWebAuthnCredentialByCredentialID ¶
func (*DB) GetWebAuthnSession ¶
func (*DB) ListAWSAccounts ¶ added in v0.2.0
func (*DB) ListAWSRevokedUsers ¶ added in v0.2.0
func (*DB) ListAWSRevokedUsersOlderThan ¶ added in v0.2.0
func (*DB) ListAWSRoleAssignments ¶ added in v0.2.0
func (*DB) ListAWSRoles ¶ added in v0.2.0
func (*DB) ListAWSRolesForUser ¶ added in v0.2.0
func (*DB) ListActiveSigningKeys ¶
func (*DB) ListClientVisibility ¶ added in v0.2.0
func (*DB) ListEnabledIntegrations ¶
func (*DB) ListIntegrations ¶
func (*DB) ListPortalClientsForUser ¶ added in v0.2.0
func (s *DB) ListPortalClientsForUser(ctx context.Context, userID uuid.UUID) ([]*model.Client, error)
ListPortalClientsForUser: see postgres equivalent for design notes. SQLite needs `c.` prefixes hand-written rather than the prefixCols helper used in postgres, because the column list interpolation happens at compile time of the SQL string and SQLite's parser is stricter about it. Kept the column list inline for readability.
func (*DB) ListSessionClientIDsByUser ¶
func (*DB) ListWebAuthnCredentials ¶
func (*DB) MarkDeviceGrantApproved ¶ added in v0.3.0
func (*DB) MarkDeviceGrantDenied ¶ added in v0.3.0
func (*DB) MarkDeviceGrantRedeemed ¶ added in v0.3.0
func (*DB) MarkSessionMFA ¶ added in v0.3.0
MarkSessionMFA updates the MFA freshness columns on an existing session. Called after a step-up MFA challenge succeeds so the next step-up gate sees a fresh timestamp without minting a new session row.
func (*DB) RemoveGroupMember ¶
func (*DB) ReplaceClientVisibility ¶ added in v0.2.0
func (*DB) ReplaceGroupMembers ¶
func (*DB) RotateRefreshToken ¶
func (*DB) SetExternalID ¶
func (*DB) SetUserActive ¶
func (*DB) SetUserAdmin ¶
func (*DB) SetUserMustChangePassword ¶ added in v0.2.0
func (*DB) SetUserSCIMExternalID ¶
func (*DB) UpdateAWSAccount ¶ added in v0.2.0
func (*DB) UpdateAWSRole ¶ added in v0.2.0
func (*DB) UpdateClient ¶
func (*DB) UpdateClientDeviceGrant ¶ added in v0.3.0
UpdateClientDeviceGrant flips the per-client opt-in for the RFC 8628 device authorization flow. Separate from UpdateClient so the admin edit form can save this independently of the core fields.
func (*DB) UpdateClientPortalConfig ¶ added in v0.2.0
func (*DB) UpdateClientSecret ¶
func (*DB) UpdateDeviceGrantPoll ¶ added in v0.3.0
func (*DB) UpdateGroup ¶
func (*DB) UpdateIntegration ¶
func (*DB) UpdateSessionActivity ¶
func (*DB) UpdateUser ¶
func (*DB) UpdateUserFailedAttempts ¶
func (*DB) UpdateUserMFAEnabled ¶
func (*DB) UpdateUserPassword ¶
UpdateUserPassword writes a new password hash and resets the rotate-required flag in the same statement. See the postgres equivalent for design notes.