Documentation
¶
Overview ¶
Package auth manages token storage in the OS keyring and JWT utilities.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrMalformedToken = errors.New("malformed token")
ErrMalformedToken is returned when the JWT cannot be decoded.
var ErrNoToken = errors.New("no token stored for context (run `finna login`)")
ErrNoToken is returned when no token is stored for the requested context.
Functions ¶
func Delete ¶
Delete removes the token for the named context. It is not an error if no token was stored.
func DeleteAll ¶
DeleteAll removes tokens for every context in the provided list. It continues past individual errors, collecting them all.
func Get ¶
Get retrieves the JWT for the named context from the OS keychain. Returns ErrNoToken if nothing is stored.
func TokenProvider ¶
TokenProvider returns a TokenProvider function suitable for api.New that reads from the keyring. A missing token returns ("", nil) so unauthenticated callers get a clean 401 rather than a startup failure.
Types ¶
type Claims ¶
type Claims struct {
Sub string `json:"sub"`
Username string `json:"username"`
IsAdmin bool `json:"is_admin"`
Provider string `json:"provider"` // "local" | "github" | "oidc"
Issuer string `json:"iss"`
IssuedAt int64 `json:"iat"`
Exp int64 `json:"exp"`
// Raw holds the full decoded payload for forward-compat display.
Raw map[string]any
}
Claims is the decoded payload of a Finna JWT. We decode locally; no signature verification is needed since the server validates on every API call.
func DecodeJWT ¶
DecodeJWT decodes the payload section of a JWT without verifying the signature. This is intentionally read-only; the server is the authority.