Documentation
Constants
This section is empty.
Variables
var ErrNoCredentials = errors.New("auth: no credentials provided")
ErrNoCredentials is returned when the request carries no recognisable credentials (e.g. missing Authorization header). Use errors.Is to test for this sentinel.
Functions
This section is empty.
Types
type Authenticator
Authenticator verifies inbound HTTP requests and returns a verified Principal. Implementations may read a bearer token, a JWT, or any other credential scheme. Returning ErrNoCredentials signals "no credentials presented" (distinct from "credentials presented but invalid") — both map to 401 in the middleware, but the distinction is logged for observability.
type StaticTokenAuthenticator
type StaticTokenAuthenticator struct {
// contains filtered or unexported fields
}
StaticTokenAuthenticator authenticates requests by looking up a bearer token in a pre-configured token-to-principal map. This is the community-edition authentication implementation. Enterprise deployments will supply Entra or Ping implementations that satisfy the same Authenticator interface.
func LoadStaticTokensFromEnv
func LoadStaticTokensFromEnv() (*StaticTokenAuthenticator, error)
LoadStaticTokensFromEnv reads the MIDAS_AUTH_TOKENS environment variable and returns a configured StaticTokenAuthenticator. Returns nil when the variable is unset or empty — callers should skip auth wiring in that case.
Format: semicolon-separated entries, each with the form:
token|principal-id|role1,role2
The pipe character (|) separates the three fields so that principal IDs may contain colons (e.g. "user:alice", "svc:payments-engine").
Example:
MIDAS_AUTH_TOKENS="secret-1|user:alice|admin,approver;secret-2|svc:deploy|operator"
func NewStaticTokenAuthenticator
func NewStaticTokenAuthenticator(tokens map[string]*identity.Principal) *StaticTokenAuthenticator
NewStaticTokenAuthenticator constructs an authenticator from the provided token map. tokens must not be nil; use an empty map to accept no requests.
func (*StaticTokenAuthenticator) Authenticate
Authenticate extracts the bearer token from the Authorization header and returns the associated Principal. Returns ErrNoCredentials when no header is present; returns a descriptive error when the token is present but unknown.