stdauthnfx

package
v0.0.220 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 25, 2026 License: MIT Imports: 24 Imported by: 0

Documentation

Overview

Package stdauthnfx provides authentication and access control via JWTs and API keys.

Constants

const (
	// APIKeyPrefix is the prefix to recognize our API keys.
	APIKeyPrefix = "bwak_"
)

Variables

This section is empty.

Functions

func APIKeyFingerprint added in v0.0.192

func APIKeyFingerprint(ctx context.Context) ([]byte, bool)

APIKeyFingerprint returns the API key fingerprint from the context, if present.

func FromContext added in v0.0.191

func FromContext(ctx context.Context) *stdauthnfxv1.Access

FromContext retrieves the access information from the context.

func New

func New(deps struct {
	fx.In

	Config    Config
	Validator protovalidate.Validator
	Hasher    func() hash.Hash `name:"api_key"`
},
) (res struct {
	fx.Out

	AccessControl *AccessControl
}, err error,
)

New constructs a new AccessControl from the provided dependencies.

func Provide

func Provide() fx.Option

Provide returns an fx.Option that supplies AccessControl and its dependencies.

func WithAPIKeyFingerprint added in v0.0.192

func WithAPIKeyFingerprint(ctx context.Context, hash hash.Hash, data []byte) context.Context

WithAPIKeyFingerprint stores the hashed API key fingerprint in the context.

func WithAccess added in v0.0.191

WithAccess stores the given access in the context after validation.

func WithAnonymousAccess added in v0.0.191

func WithAnonymousAccess(ctx context.Context, val protovalidate.Validator) context.Context

WithAnonymousAccess stores anonymous access in the context.

func WithWebUserAccess added in v0.0.191

func WithWebUserAccess(
	ctx context.Context, val protovalidate.Validator, info *stdauthnfxv1.AccessIdentity,
) context.Context

WithWebUserAccess stores web-user access with the given identity in the context.

Types

type AccessControl added in v0.0.191

type AccessControl struct {
	// contains filtered or unexported fields
}

AccessControl manages API key signing/validation and access token verification.

func (*AccessControl) Authenticate added in v0.0.191

func (ac *AccessControl) Authenticate(ctx context.Context, rpcMethod, authzHeader string) (context.Context, error)

Authenticate authenticates an HTTP authorization header value. If an empty string is passed, the header is treated as not set and the "anonymous" access behavior is triggered.

func (*AccessControl) BuildAndSignAPIKey added in v0.0.191

func (ac *AccessControl) BuildAndSignAPIKey(acc *stdauthnfxv1.Access) (string, error)

BuildAndSignAPIKey takes an access and signs it as one of our API keys.

func (*AccessControl) CRPCInterceptor added in v0.0.191

func (ac *AccessControl) CRPCInterceptor() connect.Interceptor

CRPCInterceptor returns a Connect interceptor that authenticates requests.

func (*AccessControl) GRPCInterceptor added in v0.0.191

func (ac *AccessControl) GRPCInterceptor() grpc.UnaryServerInterceptor

GRPCInterceptor returns a gRPC unary server interceptor that authenticates requests.

type Config

type Config struct {
	// The base64-encoded key information for signing.
	SigningKeySetBase64 string `env:"SIGNING_KEY_SET_BASE64,required"`
	// SigningKeyID is the id we use for signing
	SigningKeyID string `env:"SIGNING_KEY_ID,required"`
	// Access Token validation JWKS endpoint
	TokenValidationJWKSEndpoint string `env:"TOKEN_VALIDATION_JWKS_ENDPOINT,required"`
	// Access Token issuer to be checked.
	TokenIssuer string `env:"TOKEN_ISSUER,required"`
	// Access Token audience to be checked.
	TokenAudience string `env:"TOKEN_AUDIENCE,required"`
	// Configure a fixed wall-clock time as far as token validation is concerned. Only useful in testing.
	FixedWallClockTimestamp int64 `env:"FIXED_WALL_CLOCK_TIMESTAMP"`
	// AnonymousAccessWhitelist can be set to allow some rpcs to be accessed anonymously.
	AnonymousAccessWhitelist []string `env:"ANONYMOUS_ACCESS_WHITELIST"`
}

Config holds configuration for authentication and access control.
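
The empty-header rule documented for Authenticate and the AnonymousAccessWhitelist setting can be combined into a fail-closed check, shown here as an added sketch that is not the package's own code. Only `APIKeyPrefix` comes from this page; `Classify`, `Fingerprint`, `ErrDenied`, `demoHash`, the `Bearer ` header scheme, the choice of SHA-256 and the sample RPC names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// APIKeyPrefix is from this page; every other name here is hypothetical.
const APIKeyPrefix = "bwak_"

var ErrDenied = errors.New("unauthenticated")
var demoHash = sha256.New // assumption: the page leaves the hash to the injected Hasher

// Classify returns the credential path: "anonymous", "api_key" or "jwt".
// Assumption: credentials arrive as "Bearer <value>".
func Classify(rpcMethod, authzHeader string, anonAllowed map[string]bool) (kind, cred string, err error) {
	if authzHeader == "" { // header not set: anonymous only for whitelisted RPCs
		if anonAllowed[rpcMethod] {
			return "anonymous", "", nil
		}
		return "", "", fmt.Errorf("%w: %s requires credentials", ErrDenied, rpcMethod)
	}
	cred = strings.TrimPrefix(authzHeader, "Bearer ")
	if cred == authzHeader || cred == "" { // malformed header never falls back to anonymous
		return "", "", fmt.Errorf("%w: malformed authorization header", ErrDenied)
	}
	if strings.HasPrefix(cred, APIKeyPrefix) {
		return "api_key", cred, nil
	}
	return "jwt", cred, nil // anything else is handed to JWT verification
}

// Fingerprint hashes a credential so logs and contexts never hold the raw key.
func Fingerprint(newHash func() hash.Hash, cred string) []byte {
	h := newHash()
	h.Write([]byte(cred))
	return h.Sum(nil)
}

func main() {
	allow := map[string]bool{"/health.v1.Health/Check": true} // constructed whitelist
	for _, hdr := range []string{"", "Bearer bwak_constructed", "Bearer aaa.bbb.ccc"} {
		kind, cred, err := Classify("/orders.v1.Orders/List", hdr, allow)
		fmt.Printf("%q -> kind=%q err=%v fp=%x\n", hdr, kind, err, Fingerprint(demoHash, cred)[:4])
	}
}
```

The check to carry over into a review of any real deployment is that a present but unparseable header is rejected outright instead of being downgraded to anonymous access.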

Directories

Path Synopsis
Package insecureaccesstools provides insecure access token tools for testing.
