
Documentation

Overview

Package security — value resolution.

alaye.Value is the canonical type for lazy-resolving config strings. pkg/security provides Resolver to wire the keeper Store into alaye's resolution system via alaye.SetStoreLookup.

SecureString is kept here as a small wipe-on-use wrapper for any server-side code that wants an explicit zero-on-free primitive.

Index

Constants

This section is empty.

Variables

// ErrDecrypt is the sentinel error for a failed decryption; callers should
// compare with errors.Is rather than string matching.
// NOTE(review): presumably returned by Cipher.Decrypt — confirm against the source.
var ErrDecrypt = errors.New("decryption failed")

Functions

func NewPPK added in v0.1.0

func NewPPK(path string) error

Types

type Cipher

// Cipher handles authenticated encryption using XChaCha20-Poly1305 (see
// Encrypt and Decrypt). Construct it with NewCipher (string secret) or
// NewCipherFromKey (raw key bytes).
type Cipher struct {
	// contains filtered or unexported fields
}

Cipher handles authenticated encryption using XChaCha20-Poly1305.

func NewCipher

func NewCipher(secret string) (*Cipher, error)

NewCipher creates a cipher. It first attempts to decode secret as Base64; if decoding fails or the decoded value is not exactly 32 bytes long, it derives a 32-byte key by hashing the secret string instead.

func NewCipherFromKey added in v0.1.0

func NewCipherFromKey(key []byte) (*Cipher, error)

func (*Cipher) Decrypt

func (c *Cipher) Decrypt(ciphertext []byte) ([]byte, error)

func (*Cipher) Encrypt

func (c *Cipher) Encrypt(plaintext []byte) ([]byte, error)

type HOTPGenerator added in v0.1.0

// HOTPGenerator provides counter-based HOTP support. It is configured with a
// *TOTPConfig via NewHOTPGenerator and wraps a gotp.HOTP instance (see NewHOTP).
type HOTPGenerator struct {
	// contains filtered or unexported fields
}

HOTPGenerator provides counter-based HOTP support.

func NewHOTPGenerator added in v0.1.0

func NewHOTPGenerator(config *TOTPConfig) *HOTPGenerator

NewHOTPGenerator creates a new HOTP generator

func (*HOTPGenerator) GenerateCode added in v0.1.0

func (h *HOTPGenerator) GenerateCode(secret string, counter int64) (string, error)

GenerateCode generates an HOTP code at the given counter

func (*HOTPGenerator) GenerateSecret added in v0.1.0

func (h *HOTPGenerator) GenerateSecret() (string, error)

GenerateSecret creates a new random HOTP secret

func (*HOTPGenerator) GetProvisioningURI added in v0.1.0

func (h *HOTPGenerator) GetProvisioningURI(secret, username string, counter int64) string

GetProvisioningURI returns the otpauth:// URI for HOTP

func (*HOTPGenerator) NewHOTP added in v0.1.0

func (h *HOTPGenerator) NewHOTP(secret string) *gotp.HOTP

NewHOTP creates a gotp.HOTP instance

func (*HOTPGenerator) VerifyCode added in v0.1.0

func (h *HOTPGenerator) VerifyCode(secret, code string, counter int64) bool

VerifyCode verifies an HOTP code at the given counter

type PPK added in v0.1.0

// PPK holds the key material used to Mint service tokens and Verify them.
// It is created by GeneratePPK or loaded from PEM via LoadPPKFromPEM / PPKLoad.
// NOTE(review): presumably an asymmetric key pair (the PEM loaders suggest
// this) — confirm against the source.
type PPK struct {
	// contains filtered or unexported fields
}

func GeneratePPK added in v0.1.0

func GeneratePPK() (*PPK, []byte, error)

func LoadPPKFromPEM added in v0.1.0

func LoadPPKFromPEM(pemData []byte) (*PPK, error)

func PPKLoad added in v0.1.0

func PPKLoad(path string) (*PPK, error)

func (*PPK) Mint added in v0.1.0

func (m *PPK) Mint(service string, ttl time.Duration) (string, error)

func (*PPK) Verify added in v0.1.0

func (m *PPK) Verify(tokenString string) (VerifiedToken, error)

type Password added in v0.1.0

// Password handles password and hash generation. It carries no state (empty
// struct); NewPassword simply returns a handle for its methods.
type Password struct{}

Password handles password and hash generation

func NewPassword added in v0.1.0

func NewPassword() *Password

NewPassword creates a new password generator

func (*Password) Dummy added in v0.1.0

func (g *Password) Dummy() []byte

Dummy returns a dummy bcrypt hash for timing-attack resistance.

func (*Password) Generate added in v0.1.0

func (g *Password) Generate(length int) (string, error)

Generate creates a cryptographically secure random password of the specified length (defaults to 32 if length <= 0).

func (*Password) Hash added in v0.1.0

func (g *Password) Hash(password string) (string, error)

Hash generates a bcrypt hash from a plaintext password

func (*Password) HashWithCost added in v0.1.0

func (g *Password) HashWithCost(password string, cost int) (string, error)

HashWithCost generates a bcrypt hash with custom cost

func (*Password) JTI added in v0.1.0

func (g *Password) JTI() (string, error)

JTI returns a new JTI string, or an error if random generation fails.

func (*Password) Make added in v0.1.0

func (g *Password) Make(length int) (password, hash string, err error)

Make creates a random password and returns both the plaintext and its hash

func (*Password) Random added in v0.1.0

func (g *Password) Random(n int) ([]byte, error)

func (*Password) Verify added in v0.1.0

func (g *Password) Verify(password, hash string) bool

Verify compares a plaintext password against a bcrypt hash

type SecureString added in v0.1.0

// SecureString holds a sensitive string and provides an explicit Wipe method
// that zeros the backing memory. Use it for short-lived copies of secrets that
// should not linger in heap memory.
// NOTE(review): String returns an ordinary Go string; any copies taken from
// that value are outside Wipe's reach — confirm how String is implemented.
type SecureString struct {
	// contains filtered or unexported fields
}

SecureString holds a sensitive string and provides an explicit Wipe method that zeros the backing memory. Use it for short-lived copies of secrets that should not linger in heap memory.

func NewSecureString added in v0.1.0

func NewSecureString(s string) *SecureString

func (*SecureString) String added in v0.1.0

func (ss *SecureString) String() string

func (*SecureString) Wipe added in v0.1.0

func (ss *SecureString) Wipe()

type TOTPConfig added in v0.1.0

// TOTPConfig holds configuration for TOTP generation; DefaultTOTPConfig
// returns a populated instance. The same type also configures HOTPGenerator.
type TOTPConfig struct {
	Digits    int    // 6 or 8 digits (default 6)
	Period    int    // Time step in seconds (default 30)
	Algorithm string // SHA1, SHA256, SHA512 (default SHA1)
	Window    int    // Verification window size in time steps (default 1); VerifyCode checks adjacent steps per this value, so a larger Window widens the interval in which a code is accepted
	Issuer    string // Issuer name for URI
}

TOTPConfig holds configuration for TOTP generation

func DefaultTOTPConfig added in v0.1.0

func DefaultTOTPConfig() *TOTPConfig

DefaultTOTPConfig returns a TOTPConfig populated with sensible defaults.

type TOTPGenerator added in v0.1.0

// TOTPGenerator handles TOTP secret generation and code verification. It is
// configured with a *TOTPConfig via NewTOTPGenerator and wraps a gotp.TOTP
// instance (see NewTOTP).
type TOTPGenerator struct {
	// contains filtered or unexported fields
}

TOTPGenerator handles TOTP secret generation and code verification

func NewTOTPGenerator added in v0.1.0

func NewTOTPGenerator(config *TOTPConfig) *TOTPGenerator

NewTOTPGenerator creates a new TOTP generator with the given config

func (*TOTPGenerator) GenerateCode added in v0.1.0

func (t *TOTPGenerator) GenerateCode(secret string, timestamp int64) (string, error)

GenerateCode generates a TOTP code for the given secret at the specified time

func (*TOTPGenerator) GenerateSecret added in v0.1.0

func (t *TOTPGenerator) GenerateSecret() (string, error)

GenerateSecret creates a new random TOTP secret. It returns the secret base32-encoded (RFC 4648, no padding).

func (*TOTPGenerator) GetProvisioningURI added in v0.1.0

func (t *TOTPGenerator) GetProvisioningURI(secret, username string) string

GetProvisioningURI returns the otpauth:// URI for QR code generation. Format: otpauth://totp/{issuer}:{username}?secret={secret}&issuer={issuer}&digits={digits}&period={period}

func (*TOTPGenerator) NewTOTP added in v0.1.0

func (t *TOTPGenerator) NewTOTP(secret string) *gotp.TOTP

NewTOTP creates a gotp.TOTP instance with the configured parameters

func (*TOTPGenerator) Now added in v0.1.0

func (t *TOTPGenerator) Now(secret string) (string, error)

Now generates the current TOTP code

func (*TOTPGenerator) ValidateSecret added in v0.1.0

func (t *TOTPGenerator) ValidateSecret(secret string) bool

ValidateSecret checks if a secret is valid base32

func (*TOTPGenerator) VerifyCode added in v0.1.0

func (t *TOTPGenerator) VerifyCode(secret, code string) (ok bool)

VerifyCode verifies a TOTP code against a secret. It checks the current time step and the adjacent steps on either side, as configured by config.Window.

func (*TOTPGenerator) VerifyCodeAtTime added in v0.1.0

func (t *TOTPGenerator) VerifyCodeAtTime(secret, code string, timestamp int64) bool

VerifyCodeAtTime verifies a TOTP code at a specific timestamp

type TokenClaims

// TokenClaims is a JWT claim set: Service is serialized as the "svc" claim,
// alongside the standard jwt.RegisteredClaims.
// NOTE(review): presumably the claim set produced by PPK.Mint and checked by
// PPK.Verify — confirm against the source.
type TokenClaims struct {
	Service string `json:"svc"` // service name, emitted under the "svc" claim
	jwt.RegisteredClaims
}

type VerifiedToken added in v0.1.0

// VerifiedToken is the result returned by PPK.Verify for a token that passed
// verification.
type VerifiedToken struct {
	Service string    // service name; presumably taken from the "svc" claim (see TokenClaims) — confirm
	JTI     string    // token identifier
	Expiry  time.Time // token expiry
}
