auth

package
Published: May 23, 2026 License: MIT Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BearerMiddleware added in v0.49.0

func BearerMiddleware(h *HydraClient) func(http.Handler) http.Handler

BearerMiddleware authenticates TUI / agent CLI requests via an OAuth Bearer token, using Hydra introspection. The web app does NOT use this — it goes through Middleware (cookie auth). The token must be Active and have a non-empty Subject (= user ID), which is then injected into the request context under the same key Middleware uses.

func ClearTokenCookie added in v0.64.20

func ClearTokenCookie(w http.ResponseWriter, r *http.Request)

ClearTokenCookie writes an expired Set-Cookie with the same Name/Path/Domain attributes SetTokenCookie used, so the browser actually drops it.

func ContextWithUserID added in v0.47.0

func ContextWithUserID(ctx context.Context, userID string) context.Context

ContextWithUserID returns a copy of ctx with userID injected under the same key that Middleware uses. Intended for use in tests that bypass the real auth middleware.

func SetTokenCookie

func SetTokenCookie(w http.ResponseWriter, r *http.Request, token string)

func UserIDFromContext

func UserIDFromContext(ctx context.Context) string

UserIDFromContext extracts the user ID set by Middleware (or by BearerMiddleware, which stores it under the same key).

Types

type AcceptConsentBody added in v0.33.0

// AcceptConsentBody is the JSON body that HydraClient.AcceptConsent sends to
// Hydra to accept a consent challenge.
type AcceptConsentBody struct {
	// GrantScope lists the scopes being granted. NOTE(review): whoever builds
	// this should grant no more than the challenge's ConsentRequest.RequestedScope
	// — confirm at the call site.
	GrantScope  []string       `json:"grant_scope"`
	// Session carries the per-token claim maps described by ConsentSession.
	Session     ConsentSession `json:"session"`
	// Remember and RememberFor are dropped from the JSON when zero.
	Remember    bool           `json:"remember,omitempty"`
	// RememberFor is presumably a lifetime in seconds — confirm against Hydra's API.
	RememberFor int            `json:"remember_for,omitempty"`
}

type AcceptDeviceBody added in v0.34.10

// AcceptDeviceBody is the JSON body that HydraClient.AcceptDeviceChallenge
// sends to Hydra.
type AcceptDeviceBody struct {
	// UserCode is the code the user typed in; presumably the device-flow user
	// code Hydra displayed to them — confirm against Hydra's API.
	UserCode string `json:"user_code"`
}

type AcceptLoginBody added in v0.33.0

// AcceptLoginBody is the JSON body that HydraClient.AcceptLogin sends to Hydra
// to accept a login challenge.
type AcceptLoginBody struct {
	// Subject identifies the authenticated user; presumably the same user ID
	// that later comes back as IntrospectionResult.Subject — confirm.
	Subject     string `json:"subject"`
	// Remember is always serialized (no omitempty), unlike AcceptConsentBody.Remember.
	Remember    bool   `json:"remember"`
	// RememberFor is presumably a lifetime in seconds — confirm against Hydra's API.
	RememberFor int    `json:"remember_for,omitempty"`
}

type Auth

// Auth implements the cookie/session-token side of authentication on top of a
// *db.DB (see New and DB): it issues, validates and invalidates stored tokens
// (IssueToken, ValidateToken, InvalidateToken) and verifies email/password
// credentials (Login, Register).
type Auth struct {
	// contains filtered or unexported fields
}

func New

func New(database *db.DB) *Auth

func (*Auth) DB

func (a *Auth) DB() *db.DB

DB returns the underlying database for use by other auth subsystems.

func (*Auth) GetUserByEmail added in v0.23.0

func (a *Auth) GetUserByEmail(email string) (*db.User, error)

GetUserByEmail returns user info by email.

func (*Auth) GetUserByID

func (a *Auth) GetUserByID(id string) (*db.User, error)

GetUserByID returns user info by ID.

func (*Auth) InvalidateToken added in v0.64.17

func (a *Auth) InvalidateToken(token string) error

InvalidateToken removes the token row so the same cookie value cannot re-authenticate even if the browser fails to clear the cookie.

func (*Auth) IssueToken

func (a *Auth) IssueToken(userID string) (string, error)

IssueToken generates a random token, stores it, and returns it.

func (*Auth) Login

func (a *Auth) Login(email, password string) (string, string, bool)

Login verifies credentials by email and returns a token.

func (*Auth) Middleware

func (a *Auth) Middleware(next http.Handler) http.Handler

Middleware authenticates web requests via session cookie. The TUI / agent CLI does NOT use this — it goes through BearerMiddleware on /api/agents/*.

func (*Auth) Register

func (a *Auth) Register(id, email, password string) error

Register creates a new user with a bcrypt-hashed password.

func (*Auth) ValidateRequest

func (a *Auth) ValidateRequest(r *http.Request) (string, bool)

ValidateRequest checks whether a request has a valid auth cookie and returns the user ID.

func (*Auth) ValidateToken

func (a *Auth) ValidateToken(token string) (string, bool)

ValidateToken checks the token against the database and returns the user ID.

type ConsentRequest added in v0.33.0

// ConsentRequest is the consent challenge as returned by
// HydraClient.GetConsentRequest.
type ConsentRequest struct {
	// Challenge is the opaque challenge identifier.
	Challenge      string   `json:"challenge"`
	// Subject is the user the consent is being asked for.
	Subject        string   `json:"subject"`
	// RequestedScope is what the client asked for; the scopes eventually
	// granted are sent back via AcceptConsentBody.GrantScope.
	RequestedScope []string `json:"requested_scope"`
	// Client identifies the OAuth2 client that started the flow.
	Client         struct {
		ClientID string `json:"client_id"`
	} `json:"client"`
}

type ConsentSession added in v0.33.0

// ConsentSession holds the claim maps embedded in AcceptConsentBody.Session.
// Both maps are omitted from the JSON when nil/empty.
// NOTE(review): values placed here presumably end up inside tokens handed to
// the client, so they should be limited to non-sensitive claims — confirm
// against Hydra's documentation.
type ConsentSession struct {
	// AccessToken: extra claims for the access token (presumed — confirm).
	AccessToken map[string]interface{} `json:"access_token,omitempty"`
	// IDToken: extra claims for the ID token (presumed — confirm).
	IDToken     map[string]interface{} `json:"id_token,omitempty"`
}

type GenericOIDCProvider

// GenericOIDCProvider is a Provider backed by an arbitrary OIDC issuer;
// construct it with NewGenericOIDCProvider, which takes the issuer URL,
// client credentials and redirect URL.
type GenericOIDCProvider struct {
	// contains filtered or unexported fields
}

func NewGenericOIDCProvider

func NewGenericOIDCProvider(ctx context.Context, issuerURL, clientID, clientSecret, redirectURL string) (*GenericOIDCProvider, error)

func (*GenericOIDCProvider) GetIdentity

func (g *GenericOIDCProvider) GetIdentity(ctx context.Context, token *oauth2.Token) (string, string, string, string, string, error)

func (*GenericOIDCProvider) Name

func (g *GenericOIDCProvider) Name() string

func (*GenericOIDCProvider) OAuth2Config

func (g *GenericOIDCProvider) OAuth2Config() *oauth2.Config

type GitHubProvider

// GitHubProvider is a Provider backed by GitHub OAuth2; construct it with
// NewGitHubProvider, which takes the client credentials and redirect URL.
type GitHubProvider struct {
	// contains filtered or unexported fields
}

func NewGitHubProvider

func NewGitHubProvider(clientID, clientSecret, redirectURL string) *GitHubProvider

func (*GitHubProvider) GetIdentity

func (g *GitHubProvider) GetIdentity(ctx context.Context, token *oauth2.Token) (string, string, string, string, string, error)

func (*GitHubProvider) Name

func (g *GitHubProvider) Name() string

func (*GitHubProvider) OAuth2Config

func (g *GitHubProvider) OAuth2Config() *oauth2.Config

type HydraClient added in v0.33.0

// HydraClient talks to the Ory Hydra Admin API (login/consent/device
// challenges and token introspection). Construct it with NewHydraClient.
type HydraClient struct {
	// AdminURL is the base of Hydra's admin API. NOTE(review): the admin API is
	// privileged; it is presumably reachable only from the internal network —
	// confirm in the deployment.
	AdminURL  string // e.g. "http://hydra:4445"
	// PublicURL is the externally visible base of Hydra's public endpoints.
	PublicURL string // e.g. "https://auth.example.com"
	// contains filtered or unexported fields
}

HydraClient talks to the Ory Hydra Admin API.

func NewHydraClient added in v0.33.0

func NewHydraClient(adminURL, publicURL string) *HydraClient

NewHydraClient creates a client for the given Hydra Admin URL and public URL.

func (*HydraClient) AcceptConsent added in v0.33.0

func (h *HydraClient) AcceptConsent(challenge string, body AcceptConsentBody) (string, error)

func (*HydraClient) AcceptDeviceChallenge added in v0.34.10

func (h *HydraClient) AcceptDeviceChallenge(challenge string, body AcceptDeviceBody) (string, error)

func (*HydraClient) AcceptLogin added in v0.33.0

func (h *HydraClient) AcceptLogin(challenge string, body AcceptLoginBody) (string, error)

func (*HydraClient) GetConsentRequest added in v0.33.0

func (h *HydraClient) GetConsentRequest(challenge string) (*ConsentRequest, error)

func (*HydraClient) GetLoginRequest added in v0.33.0

func (h *HydraClient) GetLoginRequest(challenge string) (*LoginRequest, error)

func (*HydraClient) IntrospectToken added in v0.33.0

func (h *HydraClient) IntrospectToken(token string) (*IntrospectionResult, error)

func (*HydraClient) RejectConsent added in v0.33.0

func (h *HydraClient) RejectConsent(challenge string, body RejectBody) (string, error)

func (*HydraClient) RejectLogin added in v0.33.0

func (h *HydraClient) RejectLogin(challenge string, body RejectBody) (string, error)

type IntrospectionResult added in v0.33.0

// IntrospectionResult is the decoded response of HydraClient.IntrospectToken.
// As documented, BearerMiddleware requires only Active and a non-empty
// Subject; scope checks are left to handlers via HasScope (confirm the
// middleware performs no further checks).
type IntrospectionResult struct {
	// Active reports whether Hydra considers the token valid right now.
	Active   bool                   `json:"active"`
	// Subject is the user ID the token was issued for.
	Subject  string                 `json:"sub"`
	// Scope is the space-separated scope string; query it with HasScope.
	Scope    string                 `json:"scope"`
	// ClientID is the OAuth2 client the token was issued to.
	ClientID string                 `json:"client_id"`
	// Extra holds the "ext" claims; its contents are not fixed here.
	Extra    map[string]interface{} `json:"ext"`
}

func (*IntrospectionResult) HasScope added in v0.33.0

func (r *IntrospectionResult) HasScope(scope string) bool

HasScope reports whether the introspection result includes the given scope.

type LoginRequest added in v0.33.0

// LoginRequest is the login challenge as returned by
// HydraClient.GetLoginRequest.
type LoginRequest struct {
	// Challenge is the opaque challenge identifier.
	Challenge      string   `json:"challenge"`
	// Subject is the user Hydra already associates with this request, if any.
	Subject        string   `json:"subject"`
	// Skip presumably means Hydra already knows the user and the login UI may
	// be skipped — confirm against Hydra's API before trusting it.
	Skip           bool     `json:"skip"`
	// RequestedScope is what the client asked for.
	RequestedScope []string `json:"requested_scope"`
	// Client identifies the OAuth2 client that started the flow.
	Client         struct {
		ClientID string `json:"client_id"`
	} `json:"client"`
}

type OIDCManager

// OIDCManager orchestrates multiple OIDC/OAuth2 providers: it serves the
// login redirect and the IdP callback (HandleLogin, HandleCallback) and
// resolves which providers apply to a request host. Construct it with
// NewOIDCManager.
type OIDCManager struct {
	OnUserCreated func(userID string) // called when a brand-new user is created via OIDC
	// contains filtered or unexported fields
}

OIDCManager orchestrates multiple OIDC/OAuth2 providers.

func NewOIDCManager

func NewOIDCManager(baseURL string, authSvc *Auth) *OIDCManager

NewOIDCManager creates a new manager. baseURL is the external redirect base (e.g. "https://app.example.com").

func (*OIDCManager) HandleCallback

func (m *OIDCManager) HandleCallback(w http.ResponseWriter, r *http.Request, providerName string)

HandleCallback processes the IdP callback, resolves/creates the user, and sets the auth cookie.

func (*OIDCManager) HandleLogin

func (m *OIDCManager) HandleLogin(w http.ResponseWriter, r *http.Request, providerName string)

HandleLogin redirects the user to the IdP authorization endpoint. If the request carries `?next=<safe-relative-path>`, the path is stashed in a short-lived cookie so HandleCallback can bounce there after login.

func (*OIDCManager) ProviderNamesForHost added in v0.24.0

func (m *OIDCManager) ProviderNamesForHost(host string) []string

ProviderNamesForHost returns provider names available for the given request host.

func (*OIDCManager) RegisterProvider

func (m *OIDCManager) RegisterProvider(p Provider)

RegisterProvider adds a provider available on all domains.

func (*OIDCManager) RegisterProviderWithDomains added in v0.24.0

func (m *OIDCManager) RegisterProviderWithDomains(p Provider, domains []string)

RegisterProviderWithDomains adds a provider restricted to specific base domains. If domains is empty, the provider is available on all domains.

type Provider

// Provider abstracts an OAuth2/OIDC identity provider. Implementations are
// registered with OIDCManager via RegisterProvider / RegisterProviderWithDomains.
type Provider interface {
	// Name returns the provider's identifier as used in login/callback URLs.
	Name() string
	// OAuth2Config returns the OAuth2 configuration used to drive the flow.
	OAuth2Config() *oauth2.Config
	// GetIdentity returns the identity from the provider.
	// Returns: subject, email, displayName, login (preferred username), avatarURL, error.
	// login and avatarURL may be empty if the provider doesn't support them.
	// NOTE(review): subject is the provider-stable identifier; HandleCallback
	// presumably keys users on it rather than on email — confirm.
	GetIdentity(ctx context.Context, token *oauth2.Token) (subject, email, displayName, login, avatarURL string, err error)
}

Provider abstracts an OAuth2/OIDC identity provider.

type RedirectResponse added in v0.33.0

// RedirectResponse is a Hydra response carrying only a redirect target;
// presumably the string returned by the Accept*/Reject* methods of
// HydraClient — confirm.
type RedirectResponse struct {
	RedirectTo string `json:"redirect_to"`
}

type RejectBody added in v0.33.0

// RejectBody is the JSON body that HydraClient.RejectLogin and
// HydraClient.RejectConsent send to Hydra.
type RejectBody struct {
	// Error is the OAuth2 error code reported back to the client.
	Error            string `json:"error"`
	// ErrorDescription is optional human-readable detail; omitted when empty.
	ErrorDescription string `json:"error_description,omitempty"`
}
