hooks

package
Published: Jun 8, 2026 License: AGPL-3.0 Imports: 20 Imported by: 0


Constants

// GrantTypeClientCredentials is the OAuth 2.0 "client_credentials" grant type
// identifier (RFC 6749 §4.4), in which the client authenticates as itself.
const GrantTypeClientCredentials string = "client_credentials"

// GrantTypeJWTBearer is the JWT bearer assertion grant type URN defined by
// RFC 7523. NOTE(review): where these constants are compared against the hook
// request's grant type is not visible in this listing — presumably in
// ProcessRequest or NewUserFromHookRequest; confirm before relying on the
// distinction between the two flows.
const GrantTypeJWTBearer string = "urn:ietf:params:oauth:grant-type:jwt-bearer"

Variables

// ErrTooBusy is the sentinel error ProcessRequest returns when the worker
// pool's queue cannot accept another job. Match it with errors.Is. It means
// the request was never evaluated (overload), not that it was denied; every
// other error from ProcessRequest is documented as an authorization failure.
var ErrTooBusy error = errors.New("worker pool is full")

ErrTooBusy is returned by ProcessRequest when the worker pool queue is full.

Functions

This section is empty.

Types

type API

type API struct {
	// contains filtered or unexported fields
}

func NewAPI

func NewAPI(
	service ServiceInterface,
	middleware *AuthMiddleware,
	tracer tracing.TracingInterface,
	monitor monitoring.MonitorInterface,
	logger logging.LoggerInterface,
) *API

NewAPI creates the HTTP handler for the Hydra token hook endpoint. The supplied AuthMiddleware carries the static token given to NewAuthMiddleware and is presumably what RegisterEndpoints wraps the endpoint with; since it is the only control between the network and the token-enrichment logic, that token must be treated as a secret and the endpoint must not be exposed without it.

func (*API) RegisterEndpoints

func (a *API) RegisterEndpoints(mux *chi.Mux)

RegisterEndpoints registers the Hydra token hook endpoint on the given router.

type AuthMiddleware

type AuthMiddleware struct {
	// contains filtered or unexported fields
}

func NewAuthMiddleware

func NewAuthMiddleware(token string, tracer tracing.TracingInterface, logger logging.LoggerInterface) *AuthMiddleware

func (*AuthMiddleware) AuthMiddleware

func (m *AuthMiddleware) AuthMiddleware(next http.Handler) http.Handler

type AuthorizerInterface added in v1.0.2

// AuthorizerInterface is the policy back end presumably consulted by
// Service.AuthorizeRequest. The meaning of the positional string and []string
// arguments is not visible in this listing — likely a subject, a resource or
// relation, and a set of candidate values such as group names; confirm against
// the concrete implementation. Both methods report (allowed, err); to preserve
// the deny-by-default documented on AuthorizeRequest, callers should treat a
// non-nil err exactly like allowed == false.
type AuthorizerInterface interface {
	// CanAccess evaluates a single access decision.
	CanAccess(context.Context, string, string, []string) (bool, error)
	// BatchCanAccess evaluates several candidates in one round trip and
	// returns one combined verdict. Whether that verdict is any-of or all-of
	// is not visible here — verify before using it for a deny decision.
	BatchCanAccess(context.Context, string, []string, []string) (bool, error)
}

type ClientInterface

// ClientInterface abstracts the source of a user's group memberships.
// StorageHookGroupsClient.FetchUserGroups and Service.FetchUserGroups both
// carry this exact signature; the former is presumably the local-storage
// implementation.
type ClientInterface interface {
	// FetchUserGroups returns the groups the given user belongs to.
	// ProcessRequest reports any error from this call as an authorization
	// failure, so implementations must not mask lookup errors as an empty
	// group list (that would silently widen or narrow access).
	FetchUserGroups(context.Context, User) ([]*types.Group, error)
}

type DatabaseInterface added in v1.0.2

// DatabaseInterface is the persistence seam presumably used by
// StorageHookGroupsClient to read group memberships from local storage.
type DatabaseInterface interface {
	// GetGroupsForUser returns the groups recorded for the given user
	// identifier. Which identifier is passed (SubjectId, Email, …) is not
	// visible here — presumably User.GetUserId(); confirm in
	// StorageHookGroupsClient.FetchUserGroups, since looking groups up by an
	// attacker-influenced field would be an authorization bypass.
	GetGroupsForUser(context.Context, string) ([]*types.Group, error)
}

type HookContext added in v1.3.0

// HookContext is the enriched result ProcessRequest returns on success: the
// caller's group memberships and, when the request was tenant-scoped, the
// tenant it was validated against. It is only produced after ProcessRequest
// has completed without error, so a non-nil HookContext implies the request
// was authorized.
type HookContext struct {
	// Groups is the list of groups the user belongs to, as returned by
	// FetchUserGroups. It may be empty.
	Groups []*types.Group
	// TenantID is the tenant the request is scoped to, or empty if none.
	// NOTE(review): ProcessRequest documents that ValidateMembership is
	// dispatched when a tenant is present — presumably a non-empty value here
	// means membership was validated; confirm in ProcessRequest before
	// relying on it downstream.
	TenantID string
}

HookContext contains the enriched result of processing an OAuth token hook request. It is returned by ProcessRequest on success.

type Service

type Service struct {
	// contains filtered or unexported fields
}

func (*Service) AuthorizeRequest added in v1.0.2

func (s *Service) AuthorizeRequest(
	ctx context.Context,
	user User,
	req oauth2.TokenHookRequest,
	groups []*types.Group,
) (bool, error)

AuthorizeRequest implements deny-by-default: the request is authorized only when the configured authorizer explicitly allows it, and any error is treated as a denial. TODO: make the default policy configurable — if that is done, the permissive mode must remain opt-in so that a missing or mistyped setting still fails closed.

func (*Service) FetchUserGroups

func (s *Service) FetchUserGroups(ctx context.Context, user User) ([]*types.Group, error)

func (*Service) ProcessRequest added in v1.3.0

func (s *Service) ProcessRequest(ctx context.Context, user User, req oauth2.TokenHookRequest) (*HookContext, error)

ProcessRequest orchestrates an OAuth token hook request. FetchUserGroups and, when a tenant is present, ValidateMembership are dispatched to the worker pool concurrently. AuthorizeRequest is gated only on FetchUserGroups, so tenant validation runs in parallel with authorization rather than before it. Two error classes must be distinguished by the caller: ErrTooBusy means the pool queue was full and the request was not evaluated at all (presumably to be surfaced as overload rather than as a decision — confirm in API), whereas every other error is an authorization failure and must be treated as a denial (fail closed), including transport or lookup errors from the group fetch or tenant validation.

type ServiceInterface

// ServiceInterface is the narrow contract the HTTP layer depends on (NewAPI
// takes it), which lets the handler be tested against a fake service.
// Service satisfies it through Service.ProcessRequest.
type ServiceInterface interface {
	// ProcessRequest evaluates one token hook request. See
	// Service.ProcessRequest for the error contract: ErrTooBusy signals
	// overload, any other error is an authorization failure.
	ProcessRequest(context.Context, User, oauth2.TokenHookRequest) (*HookContext, error)
}

type StorageHookGroupsClient added in v1.0.2

type StorageHookGroupsClient struct {
	// contains filtered or unexported fields
}

func NewLocalStorageClient added in v1.0.2

NewLocalStorageClient creates a new StorageHookGroupsClient.

func (*StorageHookGroupsClient) FetchUserGroups added in v1.0.2

func (c *StorageHookGroupsClient) FetchUserGroups(ctx context.Context, user User) ([]*types.Group, error)

FetchUserGroups retrieves user groups from the local storage database.

type TenantValidatorInterface added in v1.3.0

// TenantValidatorInterface validates that a user is an active member of a
// tenant. See internal/tenants for the real and noop implementations.
// NOTE(review): a noop validator presumably accepts every (identity, tenant)
// pair, so selecting it disables tenant isolation for every token issued
// through this hook — make sure that choice is explicit configuration, not a
// fallback when the real validator is unavailable.
type TenantValidatorInterface interface {
	// ValidateMembership returns nil when identityID is an active member of
	// tenantID and a non-nil error otherwise. ProcessRequest reports that
	// error as an authorization failure.
	ValidateMembership(ctx context.Context, identityID, tenantID string) error
}

TenantValidatorInterface validates that a user is an active member of a tenant: ValidateMembership returns nil for an active member and a non-nil error otherwise, which ProcessRequest reports as an authorization failure. See internal/tenants for the real and noop implementations; the noop variant presumably accepts every pair, so it must not be selected in a deployment that relies on tenant isolation.

type User

// User is the identity extracted from a Hydra token hook request (see
// NewUserFromHookRequest). Which request fields populate SubjectId, ClientId
// and Email is not visible in this listing — confirm in NewUserFromHookRequest
// before treating any of them as an authenticated claim, since they drive the
// group lookup and authorization decision.
type User struct {
	// SubjectId is presumably the OAuth subject the token is being issued for.
	// NOTE(review): Go style would spell these SubjectID/ClientID; left as-is
	// because the fields are part of the exported API.
	SubjectId string
	// ClientId is presumably the OAuth client requesting the token.
	ClientId string
	// Email is the user's e-mail address, if the request carried one.
	Email string
}

func NewUserFromHookRequest

func NewUserFromHookRequest(r *oauth2.TokenHookRequest, logger logging.LoggerInterface) *User

func (*User) GetUserId

func (u *User) GetUserId() string
