- Constants
- Variables
- func NewAuthManager(authenticators []security.Authenticator) security.AuthManager
- func NewAuthResource(params AuthResourceParams) api.Resource
- func NewJWTAuthenticator(jwt *security.JWT) security.Authenticator
- func NewJWTRefreshAuthenticator(jwt *security.JWT, userLoader security.UserLoader) security.Authenticator
- func NewJWTTokenGenerator(jwt *security.JWT, securityConfig *config.SecurityConfig) security.TokenGenerator
- func NewPasswordAuthenticator(loader security.UserLoader, encoder password.Encoder) security.Authenticator
- func NewRBACDataPermissionResolver(loader security.RolePermissionsLoader) security.DataPermissionResolver
- func NewRBACPermissionChecker(loader security.RolePermissionsLoader) security.PermissionChecker
- func NewSignatureAuthenticator(loader security.ExternalAppLoader, nonceStore security.NonceStore) security.Authenticator
- type AuthResource
- func (a *AuthResource) GetUserInfo(ctx fiber.Ctx, principal *security.Principal, params api.Params) error
- func (a *AuthResource) Login(ctx fiber.Ctx, params LoginParams) error
- func (*AuthResource) Logout(ctx fiber.Ctx) error
- func (a *AuthResource) Refresh(ctx fiber.Ctx, params RefreshParams) error
- func (a *AuthResource) ResolveChallenge(ctx fiber.Ctx, params ResolveChallengeParams) error
- type AuthResourceParams
- type AuthenticatorAuthManager
- type JWTRefreshAuthenticator
- type JWTTokenAuthenticator
- type JWTTokenGenerator
- type LoginParams
- type PasswordAuthenticator
- type RBACDataPermissionResolver
- type RBACPermissionChecker
- type RefreshParams
- type ResolveChallengeParams
- type SignatureAuthenticator
Constants ¶
const (
	// AccessTokenExpires is 30 minutes. By its name it is the access-token
	// lifetime (how JWTTokenGenerator applies it is not shown on this page);
	// Module also derives the default SecurityConfig.RefreshNotBefore from it
	// (AccessTokenExpires / 2).
	AccessTokenExpires = time.Minute * 30
)
const (
	// AuthTypePassword is the authentication type for username/password login;
	// presumably the LoginParams.Type value that PasswordAuthenticator.Supports accepts.
	AuthTypePassword = "password"
)
const (
	// AuthTypeRefresh is the authentication type for exchanging a refresh token;
	// presumably the value JWTRefreshAuthenticator.Supports accepts.
	AuthTypeRefresh = "refresh"
)
// AuthTypeSignature is the authentication type for signature-based authentication
// (external apps, see SignatureAuthenticator).
const AuthTypeSignature = "signature"
AuthTypeSignature is the authentication type for signature-based authentication.
const (
	// AuthTypeToken is the authentication type for presenting an issued access
	// token; presumably the value JWTTokenAuthenticator.Supports accepts.
	AuthTypeToken = "token"
)
Variables ¶
// Module wires the security layer into the fx container: SecurityConfig
// defaults, a cached RolePermissionsLoader, the JWT issuer, every
// Authenticator (collected into the vef:security:authenticators group), the
// AuthManager, the RBAC checker/resolver and the AuthResource API resource.
var Module = fx.Module(
	"vef:security",
	// Fill in defaults for any SecurityConfig knob left at zero or negative.
	fx.Decorate(func(cfg *config.SecurityConfig) *config.SecurityConfig {
		if cfg.RefreshNotBefore <= 0 {
			// Half the access-token lifetime (15 min with AccessTokenExpires = 30 min).
			cfg.RefreshNotBefore = AccessTokenExpires / 2
		}
		if cfg.LoginRateLimit <= 0 {
			// Unit and window of the rate limits are not visible here — see config.SecurityConfig.
			cfg.LoginRateLimit = 6
		}
		if cfg.RefreshRateLimit <= 0 {
			cfg.RefreshRateLimit = 1
		}
		return cfg
	}),
	// Wrap the application's RolePermissionsLoader (an optional dependency) in
	// security.NewCachedRolePermissionsLoader; the bus presumably drives cache
	// invalidation — confirm in that package. A missing loader stays nil, so the
	// RBAC consumers below may receive a nil loader.
	fx.Decorate(
		fx.Annotate(
			func(loader security.RolePermissionsLoader, bus event.Bus) security.RolePermissionsLoader {
				if loader == nil {
					return nil
				}
				return security.NewCachedRolePermissionsLoader(loader, bus)
			},
			fx.ParamTags(`optional:"true"`),
		),
	),
	fx.Provide(
		password.NewBcryptEncoder,
		// JWT issuer/verifier; the audience is the snake_cased application name.
		// Signing key material comes from whatever security.NewJWT sources — not
		// visible here. NOTE: the parameter named config shadows the config
		// package inside this closure body.
		func(config *config.AppConfig) (*security.JWT, error) {
			return security.NewJWT(&security.JWTConfig{
				Audience: lo.SnakeCase(config.Name),
			})
		},
		// Access-token authenticator.
		fx.Annotate(
			NewJWTAuthenticator,
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),
		// Refresh-token authenticator; the UserLoader (second parameter) is optional.
		fx.Annotate(
			NewJWTRefreshAuthenticator,
			fx.ParamTags(``, `optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),
		NewJWTTokenGenerator,
		security.NewJWTChallengeTokenStore,
		// Both dependencies are optional. NOTE(review): confirm the authenticator
		// fails closed when ExternalAppLoader or NonceStore is nil — the nonce
		// store is what bounds replay of a captured signature.
		fx.Annotate(
			NewSignatureAuthenticator,
			fx.ParamTags(`optional:"true"`, `optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),
		// Both dependencies are optional. NOTE(review): confirm Authenticate
		// rejects logins when the UserLoader or password.Encoder is nil.
		fx.Annotate(
			NewPasswordAuthenticator,
			fx.ParamTags(`optional:"true"`, `optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),
		// The AuthManager receives every authenticator registered in the group above.
		fx.Annotate(
			NewAuthManager,
			fx.ParamTags(`group:"vef:security:authenticators"`),
		),
		// RBAC components take the (possibly nil) decorated RolePermissionsLoader.
		fx.Annotate(
			NewRBACPermissionChecker,
			fx.ParamTags(`optional:"true"`),
		),
		fx.Annotate(
			NewRBACDataPermissionResolver,
			fx.ParamTags(`optional:"true"`),
		),
		// Registered as an API resource; its own dependencies arrive via AuthResourceParams.
		fx.Annotate(
			NewAuthResource,
			fx.ResultTags(`group:"vef:api:resources"`),
		),
	),
)
Functions ¶
func NewAuthManager ¶
func NewAuthManager(authenticators []security.Authenticator) security.AuthManager
func NewAuthResource ¶
func NewAuthResource(params AuthResourceParams) api.Resource
NewAuthResource creates a new authentication resource from the dependencies supplied in params (auth manager, token generator, challenge token store and the other AuthResourceParams fields).
func NewJWTAuthenticator ¶
func NewJWTAuthenticator(jwt *security.JWT) security.Authenticator
func NewJWTRefreshAuthenticator ¶
func NewJWTRefreshAuthenticator(jwt *security.JWT, userLoader security.UserLoader) security.Authenticator
func NewJWTTokenGenerator ¶
func NewJWTTokenGenerator(jwt *security.JWT, securityConfig *config.SecurityConfig) security.TokenGenerator
func NewPasswordAuthenticator ¶
func NewPasswordAuthenticator( loader security.UserLoader, encoder password.Encoder, ) security.Authenticator
func NewRBACDataPermissionResolver ¶
func NewRBACDataPermissionResolver(loader security.RolePermissionsLoader) security.DataPermissionResolver
NewRBACDataPermissionResolver creates a new RBAC data permission resolver.
func NewRBACPermissionChecker ¶
func NewRBACPermissionChecker(loader security.RolePermissionsLoader) security.PermissionChecker
func NewSignatureAuthenticator ¶
func NewSignatureAuthenticator( loader security.ExternalAppLoader, nonceStore security.NonceStore, ) security.Authenticator
NewSignatureAuthenticator creates a new signature authenticator.
Types ¶
type AuthResource ¶
AuthResource handles authentication-related API endpoints.
func (*AuthResource) GetUserInfo ¶
func (a *AuthResource) GetUserInfo(ctx fiber.Ctx, principal *security.Principal, params api.Params) error
GetUserInfo retrieves user information via UserInfoLoader. It requires a UserInfoLoader implementation to be provided; the dependency is marked optional in AuthResourceParams.
func (*AuthResource) Login ¶
func (a *AuthResource) Login(ctx fiber.Ctx, params LoginParams) error
Login authenticates a user and returns a LoginResult. When challenge providers are configured and applicable, the result contains a challenge token and pending challenges instead of auth tokens.
func (*AuthResource) Logout ¶
func (*AuthResource) Logout(ctx fiber.Ctx) error
Logout returns success immediately and performs no server-side invalidation. Token invalidation should be handled on the client side by removing stored tokens; an already-issued token therefore remains accepted until it expires.
func (*AuthResource) Refresh ¶
func (a *AuthResource) Refresh(ctx fiber.Ctx, params RefreshParams) error
Refresh refreshes the access token using a valid refresh token. User data reload logic is handled by JWTRefreshAuthenticator.
func (*AuthResource) ResolveChallenge ¶
func (a *AuthResource) ResolveChallenge(ctx fiber.Ctx, params ResolveChallengeParams) error
ResolveChallenge validates a user's response to a login challenge. On success, either issues real auth tokens (all challenges resolved) or evaluates the next challenge sequentially.
type AuthResourceParams ¶
// AuthResourceParams holds the dependencies for AuthResource construction.
// The embedded fx.In marks it as an fx parameter object: each field is
// resolved from the container by type (and tag) rather than passed positionally.
type AuthResourceParams struct {
	fx.In

	AuthManager         security.AuthManager
	TokenGenerator      security.TokenGenerator
	ChallengeTokenStore security.ChallengeTokenStore
	// Optional dependency; GetUserInfo documents that it needs an implementation.
	UserInfoLoader security.UserInfoLoader `optional:"true"`
	// Every provider registered in the challenge_providers group. Per Login's
	// doc, when providers are configured and applicable the login response
	// carries a challenge token instead of auth tokens.
	ChallengeProviders []security.ChallengeProvider `group:"vef:security:challenge_providers"`
	Publisher          event.Publisher
	SecurityConfig     *config.SecurityConfig
}
AuthResourceParams holds the dependencies for AuthResource construction.
type AuthenticatorAuthManager ¶
// AuthenticatorAuthManager is presumably the security.AuthManager returned by
// NewAuthManager: it is built from a slice of security.Authenticator (the
// vef:security:authenticators group in Module) and exposes Authenticate.
type AuthenticatorAuthManager struct {
	// contains filtered or unexported fields
}
func (*AuthenticatorAuthManager) Authenticate ¶
func (am *AuthenticatorAuthManager) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
type JWTRefreshAuthenticator ¶
// JWTRefreshAuthenticator is presumably the security.Authenticator returned by
// NewJWTRefreshAuthenticator(jwt, userLoader). Refresh's doc states it handles
// the user-data reload on refresh; the UserLoader is optional in Module.
type JWTRefreshAuthenticator struct {
	// contains filtered or unexported fields
}
func (*JWTRefreshAuthenticator) Authenticate ¶
func (j *JWTRefreshAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
func (*JWTRefreshAuthenticator) Supports ¶
func (*JWTRefreshAuthenticator) Supports(authType string) bool
type JWTTokenAuthenticator ¶
// JWTTokenAuthenticator is presumably the security.Authenticator returned by
// NewJWTAuthenticator(jwt). Its Authenticate ignores the context argument.
type JWTTokenAuthenticator struct {
	// contains filtered or unexported fields
}
func (*JWTTokenAuthenticator) Authenticate ¶
func (ja *JWTTokenAuthenticator) Authenticate(_ context.Context, authentication security.Authentication) (*security.Principal, error)
func (*JWTTokenAuthenticator) Supports ¶
func (*JWTTokenAuthenticator) Supports(authType string) bool
type JWTTokenGenerator ¶
// JWTTokenGenerator is presumably the security.TokenGenerator returned by
// NewJWTTokenGenerator(jwt, securityConfig); Generate issues
// security.AuthTokens for a Principal. Whether it applies AccessTokenExpires
// is not visible on this page.
type JWTTokenGenerator struct {
	// contains filtered or unexported fields
}
func (*JWTTokenGenerator) Generate ¶
func (g *JWTTokenGenerator) Generate(principal *security.Principal) (*security.AuthTokens, error)
type LoginParams ¶
// LoginParams represents the request parameters for user login. Every field
// carries validate:"required"; enforcement happens in the framework's binding
// layer, which is not shown here.
type LoginParams struct {
	api.P

	// Type names the authentication scheme (e.g. AuthTypePassword); presumably
	// matched against Authenticator.Supports.
	Type string `json:"type" validate:"required" label_i18n:"auth_type"`
	// Principal identifies who is logging in (its form depends on Type).
	Principal string `json:"principal" validate:"required" label_i18n:"auth_principal"`
	// Credentials is deliberately untyped: its shape depends on Type and is
	// interpreted by the matching authenticator, so it is untrusted input.
	Credentials any `json:"credentials" validate:"required" label_i18n:"auth_credentials"`
}
LoginParams represents the request parameters for user login.
type PasswordAuthenticator ¶
// PasswordAuthenticator verifies username/password credentials with optional
// decryption support for scenarios where clients encrypt passwords before
// transmission. Both constructor dependencies (UserLoader, password.Encoder)
// are optional in Module. NOTE(review): confirm Authenticate fails closed
// when either is nil.
type PasswordAuthenticator struct {
	// contains filtered or unexported fields
}
PasswordAuthenticator verifies username/password credentials with optional decryption support for scenarios where clients encrypt passwords before transmission.
func (*PasswordAuthenticator) Authenticate ¶
func (p *PasswordAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
func (*PasswordAuthenticator) Supports ¶
func (*PasswordAuthenticator) Supports(authType string) bool
type RBACDataPermissionResolver ¶
// RBACDataPermissionResolver implements role-based data permission resolution
// (security.DataPermissionResolver). The RolePermissionsLoader it is built
// from is optional in Module and may be nil.
type RBACDataPermissionResolver struct {
	// contains filtered or unexported fields
}
RBACDataPermissionResolver implements role-based data permission resolution.
func (*RBACDataPermissionResolver) ResolveDataScope ¶
func (r *RBACDataPermissionResolver) ResolveDataScope( ctx context.Context, principal *security.Principal, permToken string, ) (security.DataScope, error)
ResolveDataScope resolves the applicable DataScope for the given principal and permission token. When a user has multiple roles with the same permission token but different data scopes, the scope with the highest priority wins. Returns nil if no matching permission is found.
type RBACPermissionChecker ¶
// RBACPermissionChecker is presumably the security.PermissionChecker returned
// by NewRBACPermissionChecker(loader). The loader is optional in Module.
// NOTE(review): confirm HasPermission returns false (denies) when the loader
// is nil rather than erroring open.
type RBACPermissionChecker struct {
	// contains filtered or unexported fields
}
func (*RBACPermissionChecker) HasPermission ¶
func (c *RBACPermissionChecker) HasPermission( ctx context.Context, principal *security.Principal, permissionToken string, ) (bool, error)
HasPermission loads roles sequentially rather than in parallel, which is optimized for the common case of 1-3 roles.
type RefreshParams ¶
// RefreshParams represents the request parameters for the token refresh
// operation (see AuthResource.Refresh).
type RefreshParams struct {
	api.P

	// RefreshToken is the token previously issued alongside the access token;
	// required by the validate tag.
	RefreshToken string `json:"refreshToken" validate:"required" label_i18n:"auth_refresh_token"`
}
RefreshParams represents the request parameters for token refresh operation.
type ResolveChallengeParams ¶
// ResolveChallengeParams represents the request for resolving a login
// challenge (see AuthResource.ResolveChallenge). All fields are required.
type ResolveChallengeParams struct {
	api.P

	// ChallengeToken is the token returned by Login when challenges are pending.
	ChallengeToken string `json:"challengeToken" validate:"required" label_i18n:"auth_challenge_token"`
	// Type names the challenge being answered.
	Type string `json:"type" validate:"required" label_i18n:"auth_challenge_type"`
	// Response is deliberately untyped: its shape depends on Type and is
	// interpreted by the matching challenge provider, so it is untrusted input.
	Response any `json:"response" validate:"required" label_i18n:"auth_challenge_response"`
}
ResolveChallengeParams represents the request for resolving a login challenge.
type SignatureAuthenticator ¶
// SignatureAuthenticator validates HMAC-based signatures for external app
// authentication. Both constructor dependencies (ExternalAppLoader, NonceStore)
// are optional in Module. NOTE(review): confirm Authenticate fails closed when
// either is nil — the nonce store is what bounds replay of a captured signature.
type SignatureAuthenticator struct {
	// contains filtered or unexported fields
}
SignatureAuthenticator validates HMAC-based signatures for external app authentication.
func (*SignatureAuthenticator) Authenticate ¶
func (a *SignatureAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
func (*SignatureAuthenticator) Supports ¶
func (*SignatureAuthenticator) Supports(authType string) bool