auth

package
v0.38.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 11, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var Module = fx.Module(
	"vef:api:auth",
	fx.Provide(
		fx.Private,
		fx.Annotate(
			NewAccessTokenAuthenticator,
			fx.ResultTags(`group:"vef:api:bearer_authenticators"`),
		),
		fx.Annotate(
			NewNone,
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
		fx.Annotate(
			NewBearer,
			fx.ParamTags(`group:"vef:api:bearer_authenticators"`),
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
		fx.Annotate(
			NewSignature,
			fx.ParamTags(`optional:"true"`),
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
		fx.Annotate(
			NewIP,
			fx.ParamTags(`optional:"true"`),
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
	),
	fx.Provide(
		fx.Annotate(
			NewRegistry,
			fx.ParamTags(`group:"vef:api:auth_strategies"`),
		),
	),
)

Functions

func NewBearer

func NewBearer(authenticators []TokenAuthenticator) api.AuthStrategy

NewBearer creates a new Bearer token authentication strategy.

func NewIP added in v0.34.0

NewIP creates a new source-IP whitelist authentication strategy. The loader is optional: when the application registers no security.IPWhitelistLoader, the strategy falls back to the configuration-backed loader serving vef.security.ip_whitelists (whose construction validates the configured whitelists eagerly and fails start-up on a fault).

func NewNone

func NewNone() api.AuthStrategy

NewNone creates a new none authentication strategy.

func NewRegistry

func NewRegistry(strategies ...api.AuthStrategy) api.AuthStrategyRegistry

NewRegistry creates a new authentication strategy registry.

func NewSignature

func NewSignature(authManager security.AuthManager) api.AuthStrategy

NewSignature creates a new signature authentication strategy. The authManager is used to delegate the actual authentication to SignatureAuthenticator.

Types

type AccessTokenAuthenticator

type AccessTokenAuthenticator struct {
	// contains filtered or unexported fields
}

AccessTokenAuthenticator delegates incoming API-token authentication to the security.AuthManager, dispatching the deployment's configured token mechanism (jwt_token or opaque_token) so the matching authenticator handles it.

func (*AccessTokenAuthenticator) Authenticate

func (a *AccessTokenAuthenticator) Authenticate(ctx context.Context, token string) (*security.Principal, error)

type BearerStrategy

type BearerStrategy struct {
	// contains filtered or unexported fields
}

BearerStrategy implements api.AuthStrategy for Bearer token authentication.

func (*BearerStrategy) Authenticate

func (s *BearerStrategy) Authenticate(ctx fiber.Ctx, _ map[string]any) (*security.Principal, error)

Authenticate validates the bearer token and returns the principal.

func (*BearerStrategy) Name

func (*BearerStrategy) Name() string

Name returns the strategy name.

type IPStrategy added in v0.34.0

type IPStrategy struct {
	// contains filtered or unexported fields
}

IPStrategy implements api.AuthStrategy for source-IP whitelist authentication: the client IP is the credential. An operation opts in with api.IPAuth(name); the strategy resolves that name through the security.IPWhitelistLoader and matches the Fiber-resolved client IP against the returned entries. The validator is rebuilt per request because loader data may change between requests; loaders needing to amortize expensive lookups cache on their side.

Every authentication failure denies with security.ErrIPNotAllowed (fail closed) and configuration faults are additionally logged server-side, so the 401 stays opaque to the caller. Loader errors propagate as-is: an unavailable backing store is an infrastructure fault, not a credential rejection.

func (*IPStrategy) Authenticate added in v0.34.0

func (s *IPStrategy) Authenticate(ctx fiber.Ctx, options map[string]any) (*security.Principal, error)

Authenticate matches the client IP against the whitelist named in the operation's auth options and, on success, returns a synthesized external-app principal ("ip:<whitelist>") so audit logs carry a readable identity and permission checks still apply when the operation declares one.

func (*IPStrategy) Name added in v0.34.0

func (*IPStrategy) Name() string

Name returns the strategy name.

type NoneStrategy

type NoneStrategy struct{}

NoneStrategy implements api.AuthStrategy for public endpoints.

func (*NoneStrategy) Authenticate

func (*NoneStrategy) Authenticate(fiber.Ctx, map[string]any) (*security.Principal, error)

Authenticate returns a fresh anonymous principal for this request.

func (*NoneStrategy) Name

func (*NoneStrategy) Name() string

Name returns the strategy name.

type Registry

type Registry struct {
	// contains filtered or unexported fields
}

Registry implements api.AuthStrategyRegistry using a concurrent map.

func (*Registry) Get

func (r *Registry) Get(name string) (api.AuthStrategy, bool)

Get retrieves a strategy by name.

func (*Registry) Names

func (r *Registry) Names() []string

Names returns all registered strategy names.

func (*Registry) Register

func (r *Registry) Register(strategy api.AuthStrategy)

Register adds a strategy to the registry.

type SignatureStrategy

type SignatureStrategy struct {
	// contains filtered or unexported fields
}

SignatureStrategy implements api.AuthStrategy for HMAC signature authentication. It extracts credentials from HTTP headers and delegates authentication to the security.AuthManager, following the Spring Security pattern.

Required headers:

  • X-App-ID: Application identifier (used as Principal)
  • X-Timestamp: Unix timestamp in seconds
  • X-Nonce: Random string for replay attack prevention
  • X-Signature: HMAC signature in hex encoding

func (*SignatureStrategy) Authenticate

func (s *SignatureStrategy) Authenticate(ctx fiber.Ctx, _ map[string]any) (*security.Principal, error)

Authenticate extracts credentials from request headers and delegates authentication to the AuthManager. Headers are extracted and formatted as: Principal=AppID, Credentials="timestamp:nonce:signature".

func (*SignatureStrategy) Name

func (*SignatureStrategy) Name() string

Name returns the strategy name.

type TokenAuthenticator

type TokenAuthenticator interface {
	// Authenticate validates the bearer token and returns the authenticated principal, or an error if invalid.
	Authenticate(ctx context.Context, token string) (*security.Principal, error)
}

TokenAuthenticator validates a token and returns the principal.

func NewAccessTokenAuthenticator

func NewAccessTokenAuthenticator(manager security.AuthManager, cfg *config.SecurityConfig) TokenAuthenticator

NewAccessTokenAuthenticator creates a new access token authenticator.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL