Documentation
¶
Index ¶
- Variables
- func NewBearer(authenticators []TokenAuthenticator) api.AuthStrategy
- func NewIP(loader security.IPWhitelistLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)
- func NewNone() api.AuthStrategy
- func NewRegistry(strategies ...api.AuthStrategy) api.AuthStrategyRegistry
- func NewSignature(authManager security.AuthManager) api.AuthStrategy
- type AccessTokenAuthenticator
- type BearerStrategy
- type IPStrategy
- type NoneStrategy
- type Registry
- type SignatureStrategy
- type TokenAuthenticator
Constants ¶
This section is empty.
Variables ¶
var Module = fx.Module( "vef:api:auth", fx.Provide( fx.Private, fx.Annotate( NewAccessTokenAuthenticator, fx.ResultTags(`group:"vef:api:bearer_authenticators"`), ), fx.Annotate( NewNone, fx.ResultTags(`group:"vef:api:auth_strategies"`), ), fx.Annotate( NewBearer, fx.ParamTags(`group:"vef:api:bearer_authenticators"`), fx.ResultTags(`group:"vef:api:auth_strategies"`), ), fx.Annotate( NewSignature, fx.ParamTags(`optional:"true"`), fx.ResultTags(`group:"vef:api:auth_strategies"`), ), fx.Annotate( NewIP, fx.ParamTags(`optional:"true"`), fx.ResultTags(`group:"vef:api:auth_strategies"`), ), ), fx.Provide( fx.Annotate( NewRegistry, fx.ParamTags(`group:"vef:api:auth_strategies"`), ), ), )
Functions ¶
func NewBearer ¶
func NewBearer(authenticators []TokenAuthenticator) api.AuthStrategy
NewBearer creates a new Bearer token authentication strategy.
func NewIP ¶ added in v0.34.0
func NewIP(loader security.IPWhitelistLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)
NewIP creates a new source-IP whitelist authentication strategy. The loader is optional: when the application registers no security.IPWhitelistLoader, the strategy falls back to the configuration-backed loader serving vef.security.ip_whitelists (whose construction validates the configured whitelists eagerly and fails start-up on a fault).
func NewRegistry ¶
func NewRegistry(strategies ...api.AuthStrategy) api.AuthStrategyRegistry
NewRegistry creates a new authentication strategy registry.
func NewSignature ¶
func NewSignature(authManager security.AuthManager) api.AuthStrategy
NewSignature creates a new signature authentication strategy. The authManager is used to delegate the actual authentication to SignatureAuthenticator.
Types ¶
type AccessTokenAuthenticator ¶
type AccessTokenAuthenticator struct {
// contains filtered or unexported fields
}
AccessTokenAuthenticator delegates incoming API-token authentication to the security.AuthManager, dispatching the deployment's configured token mechanism (jwt_token or opaque_token) so the matching authenticator handles it.
func (*AccessTokenAuthenticator) Authenticate ¶
type BearerStrategy ¶
type BearerStrategy struct {
// contains filtered or unexported fields
}
BearerStrategy implements api.AuthStrategy for Bearer token authentication.
func (*BearerStrategy) Authenticate ¶
Authenticate validates the bearer token and returns the principal.
type IPStrategy ¶ added in v0.34.0
type IPStrategy struct {
// contains filtered or unexported fields
}
IPStrategy implements api.AuthStrategy for source-IP whitelist authentication: the client IP is the credential. An operation opts in with api.IPAuth(name); the strategy resolves that name through the security.IPWhitelistLoader and matches the Fiber-resolved client IP against the returned entries. The validator is rebuilt per request because loader data may change between requests; loaders needing to amortize expensive lookups cache on their side.
Every authentication failure denies with security.ErrIPNotAllowed (fail closed) and configuration faults are additionally logged server-side, so the 401 stays opaque to the caller. Loader errors propagate as-is: an unavailable backing store is an infrastructure fault, not a credential rejection.
func (*IPStrategy) Authenticate ¶ added in v0.34.0
func (s *IPStrategy) Authenticate(ctx fiber.Ctx, options map[string]any) (*security.Principal, error)
Authenticate matches the client IP against the whitelist named in the operation's auth options and, on success, returns a synthesized external-app principal ("ip:<whitelist>") so audit logs carry a readable identity and permission checks still apply when the operation declares one.
func (*IPStrategy) Name ¶ added in v0.34.0
func (*IPStrategy) Name() string
Name returns the strategy name.
type NoneStrategy ¶
type NoneStrategy struct{}
NoneStrategy implements api.AuthStrategy for public endpoints.
func (*NoneStrategy) Authenticate ¶
Authenticate returns a fresh anonymous principal for this request.
type Registry ¶
type Registry struct {
// contains filtered or unexported fields
}
Registry implements api.AuthStrategyRegistry using a concurrent map.
func (*Registry) Get ¶
func (r *Registry) Get(name string) (api.AuthStrategy, bool)
Get retrieves a strategy by name.
func (*Registry) Register ¶
func (r *Registry) Register(strategy api.AuthStrategy)
Register adds a strategy to the registry.
type SignatureStrategy ¶
type SignatureStrategy struct {
// contains filtered or unexported fields
}
SignatureStrategy implements api.AuthStrategy for HMAC signature authentication. It extracts credentials from HTTP headers and delegates authentication to the security.AuthManager, following the Spring Security pattern.
Required headers:
- X-App-ID: Application identifier (used as Principal)
- X-Timestamp: Unix timestamp in seconds
- X-Nonce: Random string for replay attack prevention
- X-Signature: HMAC signature in hex encoding
func (*SignatureStrategy) Authenticate ¶
func (s *SignatureStrategy) Authenticate(ctx fiber.Ctx, _ map[string]any) (*security.Principal, error)
Authenticate extracts credentials from request headers and delegates authentication to the AuthManager. Headers are extracted and formatted as: Principal=AppID, Credentials="timestamp:nonce:signature".
func (*SignatureStrategy) Name ¶
func (*SignatureStrategy) Name() string
Name returns the strategy name.
type TokenAuthenticator ¶
type TokenAuthenticator interface {
// Authenticate validates the bearer token and returns the authenticated principal, or an error if invalid.
Authenticate(ctx context.Context, token string) (*security.Principal, error)
}
TokenAuthenticator validates a token and returns the principal.
func NewAccessTokenAuthenticator ¶
func NewAccessTokenAuthenticator(manager security.AuthManager, cfg *config.SecurityConfig) TokenAuthenticator
NewAccessTokenAuthenticator creates a new access token authenticator.