auth

package
v0.39.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 17, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var Module = fx.Module(
	"vef:api:auth",
	fx.Provide(
		fx.Private,
		fx.Annotate(
			NewAccessTokenAuthenticator,
			fx.ResultTags(`group:"vef:api:bearer_authenticators"`),
		),
		fx.Annotate(
			NewNone,
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
		fx.Annotate(
			NewBearer,
			fx.ParamTags(`group:"vef:api:bearer_authenticators"`),
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
		fx.Annotate(
			NewSignature,
			fx.ParamTags(`optional:"true"`),
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
		fx.Annotate(
			NewIP,
			fx.ParamTags(`optional:"true"`),
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
		fx.Annotate(
			NewAPIKey,
			fx.ParamTags(`optional:"true"`),
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
		fx.Annotate(
			NewHTTPBasic,
			fx.ParamTags(`optional:"true"`),
			fx.ResultTags(`group:"vef:api:auth_strategies"`),
		),
	),
	fx.Provide(
		fx.Annotate(
			NewRegistry,
			fx.ParamTags(`group:"vef:api:auth_strategies"`),
		),
	),
)

Functions

func NewAPIKey added in v0.39.0

func NewAPIKey(loader security.APIKeyLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)

NewAPIKey creates a new API key authentication strategy. The loader is optional: when the application registers no security.APIKeyLoader, the strategy falls back to the configuration-backed loader serving vef.security.api_keys (whose construction validates the configured keys eagerly and fails start-up on a fault).

func NewBearer

func NewBearer(authenticators []TokenAuthenticator) api.AuthStrategy

NewBearer creates a new Bearer token authentication strategy.

func NewHTTPBasic added in v0.39.0

NewHTTPBasic creates a new HTTP Basic authentication strategy. The loader is optional: when the application registers no security.BasicAccountLoader, the strategy falls back to the configuration-backed loader serving vef.security.basic_accounts (whose construction validates the configured accounts eagerly and fails start-up on a fault).

func NewIP added in v0.34.0

NewIP creates a new source-IP whitelist authentication strategy. The loader is optional: when the application registers no security.IPWhitelistLoader, the strategy falls back to the configuration-backed loader serving vef.security.ip_whitelists (whose construction validates the configured whitelists eagerly and fails start-up on a fault).

func NewNone

func NewNone() api.AuthStrategy

NewNone creates a new none authentication strategy.

func NewRegistry

func NewRegistry(strategies ...api.AuthStrategy) api.AuthStrategyRegistry

NewRegistry creates a new authentication strategy registry.

func NewSignature

func NewSignature(authManager security.AuthManager) api.AuthStrategy

NewSignature creates a new signature authentication strategy. The authManager is used to delegate the actual authentication to SignatureAuthenticator.

Types

type APIKeyStrategy added in v0.39.0

type APIKeyStrategy struct {
	// contains filtered or unexported fields
}

APIKeyStrategy implements api.AuthStrategy for static API key authentication: the request presents a key in a header (HeaderXAPIKey by default, overridable per operation via api.APIKeyAuth(header)) and the strategy resolves it through the security.APIKeyLoader.

Every authentication failure denies with security.ErrAPIKeyInvalid (fail closed) and configuration faults are additionally logged server-side, so the 401 stays opaque to the caller. Loader errors propagate as-is: an unavailable backing store is an infrastructure fault, not a credential rejection.

func (*APIKeyStrategy) Authenticate added in v0.39.0

func (s *APIKeyStrategy) Authenticate(ctx fiber.Ctx, options map[string]any) (*security.Principal, error)

Authenticate resolves the key presented in the configured header through the loader and returns the principal it maps to.

func (*APIKeyStrategy) Name added in v0.39.0

func (*APIKeyStrategy) Name() string

Name returns the strategy name.

type AccessTokenAuthenticator

type AccessTokenAuthenticator struct {
	// contains filtered or unexported fields
}

AccessTokenAuthenticator delegates incoming API-token authentication to the security.AuthManager, dispatching the deployment's configured token mechanism (jwt_token or opaque_token) so the matching authenticator handles it.

func (*AccessTokenAuthenticator) Authenticate

func (a *AccessTokenAuthenticator) Authenticate(ctx context.Context, token string) (*security.Principal, error)

type BearerStrategy

type BearerStrategy struct {
	// contains filtered or unexported fields
}

BearerStrategy implements api.AuthStrategy for Bearer token authentication.

func (*BearerStrategy) Authenticate

func (s *BearerStrategy) Authenticate(ctx fiber.Ctx, _ map[string]any) (*security.Principal, error)

Authenticate validates the bearer token and returns the principal.

func (*BearerStrategy) Name

func (*BearerStrategy) Name() string

Name returns the strategy name.

type HTTPBasicStrategy added in v0.39.0

type HTTPBasicStrategy struct {
	// contains filtered or unexported fields
}

HTTPBasicStrategy implements api.AuthStrategy for HTTP Basic authentication (RFC 7617): the request presents "Authorization: Basic base64(user:pass)" and the strategy resolves the username through the security.BasicAccountLoader, comparing the stored secret in constant time.

Every authentication failure denies with security.ErrBasicCredentialsInvalid (fail closed) without revealing whether the username or the password was wrong. Loader errors propagate as-is: an unavailable backing store is an infrastructure fault, not a credential rejection.

func (*HTTPBasicStrategy) Authenticate added in v0.39.0

func (s *HTTPBasicStrategy) Authenticate(ctx fiber.Ctx, _ map[string]any) (*security.Principal, error)

Authenticate decodes the Basic credentials, resolves the username through the loader, and compares the stored secret in constant time.

func (*HTTPBasicStrategy) Name added in v0.39.0

func (*HTTPBasicStrategy) Name() string

Name returns the strategy name.

type IPStrategy added in v0.34.0

type IPStrategy struct {
	// contains filtered or unexported fields
}

IPStrategy implements api.AuthStrategy for source-IP whitelist authentication: the client IP is the credential. An operation opts in with api.IPAuth(name); the strategy resolves that name through the security.IPWhitelistLoader and matches the Fiber-resolved client IP against the returned entries. The validator is rebuilt per request because loader data may change between requests; loaders needing to amortize expensive lookups cache on their side.

Every authentication failure denies with security.ErrIPNotAllowed (fail closed) and configuration faults are additionally logged server-side, so the 401 stays opaque to the caller. Loader errors propagate as-is: an unavailable backing store is an infrastructure fault, not a credential rejection.

func (*IPStrategy) Authenticate added in v0.34.0

func (s *IPStrategy) Authenticate(ctx fiber.Ctx, options map[string]any) (*security.Principal, error)

Authenticate matches the client IP against the whitelist named in the operation's auth options and, on success, returns a synthesized external-app principal ("ip:<whitelist>") so audit logs carry a readable identity and permission checks still apply when the operation declares one.

func (*IPStrategy) Name added in v0.34.0

func (*IPStrategy) Name() string

Name returns the strategy name.

type NoneStrategy

type NoneStrategy struct{}

NoneStrategy implements api.AuthStrategy for public endpoints.

func (*NoneStrategy) Authenticate

func (*NoneStrategy) Authenticate(fiber.Ctx, map[string]any) (*security.Principal, error)

Authenticate returns a fresh anonymous principal for this request.

func (*NoneStrategy) Name

func (*NoneStrategy) Name() string

Name returns the strategy name.

type Registry

type Registry struct {
	// contains filtered or unexported fields
}

Registry implements api.AuthStrategyRegistry using a concurrent map.

func (*Registry) Get

func (r *Registry) Get(name string) (api.AuthStrategy, bool)

Get retrieves a strategy by name.

func (*Registry) Names

func (r *Registry) Names() []string

Names returns all registered strategy names.

func (*Registry) Register

func (r *Registry) Register(strategy api.AuthStrategy)

Register adds a strategy to the registry.

type SignatureStrategy

type SignatureStrategy struct {
	// contains filtered or unexported fields
}

SignatureStrategy implements api.AuthStrategy for HMAC signature authentication. It extracts credentials from HTTP headers and delegates authentication to the security.AuthManager, following the Spring Security pattern.

Required headers:

  • X-App-ID: Application identifier (used as Principal)
  • X-Timestamp: Unix timestamp in seconds
  • X-Nonce: Random string for replay attack prevention
  • X-Signature: HMAC signature in hex encoding

func (*SignatureStrategy) Authenticate

func (s *SignatureStrategy) Authenticate(ctx fiber.Ctx, _ map[string]any) (*security.Principal, error)

Authenticate extracts credentials from request headers and delegates authentication to the AuthManager. Headers are extracted and formatted as: Principal=AppID, Credentials="timestamp:nonce:signature".

func (*SignatureStrategy) Name

func (*SignatureStrategy) Name() string

Name returns the strategy name.

type TokenAuthenticator

type TokenAuthenticator interface {
	// Authenticate validates the bearer token and returns the authenticated principal, or an error if invalid.
	Authenticate(ctx context.Context, token string) (*security.Principal, error)
}

TokenAuthenticator validates a token and returns the principal.

func NewAccessTokenAuthenticator

func NewAccessTokenAuthenticator(manager security.AuthManager, cfg *config.SecurityConfig) TokenAuthenticator

NewAccessTokenAuthenticator creates a new access token authenticator.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL