Documentation
¶
Index ¶
- Variables
- func NewAPIKey(loader security.APIKeyLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)
- func NewBearer(authenticators []TokenAuthenticator) api.AuthStrategy
- func NewHTTPBasic(loader security.BasicAccountLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)
- func NewIP(loader security.IPWhitelistLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)
- func NewNone() api.AuthStrategy
- func NewRegistry(strategies ...api.AuthStrategy) api.AuthStrategyRegistry
- func NewSignature(authManager security.AuthManager) api.AuthStrategy
- type APIKeyStrategy
- type AccessTokenAuthenticator
- type BearerStrategy
- type HTTPBasicStrategy
- type IPStrategy
- type NoneStrategy
- type Registry
- type SignatureStrategy
- type TokenAuthenticator
Constants ¶
This section is empty.
Variables ¶
var Module = fx.Module( "vef:api:auth", fx.Provide( fx.Private, fx.Annotate( NewAccessTokenAuthenticator, fx.ResultTags(`group:"vef:api:bearer_authenticators"`), ), fx.Annotate( NewNone, fx.ResultTags(`group:"vef:api:auth_strategies"`), ), fx.Annotate( NewBearer, fx.ParamTags(`group:"vef:api:bearer_authenticators"`), fx.ResultTags(`group:"vef:api:auth_strategies"`), ), fx.Annotate( NewSignature, fx.ParamTags(`optional:"true"`), fx.ResultTags(`group:"vef:api:auth_strategies"`), ), fx.Annotate( NewIP, fx.ParamTags(`optional:"true"`), fx.ResultTags(`group:"vef:api:auth_strategies"`), ), fx.Annotate( NewAPIKey, fx.ParamTags(`optional:"true"`), fx.ResultTags(`group:"vef:api:auth_strategies"`), ), fx.Annotate( NewHTTPBasic, fx.ParamTags(`optional:"true"`), fx.ResultTags(`group:"vef:api:auth_strategies"`), ), ), fx.Provide( fx.Annotate( NewRegistry, fx.ParamTags(`group:"vef:api:auth_strategies"`), ), ), )
Functions ¶
func NewAPIKey ¶ added in v0.39.0
func NewAPIKey(loader security.APIKeyLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)
NewAPIKey creates a new API key authentication strategy. The loader is optional: when the application registers no security.APIKeyLoader, the strategy falls back to the configuration-backed loader serving vef.security.api_keys (whose construction validates the configured keys eagerly and fails start-up on a fault).
func NewBearer ¶
func NewBearer(authenticators []TokenAuthenticator) api.AuthStrategy
NewBearer creates a new Bearer token authentication strategy.
func NewHTTPBasic ¶ added in v0.39.0
func NewHTTPBasic(loader security.BasicAccountLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)
NewHTTPBasic creates a new HTTP Basic authentication strategy. The loader is optional: when the application registers no security.BasicAccountLoader, the strategy falls back to the configuration-backed loader serving vef.security.basic_accounts (whose construction validates the configured accounts eagerly and fails start-up on a fault).
func NewIP ¶ added in v0.34.0
func NewIP(loader security.IPWhitelistLoader, cfg *config.SecurityConfig) (api.AuthStrategy, error)
NewIP creates a new source-IP whitelist authentication strategy. The loader is optional: when the application registers no security.IPWhitelistLoader, the strategy falls back to the configuration-backed loader serving vef.security.ip_whitelists (whose construction validates the configured whitelists eagerly and fails start-up on a fault).
func NewRegistry ¶
func NewRegistry(strategies ...api.AuthStrategy) api.AuthStrategyRegistry
NewRegistry creates a new authentication strategy registry.
func NewSignature ¶
func NewSignature(authManager security.AuthManager) api.AuthStrategy
NewSignature creates a new signature authentication strategy. The authManager is used to delegate the actual authentication to SignatureAuthenticator.
Types ¶
type APIKeyStrategy ¶ added in v0.39.0
type APIKeyStrategy struct {
// contains filtered or unexported fields
}
APIKeyStrategy implements api.AuthStrategy for static API key authentication: the request presents a key in a header (HeaderXAPIKey by default, overridable per operation via api.APIKeyAuth(header)) and the strategy resolves it through the security.APIKeyLoader.
Every authentication failure denies with security.ErrAPIKeyInvalid (fail closed) and configuration faults are additionally logged server-side, so the 401 stays opaque to the caller. Loader errors propagate as-is: an unavailable backing store is an infrastructure fault, not a credential rejection.
func (*APIKeyStrategy) Authenticate ¶ added in v0.39.0
func (s *APIKeyStrategy) Authenticate(ctx fiber.Ctx, options map[string]any) (*security.Principal, error)
Authenticate resolves the key presented in the configured header through the loader and returns the principal it maps to.
func (*APIKeyStrategy) Name ¶ added in v0.39.0
func (*APIKeyStrategy) Name() string
Name returns the strategy name.
type AccessTokenAuthenticator ¶
type AccessTokenAuthenticator struct {
// contains filtered or unexported fields
}
AccessTokenAuthenticator delegates incoming API-token authentication to the security.AuthManager, dispatching the deployment's configured token mechanism (jwt_token or opaque_token) so the matching authenticator handles it.
func (*AccessTokenAuthenticator) Authenticate ¶
type BearerStrategy ¶
type BearerStrategy struct {
// contains filtered or unexported fields
}
BearerStrategy implements api.AuthStrategy for Bearer token authentication.
func (*BearerStrategy) Authenticate ¶
Authenticate validates the bearer token and returns the principal.
type HTTPBasicStrategy ¶ added in v0.39.0
type HTTPBasicStrategy struct {
// contains filtered or unexported fields
}
HTTPBasicStrategy implements api.AuthStrategy for HTTP Basic authentication (RFC 7617): the request presents "Authorization: Basic base64(user:pass)" and the strategy resolves the username through the security.BasicAccountLoader, comparing the stored secret in constant time.
Every authentication failure denies with security.ErrBasicCredentialsInvalid (fail closed) without revealing whether the username or the password was wrong. Loader errors propagate as-is: an unavailable backing store is an infrastructure fault, not a credential rejection.
func (*HTTPBasicStrategy) Authenticate ¶ added in v0.39.0
func (s *HTTPBasicStrategy) Authenticate(ctx fiber.Ctx, _ map[string]any) (*security.Principal, error)
Authenticate decodes the Basic credentials, resolves the username through the loader, and compares the stored secret in constant time.
func (*HTTPBasicStrategy) Name ¶ added in v0.39.0
func (*HTTPBasicStrategy) Name() string
Name returns the strategy name.
type IPStrategy ¶ added in v0.34.0
type IPStrategy struct {
// contains filtered or unexported fields
}
IPStrategy implements api.AuthStrategy for source-IP whitelist authentication: the client IP is the credential. An operation opts in with api.IPAuth(name); the strategy resolves that name through the security.IPWhitelistLoader and matches the Fiber-resolved client IP against the returned entries. The validator is rebuilt per request because loader data may change between requests; loaders needing to amortize expensive lookups cache on their side.
Every authentication failure denies with security.ErrIPNotAllowed (fail closed) and configuration faults are additionally logged server-side, so the 401 stays opaque to the caller. Loader errors propagate as-is: an unavailable backing store is an infrastructure fault, not a credential rejection.
func (*IPStrategy) Authenticate ¶ added in v0.34.0
func (s *IPStrategy) Authenticate(ctx fiber.Ctx, options map[string]any) (*security.Principal, error)
Authenticate matches the client IP against the whitelist named in the operation's auth options and, on success, returns a synthesized external-app principal ("ip:<whitelist>") so audit logs carry a readable identity and permission checks still apply when the operation declares one.
func (*IPStrategy) Name ¶ added in v0.34.0
func (*IPStrategy) Name() string
Name returns the strategy name.
type NoneStrategy ¶
type NoneStrategy struct{}
NoneStrategy implements api.AuthStrategy for public endpoints.
func (*NoneStrategy) Authenticate ¶
Authenticate returns a fresh anonymous principal for this request.
type Registry ¶
type Registry struct {
// contains filtered or unexported fields
}
Registry implements api.AuthStrategyRegistry using a concurrent map.
func (*Registry) Get ¶
func (r *Registry) Get(name string) (api.AuthStrategy, bool)
Get retrieves a strategy by name.
func (*Registry) Register ¶
func (r *Registry) Register(strategy api.AuthStrategy)
Register adds a strategy to the registry.
type SignatureStrategy ¶
type SignatureStrategy struct {
// contains filtered or unexported fields
}
SignatureStrategy implements api.AuthStrategy for HMAC signature authentication. It extracts credentials from HTTP headers and delegates authentication to the security.AuthManager, following the Spring Security pattern.
Required headers:
- X-App-ID: Application identifier (used as Principal)
- X-Timestamp: Unix timestamp in seconds
- X-Nonce: Random string for replay attack prevention
- X-Signature: HMAC signature in hex encoding
func (*SignatureStrategy) Authenticate ¶
func (s *SignatureStrategy) Authenticate(ctx fiber.Ctx, _ map[string]any) (*security.Principal, error)
Authenticate extracts credentials from request headers and delegates authentication to the AuthManager. Headers are extracted and formatted as: Principal=AppID, Credentials="timestamp:nonce:signature".
func (*SignatureStrategy) Name ¶
func (*SignatureStrategy) Name() string
Name returns the strategy name.
type TokenAuthenticator ¶
type TokenAuthenticator interface {
// Authenticate validates the bearer token and returns the authenticated principal, or an error if invalid.
Authenticate(ctx context.Context, token string) (*security.Principal, error)
}
TokenAuthenticator validates a token and returns the principal.
func NewAccessTokenAuthenticator ¶
func NewAccessTokenAuthenticator(manager security.AuthManager, cfg *config.SecurityConfig) TokenAuthenticator
NewAccessTokenAuthenticator creates a new access token authenticator.