auth

package
v0.39.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 17, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source
const (
	InboundSchemeNone      = "none"
	InboundSchemeIP        = "ip"
	InboundSchemeHTTPBasic = "http_basic"
	InboundSchemeBearer    = "bearer"
	InboundSchemeHeader    = "header"
	InboundSchemeQuery     = "query"
	InboundSchemeSignature = "signature"
	InboundSchemeScript    = "script"
)

Built-in inbound scheme names. They mirror the outbound vocabulary — the same name verifies the wire format its outbound counterpart sends; ip is inbound-only because a source address is only verifiable on receive.

View Source
const (
	OutboundSchemeNone      = "none"
	OutboundSchemeHTTPBasic = "http_basic"
	OutboundSchemeBearer    = "bearer"
	OutboundSchemeHeader    = "header"
	OutboundSchemeQuery     = "query"
	OutboundSchemeSignature = "signature"
	OutboundSchemeScript    = "script"
)

Built-in outbound scheme names. They mirror the inbound vocabulary — the same name authenticates the same wire format in the opposite direction; ip stays inbound-only because a source address is only verifiable on receive.

Variables

View Source
var ErrMissingParam = errors.New("integration auth: missing parameter")

ErrMissingParam indicates a required auth parameter is absent or empty.

View Source
var ErrSigningScriptReturn = errors.New("integration auth: signing script must return a header object")

ErrSigningScriptReturn rejects a signing script whose return value is not a header object.

View Source
var ErrVerificationFailed = errors.New("integration inbound auth: verification failed")

ErrVerificationFailed is the uniform inbound credential rejection. Schemes return it (or wrap it) for every mismatch so callers cannot probe which part of a credential was wrong; configuration faults use ErrMissingParam instead and classify as config, not auth.

Functions

func InboundRequestBinding

func InboundRequestBinding(req *integration.InboundRequest) map[string]any

InboundRequestBinding is the read-only view of the request exposed to verification and adapter scripts.

func ValidateInboundAuth

func ValidateInboundAuth(registry *InboundRegistry, cfg *integration.InboundAuthConfig) error

ValidateInboundAuth rejects an inbound auth config referencing an unknown scheme, a script scheme without a compilable verification body, or a verification body on a scheme that will never run one. Params must already be in their submitted form — the check runs before encryption.

func ValidateOutboundAuth

func ValidateOutboundAuth(cfg *integration.OutboundAuthConfig) error

ValidateOutboundAuth rejects a signing body on an outbound scheme that will never run one, mirroring the inbound structural check. Scheme existence and parameter validation stay in definition.ValidateSystem, which exercises the scheme's Apply against the decrypted config.

Types

type InboundRegistry

type InboundRegistry struct {
	// contains filtered or unexported fields
}

InboundRegistry resolves inbound auth schemes by name: the built-in schemes overlaid by application-provided ones (group "vef:integration:inbound_auth_schemes"). An application scheme whose name matches a built-in replaces it.

func NewInboundRegistry

func NewInboundRegistry(engine *js.Engine, cfg *config.IntegrationConfig, nonceStore security.NonceStore, appSchemes []integration.InboundAuthScheme) *InboundRegistry

NewInboundRegistry builds the registry from the built-in schemes and the application-provided overlays. The engine powers the built-in script scheme's verification runtimes.

func (*InboundRegistry) Get

Get returns the scheme registered under name.

func (*InboundRegistry) Resolve

Resolve returns the scheme for cfg. Unlike the outbound registry there is no implicit default: inbound delivery is fail-closed, so a nil config or a blank scheme name resolves to nothing and the caller denies.

type OutboundAuthError

type OutboundAuthError struct {
	// contains filtered or unexported fields
}

OutboundAuthError marks a failure inside an outbound auth scheme's request hook (signing script, signature computation). The invoker classifies it as a configuration fault — the system's auth definition is broken — rather than a transport failure of the upstream.

func (*OutboundAuthError) Error

func (e *OutboundAuthError) Error() string

func (*OutboundAuthError) Unwrap

func (e *OutboundAuthError) Unwrap() error

type OutboundRegistry

type OutboundRegistry struct {
	// contains filtered or unexported fields
}

OutboundRegistry resolves auth schemes by name: the built-in schemes overlaid by application-provided ones (group "vef:integration:outbound_auth_schemes"). An application scheme whose name matches a built-in replaces it.

func NewOutboundRegistry

func NewOutboundRegistry(engine *js.Engine, cfg *config.IntegrationConfig, appSchemes []integration.OutboundAuthScheme) *OutboundRegistry

NewOutboundRegistry builds the registry from the built-in schemes and the application-provided overlays. The engine powers the script scheme's signing runtimes.

func (*OutboundRegistry) Get

Get returns the scheme registered under name.

func (*OutboundRegistry) Resolve

Resolve returns the scheme for cfg: the none scheme for a nil config, else the scheme cfg names. An unknown name reports ok=false.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL