Documentation
Overview
Package auth provides simplified GitHub-based OAuth for local product edges.
This implements a minimal OAuth 2.1 authorization server that:
- Delegates identity verification to GitHub
- Issues signed bearer tokens with proper resource (audience) binding per RFC 8707
- Validates bearer tokens on protected endpoints

Two client flows are supported:
1. PKCE authorization code flow (local browser callback)
2. Device authorization grant (RFC 8628, for SSH/headless environments)
Types
type AuthUser
type AuthUser struct {
	Subject     string
	Username    string
	Groups      []string
	GitHubLogin string
	GitHubID    int64
	Orgs        []string
}
AuthUser is the authenticated user info attached to request context.
func GetAuthUser
GetAuthUser returns the authenticated user from context.
type Config
type Config struct {
	Enabled         bool               `yaml:"enabled"`
	IssuerURL       string             `yaml:"issuer_url,omitempty"`
	GitHub          *GitHubConfig      `yaml:"github,omitempty"`
	AllowedOrgs     []string           `yaml:"allowed_orgs,omitempty"`
	Tokens          TokensConfig       `yaml:"tokens"`
	AccessTokenTTL  time.Duration      `yaml:"access_token_ttl,omitempty"`
	RefreshTokenTTL time.Duration      `yaml:"refresh_token_ttl,omitempty"`
	SuccessPage     *SuccessPageConfig `yaml:"success_page,omitempty"`
}
Config holds OAuth server configuration for a local product edge.
type GitHubConfig
type GitHubConfig struct {
	ClientID     string `yaml:"client_id"`
	ClientSecret string `yaml:"client_secret"`
}
GitHubConfig holds GitHub OAuth configuration.
type SimpleService
type SimpleService interface {
	Start(ctx context.Context) error
	Stop() error
	Enabled() bool
	Middleware() func(http.Handler) http.Handler
	MountRoutes(r chi.Router)
}
SimpleService is the simplified auth service interface.
func NewSimpleService
func NewSimpleService(log logrus.FieldLogger, cfg Config) (SimpleService, error)
NewSimpleService creates a new simplified auth service. A fixed issuer URL is required so token metadata and validation do not trust inbound Host or X-Forwarded-* headers.
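Why the issuer is fixed rather than derived per request, shown as an added example that is not this package's code: an issuer rebuilt from Host or X-Forwarded-* follows whatever the caller sends, so a claims check against it follows too. The helper names, the hostnames, and the assumption that a token's audience equals the issuer URL are illustrative only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// configuredIssuer stands in for Config.IssuerURL (constructed value).
const configuredIssuer = "https://edge.example.internal"

// issuerFromHeaders is the pattern to avoid: Host and X-Forwarded-* are set
// by the caller or by any proxy on the path, so the result is not trustworthy.
func issuerFromHeaders(r *http.Request) string {
	scheme, host := "http", r.Host
	if v := r.Header.Get("X-Forwarded-Proto"); v != "" {
		scheme = v
	}
	if v := r.Header.Get("X-Forwarded-Host"); v != "" {
		host = v
	}
	return scheme + "://" + host
}

// issuerFixed ignores the request and returns the configured value.
func issuerFixed(_ *http.Request) string { return configuredIssuer }

// acceptClaims is a hypothetical check: iss and aud must both equal the
// issuer the server believes it is (assumes resource URL == issuer URL).
func acceptClaims(iss, aud, serverIssuer string) bool {
	return iss == serverIssuer && aud == serverIssuer
}

// sampleRequest builds a constructed request whose headers name another host.
func sampleRequest() *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/protected", nil)
	r.Host = "other.example"
	r.Header.Set("X-Forwarded-Proto", "https")
	r.Header.Set("X-Forwarded-Host", "other.example")
	return r
}

func main() {
	r := sampleRequest()
	claim := "https://other.example" // iss and aud of a token minted elsewhere
	fmt.Println("header-derived issuer accepts:", acceptClaims(claim, claim, issuerFromHeaders(r)))
	fmt.Println("fixed issuer accepts:         ", acceptClaims(claim, claim, issuerFixed(r)))
}
```

With the header-derived issuer the foreign token's claims match and are accepted; with the fixed issuer they are rejected regardless of the request headers.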
type SuccessPageConfig (added in v0.2.0)
type SuccessPageConfig struct {
	Rules   []SuccessPageRule   `yaml:"rules,omitempty" json:"rules,omitempty"`
	Default *SuccessPageDisplay `yaml:"default,omitempty" json:"default,omitempty"`
}
SuccessPageConfig defines rules for customizing the OAuth success page. Rules are evaluated in order; the first match wins.
func (*SuccessPageConfig) Resolve (added in v0.2.0)
func (c *SuccessPageConfig) Resolve(login string, orgs []string) SuccessPageDisplay
Resolve evaluates rules against the given user and returns the display configuration for the first matching rule, or the default.
type SuccessPageDisplay (added in v0.2.0)
type SuccessPageDisplay struct {
	Tagline string            `yaml:"tagline,omitempty" json:"tagline,omitempty"`
	Media   *SuccessPageMedia `yaml:"media,omitempty" json:"media,omitempty"`
}
SuccessPageDisplay holds the customizable content shown on the success page.
type SuccessPageMatch (added in v0.2.0)
type SuccessPageMatch struct {
	Orgs  []string `yaml:"orgs,omitempty" json:"orgs,omitempty"`
	Users []string `yaml:"users,omitempty" json:"users,omitempty"`
}
SuccessPageMatch defines the conditions under which a rule applies. All specified fields must match (AND logic).
type SuccessPageMedia (added in v0.2.0)
type SuccessPageMedia struct {
	// Type is "gif" or "ascii".
	Type string `yaml:"type" json:"type"`
	// URL is the image source when Type is "gif".
	URL string `yaml:"url,omitempty" json:"url,omitempty"`
	// ASCIIArtBase64 is base64-encoded ASCII art when Type is "ascii".
	ASCIIArtBase64 string `yaml:"ascii_art_base64,omitempty" json:"ascii_art_base64,omitempty"`
}
SuccessPageMedia defines the media block shown on the success page.
type SuccessPageRule (added in v0.2.0)
type SuccessPageRule struct {
	Match              SuccessPageMatch `yaml:"match" json:"match"`
	SuccessPageDisplay `yaml:",inline"`
}
SuccessPageRule pairs a match condition with display content.
type TokensConfig
type TokensConfig struct {
	SecretKey string `yaml:"secret_key"`
}
TokensConfig holds signed access token configuration.
Directories
| Path | Synopsis |
|---|---|
| | Package client provides an OAuth PKCE client for local authentication. |
| | Package github provides GitHub OAuth integration. |
| | Package store provides local credential storage for OAuth tokens. |