Documentation
¶
Overview ¶
Package auth bridges the spamoor web UI to a remote authenticatoor service. When --auth-provider-url is configured, tokens are validated against that service's JWKS. When it's not set, the API runs open — authentication is the operator's responsibility (network policy / upstream proxy).
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
Handler validates incoming bearer tokens. When verifier is nil the API is treated as open (no authentication required); CheckAuthToken always returns a non-nil "valid" token.
func NewAuthHandler ¶
NewAuthHandler returns a Handler. When authProviderURL is empty the returned handler operates in open mode (no token verification, all calls allowed). When set, it bootstraps a JWKS verifier from the service's OIDC discovery doc, falling back to <url>/jwks.json. The verifier is configured to gate on this binary's serviceName via the token's "services" claim, and to bind tokens to the request host via the "scope" claim (set per-request in CheckAuthToken).
func (*Handler) CheckAuthToken ¶
CheckAuthToken validates a bearer token (with or without the "Bearer " prefix) for a request bound to host. In open mode it always returns a valid token; in remote mode it delegates to the JWKS verifier and returns nil on any failure (signature, exp, iss, aud, scope/host, services). host should be the request's Host header stripped of any port — the verifier matches it against the token's "scope" claim.
func (*Handler) GetTokenSubject ¶ added in v1.1.17
GetTokenSubject extracts the user identity (email) from a verified token. Returns "" when the token is missing/invalid or the handler is in open mode (no upstream identity to extract).