auth

package
v1.2.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 8, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package auth bridges the spamoor web UI to a remote authenticatoor service. When --auth-provider-url is configured, tokens are validated against that service's JWKS. When it's not set, the API runs open — authentication is the operator's responsibility (network policy / upstream proxy).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func StripPort added in v1.2.3

func StripPort(host string) string

StripPort removes a trailing ":port" from a request Host header value so it can be passed to CheckAuthToken. Handles bracketed IPv6 hosts.

Types

type Handler

type Handler struct {
	// contains filtered or unexported fields
}

Handler validates incoming bearer tokens. When verifier is nil the API is treated as open (no authentication required); CheckAuthToken always returns a non-nil "valid" token.

func NewAuthHandler

func NewAuthHandler(ctx context.Context, authProviderURL string) (*Handler, error)

NewAuthHandler returns a Handler. When authProviderURL is empty the returned handler operates in open mode (no token verification, all calls allowed). When set, it bootstraps a JWKS verifier from the service's OIDC discovery doc, falling back to <url>/jwks.json. The verifier is configured to gate on this binary's serviceName via the token's "services" claim, and to bind tokens to the request host via the "scope" claim (set per-request in CheckAuthToken).

func (*Handler) CheckAuthToken

func (h *Handler) CheckAuthToken(tokenStr, host string) *jwt.Token

CheckAuthToken validates a bearer token (with or without the "Bearer " prefix) for a request bound to host. In open mode it always returns a valid token; in remote mode it delegates to the JWKS verifier and returns nil on any failure (signature, exp, iss, aud, scope/host, services). host should be the request's Host header stripped of any port — the verifier matches it against the token's "scope" claim.

func (*Handler) GetTokenSubject added in v1.1.17

func (h *Handler) GetTokenSubject(authHeader, host string) string

GetTokenSubject extracts the user identity (email) from a verified token. Returns "" when the token is missing/invalid or the handler is in open mode (no upstream identity to extract).

func (*Handler) IsOpen added in v1.2.3

func (h *Handler) IsOpen() bool

IsOpen reports whether this handler is running in open mode (no auth provider configured).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL