- Variables
- func CountUsers() (int, error)
- func DeleteUser(id string) error
- func DisableMfa(userID string) error
- func HandleCreateUser(w http.ResponseWriter, r *http.Request)
- func HandleDeleteUser(w http.ResponseWriter, r *http.Request)
- func HandleGetUser(w http.ResponseWriter, r *http.Request)
- func HandleListUsers(w http.ResponseWriter, r *http.Request)
- func HandleUnlockUser(w http.ResponseWriter, r *http.Request)
- func HandleUpdateUser(w http.ResponseWriter, r *http.Request)
- func HardDeleteUser(id string) error
- func SaveTotpSecret(userID, secret string) error
- func SetRegisteredAt(id string) error
- func StoreTotpSecretPending(userID, secret string) error
- func UnlockUser(id string) error
- func UpdateUser(id string, req UserUpdateRequest) error
- func UserExistsByEmail(email string) bool
- func ValidatePasskeyUserCreateRequest(input PasskeyUserCreateRequest) error
- func ValidateUserCreateRequest(input UserCreateRequest) error
- func ValidateUserUpdateRequest(input UserUpdateRequest) error
- type ApiUserResponse
- type PasskeyUserCreateRequest
- type User
- type UserCreateRequest
- type UserResponse
- type UserUpdateRequest
Constants ¶
This section is empty.
Variables ¶
var ErrAccountLocked = errors.New("account is temporarily locked due to too many failed login attempts")
ErrAccountLocked is returned when the account is temporarily locked due to too many failed login attempts.
Functions ¶
func CountUsers ¶ added in v1.0.0
CountUsers returns the total number of users in the database.
func DeleteUser ¶
func DisableMfa ¶ added in v1.3.2
DisableMfa clears the TOTP secret and marks MFA as disabled.
func HandleCreateUser ¶
func HandleCreateUser(w http.ResponseWriter, r *http.Request)
HandleCreateUser godoc @Summary Create a new user @Description Registers a new user in the system (admin only) @Tags users-admin @Accept json @Produce json @Param user body UserCreateRequest true "User creation payload" @Security BearerAuth @Success 201 {object} UserResponse @Failure 400 {object} model.ApiError @Failure 500 {object} model.ApiError @Router /admin/api/users [post]
func HandleDeleteUser ¶ added in v1.0.0
func HandleDeleteUser(w http.ResponseWriter, r *http.Request)
HandleDeleteUser godoc @Summary Delete a user @Tags users-admin @Produce json @Param id path string true "User ID" @Security BearerAuth @Success 200 {object} map[string]string @Failure 400 {object} model.ApiError @Failure 500 {object} model.ApiError @Router /admin/api/users/{id} [delete]
func HandleGetUser ¶ added in v1.0.0
func HandleGetUser(w http.ResponseWriter, r *http.Request)
HandleGetUser godoc @Summary Get a user by ID @Tags users-admin @Produce json @Param id path string true "User ID" @Security BearerAuth @Success 200 {object} UserResponse @Failure 400 {object} model.ApiError @Failure 404 {object} model.ApiError @Router /admin/api/users/{id} [get]
func HandleListUsers ¶ added in v1.0.0
func HandleListUsers(w http.ResponseWriter, r *http.Request)
HandleListUsers godoc @Summary List all users @Tags users-admin @Produce json @Security BearerAuth @Success 200 {array} UserResponse @Failure 500 {object} model.ApiError @Router /admin/api/users [get]
func HandleUnlockUser ¶ added in v1.0.0
func HandleUnlockUser(w http.ResponseWriter, r *http.Request)
HandleUnlockUser unlocks a user account that was locked after repeated failed login attempts. @Summary Unlock user account @Description Resets the failed login attempt counter and clears the lockout time for a user, so the account can authenticate again. No @Failure responses are declared for this endpoint, unlike the other admin handlers. @Tags users-admin @Produce json @Param id path string true "User ID" @Security BearerAuth @Success 200 {object} UserResponse @Router /admin/api/users/{id}/unlock [post]
func HandleUpdateUser ¶ added in v1.0.0
func HandleUpdateUser(w http.ResponseWriter, r *http.Request)
HandleUpdateUser godoc @Summary Update a user @Description Updates a user (admin only). The payload may change the password, role and the email/TOTP verification flags (see UserUpdateRequest), so access must remain restricted to administrators. @Tags users-admin @Accept json @Produce json @Param id path string true "User ID" @Param user body UserUpdateRequest true "User update payload" @Security BearerAuth @Success 200 {object} UserResponse @Failure 400 {object} model.ApiError @Failure 500 {object} model.ApiError @Router /admin/api/users/{id} [put]
func HardDeleteUser ¶ added in v1.3.2
HardDeleteUser permanently removes a user together with every related record that cascade-deletes with it. Use it only for users that never completed activation (e.g. after a failed passkey registration); the removal is not reversible.
func SaveTotpSecret ¶ added in v1.0.0
func SetRegisteredAt ¶ added in v1.4.0
SetRegisteredAt marks the user's registration as complete by stamping registered_at.
func StoreTotpSecretPending ¶ added in v1.3.2
StoreTotpSecretPending stores the TOTP secret without marking it as verified. Use it during the setup flow and call SaveTotpSecret only after the user has confirmed a valid code, so that a secret the user never confirmed is not treated as an enabled second factor.
func UnlockUser ¶ added in v1.0.0
func UpdateUser ¶
func UpdateUser(id string, req UserUpdateRequest) error
func UserExistsByEmail ¶ added in v1.3.2
UserExistsByEmail reports whether any non-deactivated user has the given email, regardless of whether that email has been verified (unlike UserByEmail, which only matches verified addresses). It is used to prevent the same email being assigned to more than one account.
func ValidatePasskeyUserCreateRequest ¶ added in v1.3.2
func ValidatePasskeyUserCreateRequest(input PasskeyUserCreateRequest) error
func ValidateUserCreateRequest ¶
func ValidateUserCreateRequest(input UserCreateRequest) error
func ValidateUserUpdateRequest ¶ added in v1.0.0
func ValidateUserUpdateRequest(input UserUpdateRequest) error
Types ¶
type ApiUserResponse ¶
// ApiUserResponse is an envelope type that exists only so the Swagger
// documentation can describe a response carrying either a user or an error.
// Each field is omitted from the JSON output when nil.
type ApiUserResponse struct {
	// Data holds the user payload on success.
	Data *UserResponse `json:"data,omitempty"`
	// Error holds the API error on failure.
	Error *model.ApiError `json:"error,omitempty"`
}
ApiUserResponse is an envelope type used only for Swagger documentation: Data carries the user on success and Error the failure, each omitted from JSON when nil.
type PasskeyUserCreateRequest ¶ added in v1.3.2
type User ¶
// User is the database-backed representation of an account. It carries
// credential material (Password, TotpSecret) and lockout state and has no
// json tags, so marshalling it directly would expose those secrets; convert it
// with (*User).ToResponse to obtain the API-safe UserResponse instead.
type User struct {
	ID       string
	Username string
	// Password is the stored credential. Passkey-only users are created with a
	// NULL password column (see CreatePasskeyUser). Never part of UserResponse.
	Password  string
	Email     string
	CreatedAt time.Time
	Role      string
	// FailedLoginAttempts and LockedUntil back the login lockout that
	// AuthenticateUser enforces (ErrAccountLocked) and UnlockUser resets.
	FailedLoginAttempts int
	LockedUntil         *time.Time
	// TotpSecret is the shared TOTP secret. TotpVerified distinguishes a secret
	// that is still pending setup (StoreTotpSecretPending) from one the user has
	// confirmed (SaveTotpSecret); DisableMfa clears the secret and marks MFA
	// disabled. Never part of UserResponse.
	TotpSecret   string
	TotpVerified bool
	// IsEmailVerified gates lookups such as UserByEmail.
	IsEmailVerified bool
	// DeactivatedAt, when non-nil, marks a deactivated account; UserByEmail and
	// UserExistsByEmail skip such users.
	DeactivatedAt *time.Time
	// RegisteredAt is stamped by SetRegisteredAt once registration completes.
	RegisteredAt *time.Time
	UpdatedAt    time.Time
	// OIDC standard profile claims
	GivenName           string
	FamilyName          string
	MiddleName          string
	Nickname            string
	Website             string
	Gender              string
	Birthdate           string
	ProfileURL          string
	PhoneNumber         string
	PhoneNumberVerified bool
	Picture             string
	Locale              string
	Zoneinfo            string
	AddressStreet       string
	AddressLocality     string
	AddressRegion       string
	AddressPostalCode   string
	AddressCountry      string
}
func AuthenticateUser ¶
AuthenticateUser checks whether the supplied username and password match a user in the database. When lockout is configured it is enforced after repeated failed attempts, and a locked account is reported via ErrAccountLocked for as long as the lock is in effect.
func GetUserFromRequest ¶ added in v1.3.2
GetUserFromRequest resolves the calling user and its role from the request's Authorization header (the BearerAuth scheme referenced by the admin handlers' @Security annotations).
func UserByEmail ¶ added in v1.1.2
UserByEmail returns the user whose verified email matches the given address. Only rows with is_email_verified = TRUE and no deactivated_at are considered; unverified addresses never match, so the result is safe to use for email-based identification.
func UserByUsername ¶ added in v1.0.0
func (*User) ToResponse ¶ added in v1.0.0
func (u *User) ToResponse() UserResponse
type UserCreateRequest ¶
type UserResponse ¶
// UserResponse is the JSON shape returned by the admin endpoints and produced
// by (*User).ToResponse. It deliberately omits Password and TotpSecret, but it
// does expose lockout state (FailedLoginAttempts, LockedUntil) and the
// verification flags, so it is intended for admin-facing consumers.
type UserResponse struct {
	ID        string    `json:"id"`
	Username  string    `json:"username"`
	Email     string    `json:"email"`
	CreatedAt time.Time `json:"created_at"`
	Role      string    `json:"role"`
	// Lockout state; LockedUntil is omitted when the account is not locked.
	FailedLoginAttempts int        `json:"failed_login_attempts"`
	LockedUntil         *time.Time `json:"locked_until,omitempty"`
	IsEmailVerified     bool       `json:"is_email_verified"`
	// TotpVerified reports whether a confirmed TOTP secret is on file; the
	// secret itself is never serialised.
	TotpVerified bool `json:"totp_verified"`
	// OIDC standard profile claims
	GivenName   string `json:"given_name,omitempty"`
	FamilyName  string `json:"family_name,omitempty"`
	MiddleName  string `json:"middle_name,omitempty"`
	Nickname    string `json:"nickname,omitempty"`
	Website     string `json:"website,omitempty"`
	Gender      string `json:"gender,omitempty"`
	Birthdate   string `json:"birthdate,omitempty"`
	ProfileURL  string `json:"profile,omitempty"`
	PhoneNumber string `json:"phone_number,omitempty"`
	// omitempty on a bool drops the field when false, so a consumer cannot
	// distinguish "not verified" from "not reported".
	PhoneNumberVerified bool   `json:"phone_number_verified,omitempty"`
	Picture             string `json:"picture,omitempty"`
	Locale              string `json:"locale,omitempty"`
	Zoneinfo            string `json:"zoneinfo,omitempty"`
	AddressStreet       string `json:"address_street,omitempty"`
	AddressLocality     string `json:"address_locality,omitempty"`
	AddressRegion       string `json:"address_region,omitempty"`
	AddressPostalCode   string `json:"address_postal_code,omitempty"`
	AddressCountry      string `json:"address_country,omitempty"`
}
func CreatePasskeyUser ¶ added in v1.3.2
func CreatePasskeyUser(username, email string) (*UserResponse, error)
CreatePasskeyUser creates a user whose password column is NULL, so the account can only authenticate with a passkey and never via a password.
func CreateUser ¶
func CreateUser(username, password, email string) (*UserResponse, error)
type UserUpdateRequest ¶ added in v1.0.0
// UserUpdateRequest is the payload accepted by HandleUpdateUser and applied by
// UpdateUser. Every field is optional; pointer bools let the caller distinguish
// "not supplied" from an explicit false. Password, Role, IsEmailVerified and
// TotpVerified change the account's security posture, which is why the
// endpoint is admin-only. ValidateUserUpdateRequest checks the payload —
// NOTE(review): confirm it constrains Role to known values and that
// TotpVerified=true is not accepted for a user with no stored TOTP secret.
type UserUpdateRequest struct {
	Username string `json:"username,omitempty"`
	// Password, when non-empty, replaces the stored credential.
	Password string `json:"password,omitempty"`
	Email    string `json:"email,omitempty"`
	// Role grants or revokes privileges; treat as a privileged change.
	Role string `json:"role,omitempty"`
	// Verification flags; nil leaves the current value untouched.
	IsEmailVerified *bool `json:"is_email_verified,omitempty"`
	TotpVerified    *bool `json:"totp_verified,omitempty"`
	// OIDC standard profile claims
	GivenName           string `json:"given_name,omitempty"`
	FamilyName          string `json:"family_name,omitempty"`
	MiddleName          string `json:"middle_name,omitempty"`
	Nickname            string `json:"nickname,omitempty"`
	Website             string `json:"website,omitempty"`
	Gender              string `json:"gender,omitempty"`
	Birthdate           string `json:"birthdate,omitempty"`
	ProfileURL          string `json:"profile,omitempty"`
	PhoneNumber         string `json:"phone_number,omitempty"`
	PhoneNumberVerified *bool  `json:"phone_number_verified,omitempty"`
	Picture             string `json:"picture,omitempty"`
	Locale              string `json:"locale,omitempty"`
	Zoneinfo            string `json:"zoneinfo,omitempty"`
	AddressStreet       string `json:"address_street,omitempty"`
	AddressLocality     string `json:"address_locality,omitempty"`
	AddressRegion       string `json:"address_region,omitempty"`
	AddressPostalCode   string `json:"address_postal_code,omitempty"`
	AddressCountry      string `json:"address_country,omitempty"`
}