credentials

Published: Apr 30, 2026 License: MIT Imports: 18 Imported by: 0

Constants

// IntentRegisterPasskey is the "register_passkey" enrollment intent; presumably
// the value passed as intent to Enrollment.Mint and returned in
// EnrollmentLookup.Intent — confirm against the implementation.
const IntentRegisterPasskey = "register_passkey"
// IntentSetPassword is the "set_password" enrollment intent; presumably
// the value passed as intent to Enrollment.Mint and returned in
// EnrollmentLookup.Intent — confirm against the implementation.
const IntentSetPassword = "set_password"

Variables

// ErrChallengeNotFound is returned by ChallengeStore.Consume when the challenge
// id is missing, expired, or belongs to a different session; the single error
// deliberately does not reveal which of these applied.
var ErrChallengeNotFound = errors.New("webauthn: challenge not found or expired")

ErrChallengeNotFound is returned when a challenge id is missing, expired, or belongs to a different session.

// ErrEnrollmentConsumed reports that an enrollment token has already been used.
var ErrEnrollmentConsumed = errors.New("credentials: enrollment token already used")
// ErrEnrollmentExpired reports that an enrollment token's TTL has elapsed.
var ErrEnrollmentExpired = errors.New("credentials: enrollment token expired")
// ErrEnrollmentInvalid reports that an enrollment token is not recognised.
var ErrEnrollmentInvalid = errors.New("credentials: enrollment token invalid")
// ErrPasskeyUnknown reports that no stored passkey matches the presented credential.
var ErrPasskeyUnknown = errors.New("credentials: passkey unknown")
// ErrSignCountRegression reports that an assertion's signature counter did not
// advance past the stored Passkey.SignCount (a possible cloned-authenticator signal).
var ErrSignCountRegression = errors.New("credentials: passkey sign-count regression")
// ErrTokenExpired reports that an API token's expiry has passed.
var ErrTokenExpired = errors.New("credentials: token expired")
// ErrTokenInvalid reports that a presented token is not recognised.
var ErrTokenInvalid = errors.New("credentials: token invalid")
// ErrTokenRevoked reports that a token has been revoked (see Tokens.Revoke).
var ErrTokenRevoked = errors.New("credentials: token revoked")

Functions

This section is empty.

Types

type Argon2idParams

// Argon2idParams holds the Argon2id cost parameters that Password uses when
// hashing (see NewPassword and DefaultArgon2idParams). Password.Verify reports
// needsRehash when a stored hash was produced with different parameters.
type Argon2idParams struct {
	Time        uint32 // time cost; presumably the Argon2 iteration count — confirm
	MemoryKiB   uint32 // memory cost in KiB
	Parallelism uint8  // degree of parallelism; presumably Argon2 lanes/threads — confirm
}

func DefaultArgon2idParams

func DefaultArgon2idParams() Argon2idParams

type ChallengeStore

type ChallengeStore struct {
	// contains filtered or unexported fields
}

ChallengeStore holds per-session WebAuthn challenges between StartWebAuthnChallenge and Login. It is in-process only (state is not shared across processes) and each challenge expires after the store's TTL.

func NewChallengeStore

func NewChallengeStore(ttl time.Duration) *ChallengeStore

NewChallengeStore creates a new store with the given TTL per challenge.

func (*ChallengeStore) Consume

func (s *ChallengeStore) Consume(_ context.Context, sessionID, id string) ([]byte, error)

Consume retrieves and removes a challenge, so each challenge can be consumed at most once. It returns ErrChallengeNotFound on any mismatch (wrong session, unknown id, or expiry), so the caller cannot distinguish a missing challenge from an expired one (timing safe).

func (*ChallengeStore) Store

func (s *ChallengeStore) Store(_ context.Context, sessionID string, payload []byte) (string, error)

Store records a challenge against a session id and returns an opaque id that the client echoes back on Login.

type Enrollment

type Enrollment struct {
	// contains filtered or unexported fields
}

func NewEnrollment

func NewEnrollment(db *sql.DB) *Enrollment

func (*Enrollment) Mint

func (e *Enrollment) Mint(ctx context.Context, userSlug, intent string, ttl time.Duration) (string, error)

func (*Enrollment) Redeem

func (e *Enrollment) Redeem(ctx context.Context, plaintext string) (EnrollmentLookup, error)

func (*Enrollment) Sweep

func (e *Enrollment) Sweep(ctx context.Context, cutoff time.Time) error

type EnrollmentLookup

// EnrollmentLookup is the result of Enrollment.Redeem: the user and intent
// bound to the redeemed enrollment token.
type EnrollmentLookup struct {
	UserSlug string // user the token was minted for
	Intent   string // presumably one of the Intent* constants — confirm
}

type IssueTokenInput

// IssueTokenInput is the input to Tokens.Issue.
type IssueTokenInput struct {
	UserSlug string        // user the token is issued for
	Label    string        // human-readable label reported back by Tokens.List
	IssuedBy string        // audit provenance of the issuer
	Scope    []byte        // opaque scope blob; interpretation is up to the caller
	TTL      time.Duration // 0 = never expires; negative = born-expired (for testing)
}

type ListedToken

// ListedToken is one row returned by Tokens.List. The plaintext token is not
// part of the listing; only its id and metadata are.
type ListedToken struct {
	TokenID    string
	UserSlug   string
	Label      string
	IssuedAt   time.Time
	IssuedBy   string
	ExpiresAt  *time.Time // nil presumably means no expiry (cf. IssueTokenInput.TTL == 0) — confirm
	RevokedAt  *time.Time // nil presumably means not revoked — confirm
	LastUsedAt *time.Time // nil presumably means never used (see Tokens.TouchLastUsed) — confirm
	Scope      []byte
}

type Lookup

// Lookup is the result of Tokens.Verify: the identity and scope bound to a
// successfully verified token.
type Lookup struct {
	TokenID  string
	UserSlug string
	Label    string
	Scope    []byte // opaque scope blob as supplied in IssueTokenInput.Scope
	IssuedBy string
}

type Passkey

// Passkey is a stored WebAuthn credential, as returned by
// Passkeys.FinishRegistration and Passkeys.List.
type Passkey struct {
	CredentialID []byte // WebAuthn credential id; key for Passkeys.Remove
	UserSlug     string // owning user
	PublicKey    []byte // credential public key used to verify assertions
	SignCount    uint32 // last seen signature counter; FinishLogin bumps it and rejects regressions
	Label        string
	RegisteredAt time.Time
	LastUsedAt   *time.Time // nil presumably means never used for login — confirm
}

type Passkeys

type Passkeys struct {
	// contains filtered or unexported fields
}

func NewPasskeys

func NewPasskeys(db *sql.DB, w *wa.WebAuthn) *Passkeys

func (*Passkeys) BeginLogin

BeginLogin starts a discoverable (resident-key) login ceremony.

func (*Passkeys) BeginRegistration

func (p *Passkeys) BeginRegistration(ctx context.Context, slug, displayName string) (*protocol.CredentialCreation, *wa.SessionData, error)

BeginRegistration starts a registration ceremony for the user identified by slug. It returns the creation options to send to the client and the session data that must be persisted for the finish step.

func (*Passkeys) FinishLogin

func (p *Passkeys) FinishLogin(ctx context.Context, sd *wa.SessionData, response *protocol.ParsedCredentialAssertionData) (string, error)

FinishLogin validates the parsed assertion against the stored credential, rejects a sign-count regression, and updates last_used_at and sign_count. It returns the slug of the user who owns the credential.

func (*Passkeys) FinishRegistration

func (p *Passkeys) FinishRegistration(ctx context.Context, slug, label string, sd *wa.SessionData, response *protocol.ParsedCredentialCreationData) (Passkey, error)

FinishRegistration verifies the parsed registration response, persists the resulting credential, and returns the stored Passkey.

func (*Passkeys) List

func (p *Passkeys) List(ctx context.Context, slug string) ([]Passkey, error)

List returns every Passkey registered for slug, oldest first.

func (*Passkeys) Remove

func (p *Passkeys) Remove(ctx context.Context, credID []byte) error

Remove deletes the passkey with the given credential ID. It is not an error if no such row exists.

type Password

type Password struct {
	// contains filtered or unexported fields
}

func NewPassword

func NewPassword(db *sql.DB, p Argon2idParams) *Password

func (*Password) Delete

func (p *Password) Delete(ctx context.Context, userSlug string) error

func (*Password) Set

func (p *Password) Set(ctx context.Context, userSlug, plaintext, setBy string) error

Set stores or replaces the user's password hash. setBy carries audit provenance ("self", "admin:<slug>", "system:bootstrap").

func (*Password) Verify

func (p *Password) Verify(ctx context.Context, userSlug, plaintext string) (bool, bool, error)

Verify returns (ok, needsRehash, err). ok is false for a missing user, a missing hash, or a wrong password — these cases are indistinguishable to the caller (no user enumeration). needsRehash is true when the stored hash was produced with parameters that differ from the current target.

type Tokens

type Tokens struct {
	// contains filtered or unexported fields
}

func NewTokens

func NewTokens(db *sql.DB) *Tokens

func (*Tokens) Issue

func (t *Tokens) Issue(ctx context.Context, in IssueTokenInput) (plaintext, tokenID string, err error)

func (*Tokens) List

func (t *Tokens) List(ctx context.Context, userSlug string) ([]ListedToken, error)

func (*Tokens) Revoke

func (t *Tokens) Revoke(ctx context.Context, tokenID, byPrincipal string) error

func (*Tokens) TouchLastUsed

func (t *Tokens) TouchLastUsed(ctx context.Context, tokenID string) error

func (*Tokens) Verify

func (t *Tokens) Verify(ctx context.Context, plaintext string) (Lookup, error)
