auth

package
v0.149.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 11, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package auth defines the backend's identity model -- roles with capability checks, the TokenVerifier seam, multi-issuer dispatch, and the HTTP middleware guarding staff routes. Concrete verifiers live in subpackages: auth/oidc (external SSO issuers) and auth/local (built-in users); either or both may be configured, so a deployment can start with local users and add an IdP later without touching handlers.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrUnauthorized = errors.New("auth: missing or invalid token") // 401
	ErrForbidden    = errors.New("auth: insufficient role")        // 403
)

Sentinel errors mapped to HTTP statuses by the middleware.

Functions

func Require

func Require(v TokenVerifier, role Role) func(http.Handler) http.Handler

Require wraps next so it only runs for callers whose bearer token verifies and whose roles include role (or higher). The identity lands in the request context for handlers.

func WithIdentity

func WithIdentity(ctx context.Context, id Identity) context.Context

WithIdentity returns ctx carrying id; tests and middleware use it.

Types

type Identity

type Identity struct {
	// Subject is the issuer-scoped stable id (OIDC sub / local user id).
	Subject string
	Email   string
	Name    string
	Roles   []Role
	// Issuer identifies which configured verifier accepted the token.
	Issuer string
}

Identity is a verified caller.

func FromContext

func FromContext(ctx context.Context) (Identity, bool)

FromContext returns the verified identity a Require middleware stored.

func (Identity) CanAdmin

func (id Identity) CanAdmin() bool

CanAdmin reports administrative capability.

func (Identity) CanModerate

func (id Identity) CanModerate() bool

CanModerate reports queue-triage capability.

func (Identity) CanPublish

func (id Identity) CanPublish() bool

CanPublish reports graph-publishing (cataloger) capability.

func (Identity) Has

func (id Identity) Has(role Role) bool

Has reports whether the identity holds role or a higher-ranked one.

type Multi

type Multi struct {
	// contains filtered or unexported fields
}

Multi dispatches verification by the token's (unverified) issuer claim to the verifier configured for that issuer, which then performs the real signature and claim checks. Unknown issuers are rejected.

func NewMulti

func NewMulti(verifiers map[string]TokenVerifier) *Multi

NewMulti maps issuer URLs to their verifiers.

func (*Multi) Verify

func (m *Multi) Verify(ctx context.Context, raw string) (Identity, error)

Verify routes the token to its issuer's verifier.

type Role

type Role string

Role is a caller's privilege tier. Roles are ranked; holding a role grants every capability of the ranks below it.

const (
	// RolePatron is an authenticated end user with no staff capability.
	RolePatron Role = "patron"
	// RoleModerator triages the review queue but cannot publish to the
	// graph, add manual terms, or read the audit log.
	RoleModerator Role = "moderator"
	// RoleLibrarian catalogs: publishes, edits records, runs exports.
	RoleLibrarian Role = "librarian"
	// RoleAdmin additionally manages users, configuration, and enrichment.
	RoleAdmin Role = "admin"
)

func (Role) Valid

func (r Role) Valid() bool

Valid reports whether r is a known role.

type TokenVerifier

type TokenVerifier interface {
	Verify(ctx context.Context, raw string) (Identity, error)
}

TokenVerifier validates a raw bearer token and returns the caller. Implementations return ErrUnauthorized (possibly wrapped) for tokens they reject.

Directories

Path Synopsis
Package local is the backend's built-in user management -- the auth path for deployments without an external IdP, coexisting with auth/oidc behind auth.Multi.
Package local is the backend's built-in user management -- the auth path for deployments without an external IdP, coexisting with auth/oidc behind auth.Multi.
Package oidc verifies bearer tokens from an external OIDC issuer -- the pluggable-SSO half of the backend's auth (auth/local is the built-in half).
Package oidc verifies bearer tokens from an external OIDC issuer -- the pluggable-SSO half of the backend's auth (auth/local is the built-in half).
Package sitegate is a reusable login gate for a statically hosted site behind CloudFront: authorization code + PKCE against an OIDC issuer as a public client, id_token verification through auth/oidc (JWKS signature, issuer, audience, expiry), a ranked-role check, then CloudFront signed cookies (custom policy) that unlock every other path on the distribution.
Package sitegate is a reusable login gate for a statically hosted site behind CloudFront: authorization code + PKCE against an OIDC issuer as a public client, id_token verification through auth/oidc (JWKS signature, issuer, audience, expiry), a ranked-role check, then CloudFront signed cookies (custom policy) that unlock every other path on the distribution.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL