sitegate

package
v0.167.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 11, 2026 License: MIT Imports: 20 Imported by: 0

Documentation

Overview

Package sitegate is a reusable login gate for a statically hosted site behind CloudFront: authorization code + PKCE against an OIDC issuer as a public client, id_token verification through auth/oidc (JWKS signature, issuer, audience, expiry), a ranked-role check, then CloudFront signed cookies (custom policy) that unlock every other path on the distribution. Unauthenticated visitors hit the distribution's 403 custom error page ({prefix}/gate), which bounces them into the flow and back to the page they asked for.

The handler speaks plain net/http, so a Lambda deployment wraps it with backend/awslambda.Handler (Function URLs share the API Gateway v2 payload shape) and a container or VM deployment mounts it directly.

Example

Example is the whole of an adopter's Function-URL Lambda main: load config, wrap the gate with the API-Gateway-v2 adapter (Function URLs share its payload shape), start. Compiled but not executed (no Output comment).

package main

import (
	"context"
	"log"
	"os"

	"github.com/aws/aws-lambda-go/lambda"

	"github.com/freeeve/libcat/backend/auth/sitegate"
	"github.com/freeeve/libcat/backend/awslambda"
)

func main() {
	gate, err := sitegate.New(context.Background(), sitegate.Config{
		Issuer:        os.Getenv("GATE_ISSUER"),
		ClientID:      os.Getenv("GATE_CLIENT_ID"),
		SiteDomain:    os.Getenv("GATE_SITE_DOMAIN"),
		KeyPairID:     os.Getenv("GATE_KEY_PAIR_ID"),
		PrivateKeyPEM: os.Getenv("GATE_CF_PRIVATE_KEY_PEM"),
	})
	if err != nil {
		log.Fatal(err)
	}
	lambda.Start(awslambda.Handler(gate))
}

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// Issuer is the OIDC issuer URL; the gate is a public client of it.
	Issuer string
	// ClientID is the public OIDC client id; the id_token's aud must match.
	ClientID string
	// SiteDomain is the site's host, e.g. "opac.example.org" -- it scopes
	// the CloudFront cookies and forms the redirect_uri
	// (https://{SiteDomain}{PathPrefix}/callback).
	SiteDomain string
	// KeyPairID is the CloudFront public key id (K...) of the signer whose
	// public half is registered in the distribution's trusted key group.
	KeyPairID string
	// PrivateKeyPEM is the CloudFront signer's RSA private key (PKCS#1 or
	// PKCS#8 PEM).
	PrivateKeyPEM string
	// MinRole is the lowest role admitted; higher-ranked roles pass too.
	// Default auth.RoleLibrarian.
	MinRole auth.Role
	// RoleClaim and RoleMap configure how the id_token's roles are read;
	// both pass through to oidc.Config.
	RoleClaim string
	RoleMap   map[string]auth.Role
	// JWKSURL overrides key discovery (passes through to oidc.Config).
	JWKSURL string
	// Scopes overrides the requested scopes. Default openid, email, profile.
	Scopes []string
	// SiteName titles the interstitial gate page. Default SiteDomain.
	SiteName string
	// PathPrefix is where the distribution routes the gate. Default "/_auth".
	PathPrefix string
	// SessionTTL bounds the signed cookies; revocation is expiry. Default 12h.
	SessionTTL time.Duration
	// HTTPClient overrides the client used against the issuer (tests).
	HTTPClient *http.Client
}

Config describes one gated site.

type Gate

type Gate struct {
	// contains filtered or unexported fields
}

Gate is the http.Handler serving {PathPrefix}/{login,callback,logout,gate}.

func New

func New(ctx context.Context, cfg Config) (*Gate, error)

New validates cfg, parses the CloudFront signer key, and wires the id_token verifier (JWKS fetching is cached and auto-refreshed by auth/oidc). Endpoint discovery happens lazily on the first login, so an issuer outage does not fail construction.

func (*Gate) ServeHTTP

func (g *Gate) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP routes the four gate paths; everything else is 404.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL