Documentation
¶
Overview ¶
Package sitegate is a reusable login gate for a statically hosted site behind CloudFront: authorization code + PKCE against an OIDC issuer as a public client, id_token verification through auth/oidc (JWKS signature, issuer, audience, expiry), a ranked-role check, then CloudFront signed cookies (custom policy) that unlock every other path on the distribution. Unauthenticated visitors hit the distribution's 403 custom error page ({prefix}/gate), which bounces them into the flow and back to the page they asked for.
The handler speaks plain net/http, so a Lambda deployment wraps it with backend/awslambda.Handler (Function URLs share the API Gateway v2 payload shape) and a container or VM deployment mounts it directly.
Example ¶
Example is the whole of an adopter's Function-URL Lambda main: load config, wrap the gate with the API-Gateway-v2 adapter (Function URLs share its payload shape), start. Compiled but not executed (no Output comment).
package main
import (
"context"
"log"
"os"
"github.com/aws/aws-lambda-go/lambda"
"github.com/freeeve/libcat/backend/auth/sitegate"
"github.com/freeeve/libcat/backend/awslambda"
)
func main() {
gate, err := sitegate.New(context.Background(), sitegate.Config{
Issuer: os.Getenv("GATE_ISSUER"),
ClientID: os.Getenv("GATE_CLIENT_ID"),
SiteDomain: os.Getenv("GATE_SITE_DOMAIN"),
KeyPairID: os.Getenv("GATE_KEY_PAIR_ID"),
PrivateKeyPEM: os.Getenv("GATE_CF_PRIVATE_KEY_PEM"),
})
if err != nil {
log.Fatal(err)
}
lambda.Start(awslambda.Handler(gate))
}
Output:
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
// Issuer is the OIDC issuer URL; the gate is a public client of it.
Issuer string
// ClientID is the public OIDC client id; the id_token's aud must match.
ClientID string
// SiteDomain is the site's host, e.g. "opac.example.org" -- it scopes
// the CloudFront cookies and forms the redirect_uri
// (https://{SiteDomain}{PathPrefix}/callback).
SiteDomain string
// KeyPairID is the CloudFront public key id (K...) of the signer whose
// public half is registered in the distribution's trusted key group.
KeyPairID string
// PrivateKeyPEM is the CloudFront signer's RSA private key (PKCS#1 or
// PKCS#8 PEM).
PrivateKeyPEM string
// MinRole is the lowest role admitted; higher-ranked roles pass too.
// Default auth.RoleLibrarian.
MinRole auth.Role
// RoleClaim and RoleMap configure how the id_token's roles are read;
// both pass through to oidc.Config.
RoleClaim string
RoleMap map[string]auth.Role
// JWKSURL overrides key discovery (passes through to oidc.Config).
JWKSURL string
// Scopes overrides the requested scopes. Default openid, email, profile.
Scopes []string
// SiteName titles the interstitial gate page. Default SiteDomain.
SiteName string
// PathPrefix is where the distribution routes the gate. Default "/_auth".
PathPrefix string
// SessionTTL bounds the signed cookies; revocation is expiry. Default 12h.
SessionTTL time.Duration
// HTTPClient overrides the client used against the issuer (tests).
HTTPClient *http.Client
}
Config describes one gated site.
type Gate ¶
type Gate struct {
// contains filtered or unexported fields
}
Gate is the http.Handler serving {PathPrefix}/{login,callback,logout,gate}.