Documentation
¶
Overview ¶
Package local is the backend's built-in user management -- the auth path for deployments without an external IdP, coexisting with auth/oidc behind auth.Multi. Users live in the document store (argon2id password hashes); access tokens are short-lived Ed25519-signed JWTs from the service's own issuer; refresh tokens are opaque, stored hashed with TTL, and rotate on every use.
Index ¶
- Variables
- type Service
- func (s *Service) Bootstrap(ctx context.Context, spec string) (restored bool, err error)
- func (s *Service) CreateUser(ctx context.Context, email, name, password string, roles []auth.Role) error
- func (s *Service) DeleteUser(ctx context.Context, email string) error
- func (s *Service) GetUser(ctx context.Context, email string) (UserInfo, error)
- func (s *Service) Issuer() string
- func (s *Service) ListUsers(ctx context.Context) ([]UserInfo, error)
- func (s *Service) Login(ctx context.Context, email, password string) (Tokens, error)
- func (s *Service) Logout(ctx context.Context, refreshToken string) error
- func (s *Service) Refresh(ctx context.Context, refreshToken string) (Tokens, error)
- func (s *Service) SetClock(now func() time.Time)
- func (s *Service) SetPassword(ctx context.Context, email, password string) error
- func (s *Service) SetRoles(ctx context.Context, email string, roles []auth.Role) error
- func (s *Service) Verify(ctx context.Context, raw string) (auth.Identity, error)
- type Tokens
- type UserInfo
Constants ¶
This section is empty.
Variables ¶
var ErrBadCredentials = errors.New("local: bad credentials")
ErrBadCredentials covers unknown user and wrong password identically, so login responses cannot be used to probe for accounts.
var ErrLastAdmin = errors.New("local: cannot remove the last admin")
ErrLastAdmin refuses removing the deployment's only admin -- by demotion or deletion -- because no supported path could restore administration afterwards (tasks/207).
var ErrRateLimited = errors.New("local: rate limited")
ErrRateLimited reports too many recent login failures for the account.
var ErrUserExists = errors.New("local: user exists")
ErrUserExists reports a create against an existing email.
var ErrUserNotFound = errors.New("local: user not found")
ErrUserNotFound reports an operation on an unknown email.
Functions ¶
This section is empty.
Types ¶
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
Service implements built-in users and auth.TokenVerifier for its own issued tokens.
func New ¶
New wires the service. issuer must be unique among the deployment's configured issuers (auth.Multi dispatches on it); key signs access tokens.
func (*Service) Bootstrap ¶
Bootstrap ensures a first admin exists, from a "email:password" spec (LCATD_BOOTSTRAP_ADMIN). Safe to run on every boot: an existing user is a no-op UNLESS they lack the admin role, in which case admin is re-granted (restored=true) -- the documented recovery hatch must actually recover a demoted bootstrap admin, not silently do nothing (tasks/207).
func (*Service) CreateUser ¶
func (s *Service) CreateUser(ctx context.Context, email, name, password string, roles []auth.Role) error
CreateUser adds a user with the given roles.
func (*Service) DeleteUser ¶
DeleteUser removes a user (their refresh tokens die at next use). Deleting the deployment's only admin is refused (tasks/207).
func (*Service) Login ¶
Login checks credentials and issues tokens. Failures count toward a per-account hourly cap.
func (*Service) Refresh ¶
Refresh rotates a refresh token: the presented token is retired and a new pair is issued. A reused (already-rotated) token fails.
func (*Service) SetPassword ¶
SetPassword replaces a user's password.
func (*Service) SetRoles ¶
SetRoles replaces a user's roles. Removing admin from the deployment's only admin is refused (tasks/207); the read-then-write window between two concurrent demotions of two different admins is accepted -- the guard targets the fat-fingered single request, not a coordinated race.