middleware

package
v0.2.0 Latest
Published: Jun 24, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package middleware holds the goravel-authkit HTTP middleware: the session guard (Authenticated) and the login rate-limiter (RateLimitAuth).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Authenticated

func Authenticated(guard string, users repositories.UsersRepository) contractshttp.Middleware

Authenticated guards routes behind the named session guard. It:

  1. resolves the session's user id (401 on no session) and loads the user from the instance's table (401 on a deleted user),
  2. compares the login-stamped password_changed_at with the DB value — a mismatch means the password changed after this session was issued, so this (older) session is logged out (401),
  3. injects the user id into the request context (helpers.CtxAuthUserID).

func FormatPasswordTimestamp

func FormatPasswordTimestamp(t time.Time) string

FormatPasswordTimestamp renders a password_changed_at value in the canonical form stored in the session. Exported so the login handler stamps it in the same format Authenticated compares against.
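The three Authenticated steps and the stamp comparison they rely on, as an added stand-alone example (not authkit's own code): the session shape, the user record, the `find` callback standing in for repositories.UsersRepository, and the RFC3339Nano/UTC canonical form are all assumptions made here for illustration. It shows why the stamp is compared as a string in one fixed form rather than as two time.Time values: the same instant read back in another zone still matches, while a later password change turns the older session into a 401.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// formatPasswordTimestamp is the ASSUMED canonical form (UTC, RFC3339Nano); the real
// authkit format may differ, but login and the guard must use the same string form.
func formatPasswordTimestamp(t time.Time) string {
	return t.UTC().Format(time.RFC3339Nano)
}

// sessionState is the hypothetical slice of the session the guard reads.
type sessionState struct {
	UserID            string // "" means no session
	PasswordChangedAt string // stamped at login via formatPasswordTimestamp
}

// userRow is the minimal user record the guard needs (hypothetical shape).
type userRow struct {
	ID                string
	PasswordChangedAt time.Time
}

var errNotFound = errors.New("user not found") // what find returns for a deleted user

// authenticate reproduces the three guard steps. It returns the user id to
// inject into the request context and 200, or "" and 401.
func authenticate(s sessionState, find func(id string) (userRow, error)) (string, int) {
	if s.UserID == "" {
		return "", http.StatusUnauthorized // step 1: no session
	}
	u, err := find(s.UserID)
	if err != nil {
		return "", http.StatusUnauthorized // step 1: user deleted since login
	}
	// step 2: a mismatch means the password changed after this session was issued
	if s.PasswordChangedAt != formatPasswordTimestamp(u.PasswordChangedAt) {
		return "", http.StatusUnauthorized
	}
	return u.ID, http.StatusOK // step 3: caller stores u.ID under the auth-user key
}

func main() {
	// No session: rejected before the repository is even consulted.
	fmt.Println(authenticate(sessionState{}, nil))
}
```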

func RateLimitAuth

func RateLimitAuth(maxAttempts int, window time.Duration) contractshttp.Middleware

RateLimitAuth limits the login endpoint to maxAttempts per window per IP. Recommended: 5 attempts per minute. Pass a large maxAttempts in a local/dev environment to relax it.

Each call builds its OWN limiter, captured in the returned middleware closure, so two authkit instances mounted in one app never share a single IP-keyed bucket (a client login failure must not count against the admin limit).

func RememberLogin

func RememberLogin(guard, rememberCookieName string, users repositories.UsersRepository, remember *services.Remember, audit *services.Audit, sessions *services.Sessions) contractshttp.Middleware

RememberLogin re-establishes a session from a valid "remember me" cookie when the request has no live session. It must run BEFORE Authenticated (so the freshly-logged-in user is seen) and only matters on guarded routes. When the cookie is missing or invalid, or the request is already authenticated, it is a transparent no-op (invalid cookies are cleared). On success it logs the user in via the native session guard, stamps password_changed_at, rotates the session id, re-issues the rotated remember cookie, and audits the silent login. A disabled account is refused and its remember tokens revoked. Pass a nil audit to skip the audit write.

func RequireRole

func RequireRole(guard string, users repositories.UsersRepository, allowed ...string) contractshttp.Middleware

RequireRole rejects authenticated users whose role is not in allowed. It must run AFTER Authenticated. The /users routes are always mounted with a non-empty allow-list (defaulting to "admin", fail-closed), so this gate is real for them. An empty allowed list is a defensive no-op; callers should never pass one for a route that must be protected.

func TrackSession

func TrackSession(guard string, sessions *services.Sessions) contractshttp.Middleware

TrackSession enforces the active-session list: it refreshes the current session's last-active time and, when the row is gone, treats the session as terminated (signs it out). It must run AFTER Authenticated (a live session is assumed). Rows are created at login, not here — so a missing row means the session was terminated remotely (or predates the feature). A DB error fails open so a transient outage doesn't lock everyone out.

Types

This section is empty.
