Documentation
¶
Overview ¶
Package auth provides authentication primitives and middleware components. It supports token abstraction, extraction from HTTP/gRPC requests, validation via Firebase, and context injection.
Key components: - Token: Represents an authentication token with claims. - Authenticator: Validates tokens (currently supports Firebase ID tokens). - TokenExtractor: Extracts tokens from requests (HTTP headers or gRPC metadata). - ContextInjector: Injects validated tokens into the context for usage by services.
Index ¶
- Constants
- func FxModule() fx.Option
- func InjectTokenInCtx(ctx context.Context, token Token) context.Context
- func MustOrgID(ctx context.Context) (string, error)
- func NewBaseAuthenticator[R any](tokenExtractor TokenExtractor[R], contextInjector ContextInjector, ...) *baseAuthenticator[R]
- func NewGrpcAuthenticator(params GrpcAuthenticatorParams) *grpcAuthenticator
- func NewGrpcTokenExtractor() *grpcTokenExtractor
- func NewHTTPTokenExtractor() *httpTokenExtractor
- func NewHttpAuthenticator(tokenExtractor TokenExtractor[*http.Request], contextInjector ContextInjector, ...) *httpAuthenticator
- func NewToken(value string, typ TokenType, claims TokenClaims) (*token, error)
- func NewTokenContextInjector() *tokenContextInjector
- func OrgIDFromCtx(ctx context.Context) (string, bool)
- func OrgRoleFromCtx(ctx context.Context) (string, bool)
- type ContextInjector
- type GrpcAuthenticatorParams
- type HmacCredentials
- type Token
- type TokenClaims
- type TokenExtractor
- type TokenType
Constants ¶
View Source
const ( AuthorizationHeader = "Authorization" BearerPrefix = "Bearer " )
View Source
const ( // SystemAccountID is a fixed UUID for system-internal calls to allow easy identification SystemAccountID = "ffffffff-ffff-ffff-ffff-ffffffffffff" SystemUsername = "system" )
View Source
const ( ClaimOrgID = "org_id" ClaimOrgRole = "org_role" )
Active-organization claims carried by the access token (set by the identity service at issuance). Consumers read these to scope tenant data.
Variables ¶
This section is empty.
Functions ¶
func MustOrgID ¶ added in v0.6.0
MustOrgID returns the active organization id or an Unauthorized error when the request carries no active org — the fail-closed default for tenant-scoped repositories.
func NewBaseAuthenticator ¶
func NewBaseAuthenticator[R any]( tokenExtractor TokenExtractor[R], contextInjector ContextInjector, firebaseClient firebase.Client, hmacValidator jwt.Validator, ) *baseAuthenticator[R]
func NewGrpcAuthenticator ¶
func NewGrpcAuthenticator(params GrpcAuthenticatorParams) *grpcAuthenticator
func NewGrpcTokenExtractor ¶
func NewGrpcTokenExtractor() *grpcTokenExtractor
func NewHTTPTokenExtractor ¶
func NewHTTPTokenExtractor() *httpTokenExtractor
func NewHttpAuthenticator ¶
func NewHttpAuthenticator( tokenExtractor TokenExtractor[*http.Request], contextInjector ContextInjector, firebaseClient firebase.Client, hmacValidator jwt.Validator, ) *httpAuthenticator
func NewTokenContextInjector ¶
func NewTokenContextInjector() *tokenContextInjector
func OrgIDFromCtx ¶ added in v0.6.0
OrgIDFromCtx returns the active organization id from the request token, and false when no token or no active org is present.
Types ¶
type ContextInjector ¶
type GrpcAuthenticatorParams ¶
type GrpcAuthenticatorParams struct {
fx.In
TokenExtractor TokenExtractor[metadata.MD]
ContextInjector ContextInjector
FirebaseClient firebase.Client `optional:"true"`
HmacValidator jwt.Validator
}
type HmacCredentials ¶
type HmacCredentials struct {
// contains filtered or unexported fields
}
HmacCredentials implements credentials.PerRPCCredentials
func NewHmacCredentials ¶
func NewHmacCredentials(issuer jwt.Issuer) *HmacCredentials
func (*HmacCredentials) GetRequestMetadata ¶
func (*HmacCredentials) RequireTransportSecurity ¶
func (c *HmacCredentials) RequireTransportSecurity() bool
type Token ¶
type Token interface {
Claims() TokenClaims
Value() string
Type() TokenType
}
func TokenFromCtx ¶
type TokenClaims ¶
type TokenExtractor ¶
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
Package authtest provides test fixtures (stub authenticators, signed JWTs, etc.) that downstream services use to exercise auth-protected HTTP / gRPC handlers without spinning up a real identity provider.
|
Package authtest provides test fixtures (stub authenticators, signed JWTs, etc.) that downstream services use to exercise auth-protected HTTP / gRPC handlers without spinning up a real identity provider. |
|
Package jwt provides JWT-based authentication primitives — signing helpers, HMAC + RSA verifiers, claims parsing — used by the kit/auth HTTP + gRPC interceptors.
|
Package jwt provides JWT-based authentication primitives — signing helpers, HMAC + RSA verifiers, claims parsing — used by the kit/auth HTTP + gRPC interceptors. |
|
Package oidc is a minimal OIDC *client*: discovery, an authorization-code + PKCE redirect, code→token exchange, and ID-token verification.
|
Package oidc is a minimal OIDC *client*: discovery, an authorization-code + PKCE redirect, code→token exchange, and ID-token verification. |
|
Package password hashes and verifies passwords with argon2id (PHC-encoded).
|
Package password hashes and verifies passwords with argon2id (PHC-encoded). |
|
Package provider defines the IdentityProvider interface that the HTTP + gRPC authenticators delegate to.
|
Package provider defines the IdentityProvider interface that the HTTP + gRPC authenticators delegate to. |
Click to show internal directories.
Click to hide internal directories.