core

package
v0.16.0

Warning: This package is not in the latest version of its module.
Published: Mar 4, 2026 License: MIT Imports: 2 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthProvider

type AuthProvider interface {
	Authenticate(ctx context.Context, username, password string) (*AuthResult, error)
	Name() string
}

AuthProvider is the interface that password-based authentication backends must implement.

type AuthResult

type AuthResult struct {
	Username   string
	ExternalID string // External user ID (e.g., LDAP DN, API user ID)
	Email      string // Optional
	FullName   string // Optional
	Success    bool
}

AuthResult holds the outcome of an authentication attempt.
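The following is an added example, not code from this package, showing what an AuthProvider backend has to get right beyond the two method signatures: store a salted hash rather than the password, compare it in constant time, and do the same amount of work for an unknown username as for a wrong password so the response cannot be used to enumerate accounts. Everything below the two copied type definitions (memoryAuthProvider, AddUser, the decoy record, the choice to report bad credentials as Success=false with a nil error) is an assumption of this example; the page does not say how its own providers behave on failure. Salted SHA-256 is used only to stay inside the standard library; a real backend should use argon2id or bcrypt.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// AuthResult and AuthProvider are copied from the package documentation so the
// example compiles on its own.
type AuthResult struct {
	Username   string
	ExternalID string
	Email      string
	FullName   string
	Success    bool
}

type AuthProvider interface {
	Authenticate(ctx context.Context, username, password string) (*AuthResult, error)
	Name() string
}

// userRecord holds a salted hash, never the password. Assumption: salted
// SHA-256 is used only to stay within the standard library; a real backend
// should use a memory-hard KDF such as argon2id or bcrypt.
type userRecord struct {
	username, id, email, fullName string
	salt, hash                    []byte
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure is not something to continue past
	}
	return b
}

func canonical(username string) string { return strings.ToLower(strings.TrimSpace(username)) }

// memoryAuthProvider is a hypothetical in-memory backend (not part of the package).
type memoryAuthProvider struct {
	users map[string]userRecord // keyed by canonical username
	decoy userRecord            // hashed for unknown users so timing does not reveal existence
}

var _ AuthProvider = (*memoryAuthProvider)(nil)

func newMemoryAuthProvider() *memoryAuthProvider {
	salt := randomBytes(16)
	return &memoryAuthProvider{
		users: map[string]userRecord{},
		decoy: userRecord{salt: salt, hash: hashPassword(salt, string(randomBytes(32)))},
	}
}

func (p *memoryAuthProvider) AddUser(username, password, id, email, fullName string) {
	salt := randomBytes(16)
	p.users[canonical(username)] = userRecord{username: username, id: id, email: email,
		fullName: fullName, salt: salt, hash: hashPassword(salt, password)}
}

func (p *memoryAuthProvider) Name() string { return "memory" }

// Authenticate reports bad credentials as Success=false with a nil error and
// reserves the error return for backend failures (here a cancelled context).
// Unknown user and wrong password are indistinguishable to the caller and cost
// the same work (decoy hash + constant-time compare), so the response does not
// leak which accounts exist.
func (p *memoryAuthProvider) Authenticate(ctx context.Context, username, password string) (*AuthResult, error) {
	if err := ctx.Err(); err != nil {
		return nil, fmt.Errorf("memory auth: %w", err)
	}
	rec, known := p.users[canonical(username)]
	if !known {
		rec = p.decoy
	}
	match := subtle.ConstantTimeCompare(hashPassword(rec.salt, password), rec.hash) == 1
	if !match || !known {
		return &AuthResult{Success: false}, nil
	}
	return &AuthResult{Username: rec.username, ExternalID: rec.id, Email: rec.email,
		FullName: rec.fullName, Success: true}, nil
}

func main() {
	p := newMemoryAuthProvider()
	p.AddUser("Alice", "correct horse battery staple", "uid-1", "alice@example.com", "Alice Example")
	res, err := p.Authenticate(context.Background(), "  ALICE ", "correct horse battery staple")
	fmt.Println(res.Success, res.ExternalID, err)
}
```

Username canonicalisation (trim and lower-case) is done on the lookup key only; the AuthResult carries the username as registered, which is what a caller mapping to ExternalID usually wants.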

type Cache

type Cache[T any] interface {
	// Get retrieves a single value from cache.
	// Returns ErrCacheMiss if the key does not exist or has expired.
	Get(ctx context.Context, key string) (T, error)

	// Set stores a single value in cache with TTL
	Set(ctx context.Context, key string, value T, ttl time.Duration) error

	// MGet retrieves multiple values from cache.
	// Returns a map of key->value for keys that exist and have not expired.
	MGet(ctx context.Context, keys []string) (map[string]T, error)

	// MSet stores multiple values in cache with TTL
	MSet(ctx context.Context, values map[string]T, ttl time.Duration) error

	// Delete removes a key from cache
	Delete(ctx context.Context, key string) error

	// Close closes the cache connection
	Close() error

	// Health checks if the cache is healthy
	Health(ctx context.Context) error

	// GetWithFetch retrieves a value using the cache-aside pattern.
	// On cache miss, fetchFunc is called and the result is stored in cache.
	// Implementations may provide stampede protection (e.g. RueidisAsideCache).
	GetWithFetch(
		ctx context.Context,
		key string,
		ttl time.Duration,
		fetchFunc func(ctx context.Context, key string) (T, error),
	) (T, error)
}

Cache[T] defines the primitive operations for a key-value cache. T is the type of value stored in the cache (e.g. int64, string, or a struct).

type IDTokenParams

type IDTokenParams struct {
	Issuer   string
	Subject  string // UserID
	Audience string // ClientID
	AuthTime time.Time
	Nonce    string
	Expiry   time.Duration
	AtHash   string // base64url(SHA-256(access_token)[:16]) – optional

	// Scope-gated profile claims (include when "profile" scope was granted)
	Name              string
	PreferredUsername string
	Picture           string
	UpdatedAt         *time.Time

	// Scope-gated email claims (include when "email" scope was granted)
	Email         string
	EmailVerified bool
}

IDTokenParams holds all data needed to generate an OIDC ID Token (OIDC Core 1.0 §2).

type IDTokenProvider

type IDTokenProvider interface {
	GenerateIDToken(params IDTokenParams) (string, error)
}

IDTokenProvider is an optional capability of a TokenProvider. Only LocalTokenProvider implements it; HTTP API providers cannot produce OIDC ID tokens.
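As an added example that is not the package's LocalTokenProvider, the block below shows what GenerateIDToken has to produce from IDTokenParams: the required iss/sub/aud/iat/exp claims, auth_time and nonce when present, at_hash computed as the comment on the struct describes (left-most 128 bits of SHA-256 of the access token, base64url without padding, which is the rule for a SHA-256-based alg such as ES256 or RS256), and the scope-gated profile and email claims emitted only when the caller populated them. The token is signed as a compact JWS with ES256; note that JWS encodes the ECDSA signature as fixed-width r||s, not the ASN.1 DER that the Go ecdsa package produces by default. es256IDTokenProvider, AtHash, Claims and verifyES256 are names and design choices of this example, not of the package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IDTokenParams is copied from the package documentation.
type IDTokenParams struct {
	Issuer, Subject, Audience, Nonce, AtHash string
	AuthTime                                 time.Time
	Expiry                                   time.Duration
	Name, PreferredUsername, Picture, Email  string
	UpdatedAt                                *time.Time
	EmailVerified                            bool
}

var b64 = base64.RawURLEncoding

// AtHash computes at_hash for a SHA-256-based JWS alg (ES256/RS256): the
// left-most 128 bits of SHA-256(access_token), base64url without padding.
func AtHash(accessToken string) string {
	sum := sha256.Sum256([]byte(accessToken))
	return b64.EncodeToString(sum[:16])
}

// es256IDTokenProvider is a hypothetical provider (not the package's
// LocalTokenProvider) that signs ID tokens with a P-256 key.
type es256IDTokenProvider struct {
	key *ecdsa.PrivateKey
	kid string // key id in the header, so verifiers can follow key rotation
}

func newES256IDTokenProvider(kid string) (*es256IDTokenProvider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &es256IDTokenProvider{key: key, kid: kid}, nil
}

// Claims builds the claim set. Scope gating stays with the caller, which leaves
// profile/email fields empty when the scope was not granted; empty optional
// fields are not emitted, and email_verified only travels together with email.
func (p *es256IDTokenProvider) Claims(params IDTokenParams) (map[string]any, error) {
	if params.Issuer == "" || params.Subject == "" || params.Audience == "" || params.Expiry <= 0 {
		return nil, errors.New("iss, sub, aud and a positive expiry are required")
	}
	now := time.Now()
	c := map[string]any{"iss": params.Issuer, "sub": params.Subject, "aud": params.Audience,
		"iat": now.Unix(), "exp": now.Add(params.Expiry).Unix()}
	if !params.AuthTime.IsZero() {
		c["auth_time"] = params.AuthTime.Unix()
	}
	for k, v := range map[string]string{"nonce": params.Nonce, "at_hash": params.AtHash, "name": params.Name,
		"preferred_username": params.PreferredUsername, "picture": params.Picture} {
		if v != "" {
			c[k] = v
		}
	}
	if params.UpdatedAt != nil {
		c["updated_at"] = params.UpdatedAt.Unix()
	}
	if params.Email != "" {
		c["email"], c["email_verified"] = params.Email, params.EmailVerified
	}
	return c, nil
}

// GenerateIDToken serialises the claims as a compact JWS signed with ES256.
func (p *es256IDTokenProvider) GenerateIDToken(params IDTokenParams) (string, error) {
	claims, err := p.Claims(params)
	if err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": p.kid})
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, p.key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 is fixed-width r||s (32+32 bytes), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyES256 checks a raw r||s signature over signingInput (header.payload).
func verifyES256(pub *ecdsa.PublicKey, signingInput string, sig []byte) bool {
	if len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(signingInput))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

func main() {
	p, _ := newES256IDTokenProvider("2026-03")
	fmt.Println(p.GenerateIDToken(IDTokenParams{Issuer: "https://issuer.example", Subject: "user-42",
		Audience: "client-abc", Expiry: time.Hour, Nonce: "n-0S6_WzA2Mj", AtHash: AtHash("access-token")}))
}
```

Because the capability is optional, a caller holding a TokenProvider should type-assert for IDTokenProvider before honouring an openid request and fail that request explicitly when the assertion does not hold, rather than returning a token response without an id_token.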

type MetricsStore

type MetricsStore interface {
	CountActiveTokensByCategory(category string) (int64, error)
	CountTotalDeviceCodes() (int64, error)
	CountPendingDeviceCodes() (int64, error)
}

MetricsStore defines the DB operations needed by CacheWrapper.

type Recorder

type Recorder interface {
	// OAuth Device Flow
	RecordOAuthDeviceCodeGenerated(success bool)
	RecordOAuthDeviceCodeAuthorized(authorizationTime time.Duration)
	RecordOAuthDeviceCodeValidation(result string)

	// Token Operations
	RecordTokenIssued(tokenType, grantType string, generationTime time.Duration, provider string)
	RecordTokenRevoked(tokenType, reason string)
	RecordTokenRefresh(success bool)
	RecordTokenValidation(result string, duration time.Duration, provider string)

	// Authentication
	RecordAuthAttempt(method string, success bool, duration time.Duration)
	RecordLogin(authSource string, success bool)
	RecordLogout(sessionDuration time.Duration)
	RecordOAuthCallback(provider string, success bool)
	RecordExternalAPICall(provider string, duration time.Duration)

	// Session Management
	RecordSessionExpired(reason string, duration time.Duration)
	RecordSessionInvalidated(reason string)

	// Gauge Setters (for periodic updates)
	SetActiveTokensCount(tokenType string, count int)
	SetActiveDeviceCodesCount(total, pending int)
	SetActiveSessionsCount(count int)

	// Database Operations
	RecordDatabaseQueryError(operation string)
}

Recorder defines the interface for recording application metrics. Implementations include Metrics (Prometheus-based) and NoopMetrics (no-op).

type TokenProvider

type TokenProvider interface {
	GenerateToken(ctx context.Context, userID, clientID, scopes string) (*TokenResult, error)
	GenerateRefreshToken(ctx context.Context, userID, clientID, scopes string) (*TokenResult, error)
	// GenerateClientCredentialsToken generates a token for the client_credentials grant.
	// HTTP API provider delegates to GenerateToken; local provider may apply
	// a different expiry or claim set.
	GenerateClientCredentialsToken(
		ctx context.Context,
		userID, clientID, scopes string,
	) (*TokenResult, error)
	ValidateToken(ctx context.Context, tokenString string) (*TokenValidationResult, error)
	RefreshAccessToken(
		ctx context.Context,
		refreshToken string,
		enableRotation bool,
	) (*TokenRefreshResult, error)
	Name() string
}

TokenProvider is the interface that token-generation backends must implement. Both LocalTokenProvider and HTTPTokenProvider satisfy this interface.

type TokenRefreshResult

type TokenRefreshResult struct {
	AccessToken  *TokenResult // required
	RefreshToken *TokenResult // non-nil only in rotation mode
	Success      bool
}

TokenRefreshResult is the outcome of a refresh-token exchange.

type TokenResult

type TokenResult struct {
	TokenString string
	TokenType   string
	ExpiresAt   time.Time
	Claims      map[string]any
	Success     bool
}

TokenResult is the outcome of a token generation call.
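The refresh contract above (RefreshAccessToken with enableRotation, TokenRefreshResult carrying a RefreshToken only in rotation mode) is shown below in an added example that is not the package's LocalTokenProvider or HTTPTokenProvider. It implements only the refresh half of TokenProvider over an in-memory store and adds the check that makes rotation worth having: once a refresh token has been rotated, presenting it again means either the client or a thief holds a stale copy, so the whole token family is revoked. That reuse-detection policy, the opaque random token format, the TTLs and the names refreshStore, Issue and ErrRefreshTokenReuse are assumptions of this example; the page does not document how the package itself reacts to reuse.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenResult and TokenRefreshResult are copied from the package documentation.
type TokenResult struct {
	TokenString string
	TokenType   string
	ExpiresAt   time.Time
	Claims      map[string]any
	Success     bool
}

type TokenRefreshResult struct {
	AccessToken  *TokenResult // required
	RefreshToken *TokenResult // non-nil only in rotation mode
	Success      bool
}

var (
	ErrInvalidRefreshToken = errors.New("refresh token unknown, expired or revoked")
	ErrRefreshTokenReuse   = errors.New("refresh token reuse detected; token family revoked")
)

// refreshRecord is the server-side state for one refresh token.
type refreshRecord struct {
	userID, clientID, scopes string
	family                   string // every token descended from one grant shares a family id
	expires                  time.Time
	consumed                 bool // set once rotation has replaced this token
}

// refreshStore is a hypothetical backend (not the package's LocalTokenProvider)
// implementing only the RefreshAccessToken half of TokenProvider.
type refreshStore struct {
	mu         sync.Mutex
	tokens     map[string]*refreshRecord
	revoked    map[string]bool // families killed after a reuse
	now        func() time.Time
	accessTTL  time.Duration
	refreshTTL time.Duration
}

func newRefreshStore() *refreshStore {
	return &refreshStore{tokens: map[string]*refreshRecord{}, revoked: map[string]bool{},
		now: time.Now, accessTTL: 15 * time.Minute, refreshTTL: 30 * 24 * time.Hour}
}

// opaqueToken returns 256 bits from the CSPRNG; these tokens are lookup keys, not JWTs.
func opaqueToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Issue mints the first refresh token of a new family for a fresh grant.
func (s *refreshStore) Issue(userID, clientID, scopes string) *TokenResult {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issueLocked(userID, clientID, scopes, opaqueToken())
}

func (s *refreshStore) issueLocked(userID, clientID, scopes, family string) *TokenResult {
	tok, exp := opaqueToken(), s.now().Add(s.refreshTTL)
	s.tokens[tok] = &refreshRecord{userID: userID, clientID: clientID, scopes: scopes, family: family, expires: exp}
	return &TokenResult{TokenString: tok, TokenType: "refresh_token", ExpiresAt: exp, Success: true}
}

// RefreshAccessToken mirrors TokenProvider.RefreshAccessToken. With enableRotation
// the presented token is consumed and a replacement is returned; presenting a
// consumed token again is treated as theft and the whole family is revoked.
func (s *refreshStore) RefreshAccessToken(ctx context.Context, refreshToken string, enableRotation bool) (*TokenRefreshResult, error) {
	if err := ctx.Err(); err != nil {
		return nil, err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[refreshToken]
	if !ok || !s.now().Before(rec.expires) || s.revoked[rec.family] {
		return nil, ErrInvalidRefreshToken
	}
	if rec.consumed {
		s.revoked[rec.family] = true // both the legitimate client and the thief lose access
		return nil, ErrRefreshTokenReuse
	}
	access := &TokenResult{
		TokenString: opaqueToken(), TokenType: "Bearer", ExpiresAt: s.now().Add(s.accessTTL),
		Claims:  map[string]any{"sub": rec.userID, "client_id": rec.clientID, "scope": rec.scopes},
		Success: true,
	}
	res := &TokenRefreshResult{AccessToken: access, Success: true}
	if enableRotation {
		rec.consumed = true
		res.RefreshToken = s.issueLocked(rec.userID, rec.clientID, rec.scopes, rec.family)
	}
	return res, nil
}

func main() {
	s := newRefreshStore()
	rt := s.Issue("user-42", "client-abc", "openid profile")
	res, err := s.RefreshAccessToken(context.Background(), rt.TokenString, true)
	fmt.Println(res.RefreshToken != nil, err)
	_, err = s.RefreshAccessToken(context.Background(), rt.TokenString, true)
	fmt.Println(err) // second use of the rotated token trips reuse detection
}
```

Without rotation the same refresh token stays valid until its own expiry and reuse detection does not apply, which is why a caller that disables rotation should pair it with a short refresh TTL.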

type TokenValidationResult

type TokenValidationResult struct {
	Valid     bool
	UserID    string
	ClientID  string
	Scopes    string
	ExpiresAt time.Time
	Claims    map[string]any
}

TokenValidationResult is the outcome of a token validation call.
