auth

package
Published: Apr 4, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Overview

Package auth provides authentication and JWT token handling.

Package auth provides authentication utilities for GoatFlow.

Package auth provides authentication utilities for GoatFlow.

Index

Constants

// TOTP audit event types. Each value identifies one kind of 2FA security
// event (presumably carried in TOTPAuditEvent.EventType); the LogTOTP*
// helpers below emit them.
const (
	AuditTOTPSetupStarted   = "2FA_SETUP_STARTED"      // a user started 2FA setup
	AuditTOTPSetupCompleted = "2FA_SETUP_COMPLETED"    // 2FA setup finished successfully
	AuditTOTPSetupFailed    = "2FA_SETUP_FAILED"       // 2FA setup did not complete
	AuditTOTPDisabled       = "2FA_DISABLED"           // 2FA was turned off for the account
	AuditTOTPVerifySuccess  = "2FA_VERIFY_SUCCESS"     // a TOTP code was accepted
	AuditTOTPVerifyFailed   = "2FA_VERIFY_FAILED"      // a TOTP code was rejected
	AuditTOTPSessionCreated = "2FA_SESSION_CREATED"    // a pending 2FA session was opened
	AuditTOTPSessionExpired = "2FA_SESSION_EXPIRED"    // a pending session passed its TTL
	AuditTOTPSessionLocked  = "2FA_SESSION_LOCKED"     // a pending session hit the failure limit
	AuditTOTPRecoveryUsed   = "2FA_RECOVERY_CODE_USED" // a recovery code was used instead of a TOTP code
)

TOTP audit event types

// Pending 2FA session limits used by TOTPSessionManager.
const (
	// MaxTOTPAttempts is the number of failed verifications allowed before the
	// pending session is invalidated (see RecordFailedAttempt, which returns the
	// remaining count, and PendingTOTPSession.MaxAttempts).
	MaxTOTPAttempts = 5
	// TOTPSessionTTL is how long a pending session lasts before it expires
	// (the "5 minutes" referenced by PendingTOTPSession.ExpiresAt).
	TOTPSessionTTL = 5 * time.Minute
	// CleanupInterval is how often expired pending sessions are swept —
	// presumably by a background loop inside TOTPSessionManager; confirm.
	CleanupInterval = 1 * time.Minute
)

Variables

// Common errors. Presumably returned by AuthProvider implementations and
// Authenticator; compare with errors.Is so wrapped values still match.
var (
	ErrInvalidCredentials = errors.New("invalid credentials")
	// ErrUserNotFound is distinct from ErrInvalidCredentials. Handlers that let
	// a client observe the difference enable account enumeration, so collapse
	// the two into one generic response at the HTTP boundary.
	ErrUserNotFound       = errors.New("user not found")
	ErrUserDisabled       = errors.New("user account is disabled")
	ErrAuthBackendFailed  = errors.New("authentication backend failed")
)

Common errors.

// Token validation errors — presumably returned by JWTManager.ValidateToken
// and ValidateRefreshToken; compare with errors.Is.
var (
	ErrInvalidToken = errors.New("invalid token")    // malformed token or failed signature/claims check
	ErrExpiredToken = errors.New("token has expired") // token was otherwise valid but past its expiry
)
// DefaultLoginRateLimiter is the global instance for login rate limiting.
// The arguments follow NewLoginRateLimiter(maxAttempts, windowSeconds,
// baseBackoff, maxBackoff): presumably up to 5 failures within a 300-second
// window before blocking, with backoff starting at 2s and capped at 60s.
var DefaultLoginRateLimiter = NewLoginRateLimiter(5, 300, 2*time.Second, 60*time.Second)

DefaultLoginRateLimiter is the global instance for login rate limiting.

Functions

func ListProviders

func ListProviders() []string

ListProviders returns registered provider names.

func LogTOTPAuditEvent

func LogTOTPAuditEvent(event TOTPAuditEvent)

LogTOTPAuditEvent logs a 2FA security event. V8 FIX: Provides audit trail for 2FA events.

func LogTOTPDisabled

func LogTOTPDisabled(userID int, userLogin string, isCustomer bool, clientIP string)

LogTOTPDisabled logs when 2FA is disabled.

func LogTOTPRecoveryCodeUsed

func LogTOTPRecoveryCodeUsed(userID int, userLogin string, isCustomer bool, clientIP string, codesRemaining int)

LogTOTPRecoveryCodeUsed logs when a recovery code is used instead of TOTP.

func LogTOTPSessionLocked

func LogTOTPSessionLocked(userID int, userLogin string, isCustomer bool, clientIP string)

LogTOTPSessionLocked logs when a 2FA session is locked due to too many failures.

func LogTOTPSetupCompleted

func LogTOTPSetupCompleted(userID int, userLogin string, isCustomer bool, clientIP string)

LogTOTPSetupCompleted logs when 2FA setup is successfully completed.

func LogTOTPSetupStarted

func LogTOTPSetupStarted(userID int, userLogin string, isCustomer bool, clientIP string)

LogTOTPSetupStarted logs when a user starts 2FA setup.

func LogTOTPVerifyFailed

func LogTOTPVerifyFailed(userID int, userLogin string, isCustomer bool, clientIP string, attemptsRemaining int)

LogTOTPVerifyFailed logs a failed 2FA verification attempt.

func LogTOTPVerifySuccess

func LogTOTPVerifySuccess(userID int, userLogin string, isCustomer bool, clientIP string)

LogTOTPVerifySuccess logs a successful 2FA verification.

func RegisterProvider

func RegisterProvider(name string, factory ProviderFactory) error

RegisterProvider registers a provider factory by name (lowercase unique key).

Types

type AuthProvider

// AuthProvider defines the interface for authentication providers.
// Implementations on this page: DatabaseAuthProvider, LDAPAuthProvider and
// StaticAuthProvider; Authenticator fans out across several of them.
type AuthProvider interface {
	// Authenticate attempts to authenticate a user with the given credentials
	// Returns the authenticated user and nil error on success
	Authenticate(ctx context.Context, username, password string) (*models.User, error)

	// GetUser retrieves user details by username/email
	GetUser(ctx context.Context, identifier string) (*models.User, error)

	// ValidateToken validates an existing session/token
	ValidateToken(ctx context.Context, token string) (*models.User, error)

	// Name returns the name of this auth provider
	Name() string

	// Priority returns the priority of this provider (lower = higher priority)
	Priority() int
}

AuthProvider defines the interface for authentication providers.

func CreateProvider

func CreateProvider(name string, deps ProviderDependencies) (AuthProvider, error)

CreateProvider instantiates a provider by name.

type Authenticator

// Authenticator manages multiple authentication providers. Authenticate tries
// all configured providers; GetUser and ValidateToken go to the "primary"
// provider (presumably the one with the lowest Priority — confirm).
type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator manages multiple authentication providers.

func NewAuthenticator

func NewAuthenticator(providers ...AuthProvider) *Authenticator

NewAuthenticator creates a new authenticator with the given providers.

func (*Authenticator) AddProvider

func (a *Authenticator) AddProvider(provider AuthProvider)

AddProvider adds a new authentication provider.

func (*Authenticator) Authenticate

func (a *Authenticator) Authenticate(ctx context.Context, username, password string) (*models.User, error)

Authenticate attempts to authenticate using all configured providers.

func (*Authenticator) GetProviders

func (a *Authenticator) GetProviders() []string

GetProviders returns the list of configured providers.

func (*Authenticator) GetUser

func (a *Authenticator) GetUser(ctx context.Context, identifier string) (*models.User, error)

GetUser retrieves user information from the primary provider.

func (*Authenticator) ValidateToken

func (a *Authenticator) ValidateToken(ctx context.Context, token string) (*models.User, error)

ValidateToken validates a token using the primary provider.

type Claims

// Claims is the JWT payload produced by the JWTManager.Generate* methods and
// returned by JWTManager.ValidateToken.
type Claims struct {
	UserID   uint   `json:"user_id"` // numeric user identifier
	Email    string `json:"email"`
	Login    string `json:"login,omitempty"` // login name; presumably absent when minted by GenerateToken, which takes no login
	Role     string `json:"role"`            // role name, presumably the string consulted by RBAC
	IsAdmin  bool   `json:"is_admin,omitempty"` // User is in admin group (for nav display)
	// NOTE(review): the comment above scopes IsAdmin to navigation display —
	// confirm server-side authorization does not rely on this claim alone.
	TenantID uint   `json:"tenant_id,omitempty"`
	jwt.RegisteredClaims // standard registered claims (exp, iat, ...) from the jwt library
}

type DatabaseAuthProvider

// DatabaseAuthProvider provides authentication against the database.
// Construct with NewDatabaseAuthProvider(db); see the method set below.
type DatabaseAuthProvider struct {
	// contains filtered or unexported fields
}

DatabaseAuthProvider provides authentication against the database.

func NewDatabaseAuthProvider

func NewDatabaseAuthProvider(db *sql.DB) *DatabaseAuthProvider

NewDatabaseAuthProvider creates a new database authentication provider.

func (*DatabaseAuthProvider) Authenticate

func (p *DatabaseAuthProvider) Authenticate(ctx context.Context, username, password string) (*models.User, error)

Authenticate authenticates a user against the database.

func (*DatabaseAuthProvider) GetUser

func (p *DatabaseAuthProvider) GetUser(ctx context.Context, identifier string) (*models.User, error)

GetUser retrieves user details by username or email.

func (*DatabaseAuthProvider) Name

func (p *DatabaseAuthProvider) Name() string

Name returns the name of this auth provider.

func (*DatabaseAuthProvider) Priority

func (p *DatabaseAuthProvider) Priority() int

Priority returns the priority of this provider.

func (*DatabaseAuthProvider) ValidateToken

func (p *DatabaseAuthProvider) ValidateToken(ctx context.Context, token string) (*models.User, error)

ValidateToken validates a session token (reserved for a future implementation).

type JWTManager

// JWTManager issues and validates access and refresh tokens. It is built by
// NewJWTManager(secretKey, tokenDuration); the secretKey parameter suggests a
// symmetric (HMAC) signing method — confirm that ValidateToken pins the
// expected signing method rather than accepting whatever the token header
// declares.
type JWTManager struct {
	// contains filtered or unexported fields
}

func NewJWTManager

func NewJWTManager(secretKey string, tokenDuration time.Duration) *JWTManager

func (*JWTManager) GenerateRefreshToken

func (m *JWTManager) GenerateRefreshToken(userID uint, email string) (string, error)

func (*JWTManager) GenerateToken

func (m *JWTManager) GenerateToken(userID uint, email, role string, tenantID uint) (string, error)

func (*JWTManager) GenerateTokenWithAdmin

func (m *JWTManager) GenerateTokenWithAdmin(userID uint, email, role string, isAdmin bool, tenantID uint) (string, error)

GenerateTokenWithAdmin creates a JWT with explicit isAdmin flag.

func (*JWTManager) GenerateTokenWithDuration added in v0.7.0

func (m *JWTManager) GenerateTokenWithDuration(userID uint, login, email, role string, isAdmin bool, tenantID uint, duration time.Duration) (string, error)

GenerateTokenWithDuration creates a JWT with a specific duration. If duration is 0, the system default is used.

func (*JWTManager) GenerateTokenWithLogin

func (m *JWTManager) GenerateTokenWithLogin(userID uint, login, email, role string, isAdmin bool, tenantID uint) (string, error)

GenerateTokenWithLogin creates a JWT with explicit login and email values.

func (*JWTManager) SetRefreshTokenDuration added in v0.7.0

func (m *JWTManager) SetRefreshTokenDuration(d time.Duration)

SetRefreshTokenDuration sets the refresh token TTL.

func (*JWTManager) TokenDuration

func (m *JWTManager) TokenDuration() time.Duration

func (*JWTManager) ValidateRefreshToken

func (m *JWTManager) ValidateRefreshToken(tokenString string) (*jwt.RegisteredClaims, error)

func (*JWTManager) ValidateToken

func (m *JWTManager) ValidateToken(tokenString string) (*Claims, error)

type LDAPAuthProvider

// LDAPAuthProvider provides authentication against LDAP. Construct with
// NewLDAPAuthProvider(config).
type LDAPAuthProvider struct {
	// contains filtered or unexported fields
}

LDAPAuthProvider provides authentication against LDAP.

func NewLDAPAuthProvider

func NewLDAPAuthProvider(config *LDAPConfig) *LDAPAuthProvider

NewLDAPAuthProvider creates a new LDAP authentication provider.

func (*LDAPAuthProvider) Authenticate

func (p *LDAPAuthProvider) Authenticate(ctx context.Context, username, password string) (*models.User, error)

Authenticate authenticates a user against LDAP.

func (*LDAPAuthProvider) GetUser

func (p *LDAPAuthProvider) GetUser(ctx context.Context, identifier string) (*models.User, error)

GetUser retrieves user details from LDAP.

func (*LDAPAuthProvider) Name

func (p *LDAPAuthProvider) Name() string

Name returns the name of this auth provider.

func (*LDAPAuthProvider) Priority

func (p *LDAPAuthProvider) Priority() int

Priority returns the priority of this provider.

func (*LDAPAuthProvider) ValidateToken

func (p *LDAPAuthProvider) ValidateToken(ctx context.Context, token string) (*models.User, error)

ValidateToken validates a session token.

type LDAPConfig

// LDAPConfig holds LDAP server configuration consumed by NewLDAPAuthProvider.
type LDAPConfig struct {
	Server     string // directory server host
	Port       int    // directory server port
	BaseDN     string // search base for user lookups
	BindDN     string // DN of the service account — presumably used for the initial bind
	BindPass   string // password for BindDN; a secret — keep it out of logs and diagnostics
	UserFilter string // filter for locating a user — confirm how the username is substituted and escaped
	TLS        bool   // whether to use TLS — confirm LDAPS vs StartTLS and that certificates are verified
}

LDAPConfig holds LDAP server configuration.

type LoginRateLimiter

// LoginRateLimiter implements fail2ban-style rate limiting for login attempts.
// It tracks failed attempts by IP and username, applying exponential backoff.
// Callers check IsBlocked before authenticating and report the outcome via
// RecordFailure / RecordSuccess; Stats exposes counters for monitoring.
type LoginRateLimiter struct {
	// contains filtered or unexported fields
}

LoginRateLimiter implements fail2ban-style rate limiting for login attempts. It tracks failed attempts by IP and username, applying exponential backoff.

func NewLoginRateLimiter

func NewLoginRateLimiter(maxAttempts, windowSeconds int, baseBackoff, maxBackoff time.Duration) *LoginRateLimiter

NewLoginRateLimiter builds a limiter from maxAttempts, windowSeconds, baseBackoff and maxBackoff; maxBackoff is the maximum backoff duration.

func (*LoginRateLimiter) IsBlocked

func (rl *LoginRateLimiter) IsBlocked(ip, username string) (bool, time.Duration)

IsBlocked checks if an IP+username combination is currently blocked.

func (*LoginRateLimiter) RecordFailure

func (rl *LoginRateLimiter) RecordFailure(ip, username string)

RecordFailure records a failed login attempt.

func (*LoginRateLimiter) RecordSuccess

func (rl *LoginRateLimiter) RecordSuccess(ip, username string)

RecordSuccess clears the failure record for successful login.

func (*LoginRateLimiter) Stats

func (rl *LoginRateLimiter) Stats() map[string]interface{}

Stats returns current rate limiter statistics (for monitoring).

type PasswordHashType

// PasswordHashType represents the hashing algorithm to use; see the HashType*
// constants for the accepted values.
type PasswordHashType string

PasswordHashType represents the hashing algorithm to use.

// Supported PasswordHashType values. bcrypt is the only one designed as a
// password hash; the SHA and MD5 forms are presumably retained so that
// PasswordHasher.MigratePasswordHash can verify legacy hashes and upgrade them
// on login — confirm new hashes are never written with them.
const (
	HashTypeBcrypt PasswordHashType = "bcrypt"
	HashTypeSHA256 PasswordHashType = "sha256"
	HashTypeSHA512 PasswordHashType = "sha512"
	HashTypeMD5    PasswordHashType = "md5"
	HashTypeAuto   PasswordHashType = "auto" // Auto-detect from hash format
)

type PasswordHasher

// PasswordHasher handles password hashing and verification. Construct with
// NewPasswordHasher; HashPassword uses the configured algorithm, VerifyPassword
// checks a candidate against a stored hash, and MigratePasswordHash can
// re-hash to a target PasswordHashType after a successful login.
type PasswordHasher struct {
	// contains filtered or unexported fields
}

PasswordHasher handles password hashing and verification.

func NewPasswordHasher

func NewPasswordHasher() *PasswordHasher

NewPasswordHasher creates a new password hasher.

func (*PasswordHasher) HashPassword

func (h *PasswordHasher) HashPassword(password string) (string, error)

HashPassword hashes a password using the configured algorithm.

func (*PasswordHasher) MigratePasswordHash

func (h *PasswordHasher) MigratePasswordHash(password, oldHash string, targetType PasswordHashType) (string, error)

MigratePasswordHash optionally upgrades password hash on successful login.

func (*PasswordHasher) VerifyPassword

func (h *PasswordHasher) VerifyPassword(password, hash string) bool

VerifyPassword checks if a password matches the hash.

type PendingTOTPSession

// PendingTOTPSession tracks a pending 2FA verification. Sessions are created
// by TOTPSessionManager.CreateAgentSession / CreateCustomerSession and looked
// up by ValidateAndGetSession. Only Token is handed to the client (as a
// cookie); the remaining fields stay server-side.
type PendingTOTPSession struct {
	Token       string    // Random token (cookie value); acts as the bearer credential for this pending session
	UserID      int       // For agents (numeric)
	UserLogin   string    // For customers (email) - stored here, not in cookie
	Username    string    // Display name
	IsCustomer  bool      // true for customer, false for agent
	CreatedAt   time.Time // Session creation time
	ExpiresAt   time.Time // Expiration (5 minutes; see TOTPSessionTTL)
	Attempts    int       // Failed attempt count (advanced by RecordFailedAttempt)
	MaxAttempts int       // Max allowed (default 5; see MaxTOTPAttempts)
	ClientIP    string    // Bind to IP for security; ValidateAndGetSession enforces a strict match
	UserAgent   string    // Bind to User-Agent
}

PendingTOTPSession tracks a pending 2FA verification.

type Permission

// Permission is a "resource:action" capability string checked by
// RBAC.HasPermission and listed by RBAC.GetRolePermissions.
type Permission string

// Permission values known to this package, grouped by resource.
const (
	// Ticket permissions.
	PermissionTicketCreate Permission = "ticket:create"
	PermissionTicketRead   Permission = "ticket:read"
	PermissionTicketUpdate Permission = "ticket:update"
	PermissionTicketDelete Permission = "ticket:delete"
	PermissionTicketAssign Permission = "ticket:assign"
	PermissionTicketClose  Permission = "ticket:close"

	// User permissions.
	PermissionUserCreate Permission = "user:create"
	PermissionUserRead   Permission = "user:read"
	PermissionUserUpdate Permission = "user:update"
	PermissionUserDelete Permission = "user:delete"

	// Admin permissions.
	PermissionAdminAccess  Permission = "admin:access"
	PermissionSystemConfig Permission = "system:config"

	// Report permissions.
	PermissionReportView   Permission = "report:view"
	PermissionReportCreate Permission = "report:create"

	// Entity deletion permissions.
	PermissionEntityHardDelete Permission = "entity:hard_delete"

	// Customer permissions (scoped to the caller's own records).
	PermissionOwnTicketRead   Permission = "own:ticket:read"
	PermissionOwnTicketCreate Permission = "own:ticket:create"
)

type ProviderDependencies

// ProviderDependencies bundles common resources providers may need; it is
// passed to each ProviderFactory by CreateProvider.
type ProviderDependencies struct {
	DB *sql.DB // database handle, e.g. for DatabaseAuthProvider
}

ProviderDependencies bundles common resources providers may need.

type ProviderFactory

// ProviderFactory builds an AuthProvider given dependencies. Factories are
// registered under a name with RegisterProvider and invoked by CreateProvider.
type ProviderFactory func(deps ProviderDependencies) (AuthProvider, error)

ProviderFactory builds an AuthProvider given dependencies.

type RBAC

// RBAC answers role-based authorization questions. Roles are identified by
// string name; HasPermission checks a single Permission and the Can* methods
// wrap common decisions (admin panel, ticket access, assignment, reports).
type RBAC struct {
	// contains filtered or unexported fields
}

func NewRBAC

func NewRBAC() *RBAC

func (*RBAC) CanAccessAdminPanel

func (r *RBAC) CanAccessAdminPanel(role string) bool

func (*RBAC) CanAccessTicket

func (r *RBAC) CanAccessTicket(role string, ticketOwnerID, userID uint) bool

func (*RBAC) CanAssignTicket

func (r *RBAC) CanAssignTicket(role string) bool

func (*RBAC) CanCloseTicket

func (r *RBAC) CanCloseTicket(role string) bool

func (*RBAC) CanModifyUser

func (r *RBAC) CanModifyUser(actorRole string, targetUserRole string) bool

func (*RBAC) CanViewReports

func (r *RBAC) CanViewReports(role string) bool

func (*RBAC) GetRolePermissions

func (r *RBAC) GetRolePermissions(role string) []Permission

func (*RBAC) HasPermission

func (r *RBAC) HasPermission(role string, permission Permission) bool

type StaticAuthProvider

// StaticAuthProvider offers simple in-memory users for demos/tests. The spec
// format accepted by NewStaticAuthProvider (user:password:Role) carries the
// password in clear, so this provider belongs in test and demo configs only.
type StaticAuthProvider struct {
	// contains filtered or unexported fields
}

StaticAuthProvider offers simple in-memory users for demos/tests.

func NewStaticAuthProvider

func NewStaticAuthProvider(specs []string) *StaticAuthProvider

Static user spec format (from the environment): user:password:Role, where Role is Agent, Customer or Admin; multiple specs are separated by commas.

func (*StaticAuthProvider) Authenticate

func (p *StaticAuthProvider) Authenticate(ctx context.Context, username, password string) (*models.User, error)

func (*StaticAuthProvider) GetUser

func (p *StaticAuthProvider) GetUser(ctx context.Context, identifier string) (*models.User, error)

func (*StaticAuthProvider) Name

func (p *StaticAuthProvider) Name() string

func (*StaticAuthProvider) Priority

func (p *StaticAuthProvider) Priority() int

func (*StaticAuthProvider) ValidateToken

func (p *StaticAuthProvider) ValidateToken(ctx context.Context, token string) (*models.User, error)

type TOTPAuditEvent

// TOTPAuditEvent represents a 2FA-related security event, as logged by
// LogTOTPAuditEvent and the LogTOTP* convenience wrappers.
type TOTPAuditEvent struct {
	Timestamp  time.Time // when the event occurred
	EventType  string    // presumably one of the AuditTOTP* constants
	UserID     int       // numeric user id (agents)
	UserLogin  string    // login/email (customers)
	IsCustomer bool      // true for customer, false for agent
	ClientIP   string    // source address of the request
	UserAgent  string    // User-Agent of the request
	Success    bool      // whether the action succeeded
	Details    string    // free-form context, e.g. remaining attempts or codes
}

TOTPAuditEvent represents a 2FA-related security event.

type TOTPSessionManager

// TOTPSessionManager handles pending 2FA sessions with security controls.
// Addresses: V3 (rate limiting), V5 (HMAC verification), V7 (session invalidation).
// Construct with NewTOTPSessionManager(secret); that secret keys
// GenerateHMAC / VerifyHMAC, so it must be generated randomly and kept private.
type TOTPSessionManager struct {
	// contains filtered or unexported fields
}

TOTPSessionManager handles pending 2FA sessions with security controls. Addresses: V3 (rate limiting), V5 (HMAC verification), V7 (session invalidation).

var (
	// DefaultTOTPSessionManager is the global instance. It is nil until set;
	// GetTOTPSessionManager "returns the singleton instance" and presumably
	// initialises it on first use — prefer that accessor over reading the
	// variable directly.
	DefaultTOTPSessionManager *TOTPSessionManager
)

func GetTOTPSessionManager

func GetTOTPSessionManager() *TOTPSessionManager

GetTOTPSessionManager returns the singleton instance.

func NewTOTPSessionManager

func NewTOTPSessionManager(secret []byte) *TOTPSessionManager

NewTOTPSessionManager creates a new session manager with the given HMAC secret.

func (*TOTPSessionManager) CreateAgentSession

func (m *TOTPSessionManager) CreateAgentSession(userID int, username, clientIP, userAgent string) (string, error)

CreateAgentSession creates a pending 2FA session for an agent. Returns the token to store in cookie.

func (*TOTPSessionManager) CreateCustomerSession

func (m *TOTPSessionManager) CreateCustomerSession(userLogin, clientIP, userAgent string) (string, error)

CreateCustomerSession creates a pending 2FA session for a customer. Returns the token to store in cookie. Login is stored server-side, NOT in cookie (V4 fix).

func (*TOTPSessionManager) GenerateHMAC

func (m *TOTPSessionManager) GenerateHMAC(data string) string

GenerateHMAC creates an HMAC signature for session data (V5).

func (*TOTPSessionManager) GetRemainingAttempts

func (m *TOTPSessionManager) GetRemainingAttempts(token string) int

GetRemainingAttempts returns how many attempts are left for a session.

func (*TOTPSessionManager) InvalidateSession

func (m *TOTPSessionManager) InvalidateSession(token string)

InvalidateSession removes a session (after successful auth or too many failures).

func (*TOTPSessionManager) RecordFailedAttempt

func (m *TOTPSessionManager) RecordFailedAttempt(token string) int

RecordFailedAttempt increments the attempt counter (V3 + V7). Returns remaining attempts, or 0 if session is now invalid.

func (*TOTPSessionManager) Stats

func (m *TOTPSessionManager) Stats() map[string]int

Stats returns current session manager statistics.

func (*TOTPSessionManager) ValidateAndGetSession

func (m *TOTPSessionManager) ValidateAndGetSession(token, clientIP, userAgent string) *PendingTOTPSession

ValidateAndGetSession checks if a token is valid and returns the session. Returns nil if invalid, expired, or too many attempts. Security: Enforces strict IP binding to prevent session hijacking during 2FA.

func (*TOTPSessionManager) VerifyHMAC

func (m *TOTPSessionManager) VerifyHMAC(data, signature string) bool

VerifyHMAC checks if an HMAC signature is valid (V5).
