auth

package
v1.43.0
Published: Apr 30, 2026 License: MIT Imports: 11 Imported by: 0

Documentation

Overview

Package auth — JWT validation against IAM JWKS. Used by RequireIdentity middleware to mint identity headers from validated tokens. Mirrors the pattern in hanzoai/gateway: TTL-cached JWKS, fail-stale, exact issuer and audience checks.

Package auth — identity-header middleware. The trust boundary is the IAM JWT: tasksd validates every Authorization: Bearer <jwt> against JWKS, mints X-Org-Id / X-User-Id / X-User-Email from validated claims, and unconditionally strips any client-supplied identity headers. There is no header-pass-through trust path; client-supplied identity headers are never honored.

In dev / embedded use, set TASKSD_REQUIRE_IDENTITY=false (the default) — requests without a token pass through with empty identity context. In production, set TASKSD_REQUIRE_IDENTITY=true so unauthenticated requests get 401.

Index

Constants

View Source
const (
	HeaderOrgID     = "X-Org-Id"
	HeaderUserID    = "X-User-Id"
	HeaderUserEmail = "X-User-Email"

	HeaderAuthorization = "Authorization"
)

Variables

This section is empty.

Functions

func OrgID

func OrgID(ctx context.Context) string

OrgID returns the org id minted from a validated JWT, or "".

func RequireIdentity

func RequireIdentity(v *Validator, require bool) func(http.Handler) http.Handler

RequireIdentity returns middleware that:

  1. Strips any client-supplied X-Org-Id / X-User-Id / X-User-Email.
  2. If a Bearer JWT is present, validates it via v and mints fresh identity headers + ctx values from the claims.
  3. If require=true and no validated identity emerged, returns 401.

When v is nil (JWT disabled, embedded/dev mode) and require=false, every request passes through with empty identity ctx — useful for tests and the in-process embedder. When v is nil and require=true, every request is rejected (closed-by-default).
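The three steps above, as an added example that is not the package's own code. Token verification sits behind a ValidateFunc so the middleware's own behaviour (strip, mint, gate) can be exercised with a constructed stub instead of a JWKS; stubValidator, the serve harness, the token string "good-token" and the claim values are all constructed for this example. One point the page leaves open is what happens when a token is presented but fails validation in require=false mode; this example rejects it with 401 rather than downgrading the request to anonymous, and that is an assumption, not documented behaviour.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added example of the RequireIdentity contract (not the package's code); ValidateFunc replaces JWKS verification.
const (
	HeaderOrgID     = "X-Org-Id"
	HeaderUserID    = "X-User-Id"
	HeaderUserEmail = "X-User-Email"
)

// Claims is the subset the page maps onto headers: owner -> org, sub -> user, email.
type Claims struct{ Owner, Sub, Email string }

// ValidateFunc verifies a raw bearer token; a nil ValidateFunc means JWT is disabled.
type ValidateFunc func(ctx context.Context, bearer string) (*Claims, error)

type ctxKey struct{}

func claims(ctx context.Context) Claims {
	c, _ := ctx.Value(ctxKey{}).(Claims) // zero value when nothing was minted
	return c
}

func OrgID(ctx context.Context) string     { return claims(ctx).Owner }
func UserID(ctx context.Context) string    { return claims(ctx).Sub }
func UserEmail(ctx context.Context) string { return claims(ctx).Email }

// RequireIdentity implements the three documented steps in order.
func RequireIdentity(v ValidateFunc, require bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// 1. Strip client-supplied identity headers before anything else happens.
			for _, h := range []string{HeaderOrgID, HeaderUserID, HeaderUserEmail} {
				r.Header.Del(h)
			}
			// 2. Validate a presented token. Assumption: a failing token is rejected, never downgraded to anonymous.
			var c *Claims
			if raw := r.Header.Get("Authorization"); v != nil && strings.HasPrefix(raw, "Bearer ") {
				var err error
				if c, err = v(r.Context(), strings.TrimPrefix(raw, "Bearer ")); err != nil {
					http.Error(w, "invalid token", http.StatusUnauthorized)
					return
				}
			}
			// 3. Closed by default: no validated identity plus require=true is a 401 (covers v == nil too).
			if c == nil {
				if require {
					http.Error(w, "authentication required", http.StatusUnauthorized)
					return
				}
				next.ServeHTTP(w, r)
				return
			}
			r.Header.Set(HeaderOrgID, c.Owner)
			r.Header.Set(HeaderUserID, c.Sub)
			r.Header.Set(HeaderUserEmail, c.Email)
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, *c)))
		})
	}
}

// stubValidator accepts one constructed token; it stands in for JWKS verification.
func stubValidator(_ context.Context, bearer string) (*Claims, error) {
	if bearer != "good-token" {
		return nil, errors.New("signature verification failed")
	}
	return &Claims{Owner: "acme", Sub: "user-123", Email: "alice@acme.test"}, nil
}

// serve pushes one request through the middleware and returns the status plus the org id
// the downstream handler saw in the header and in the context, i.e. what a backend would trust.
func serve(mw func(http.Handler) http.Handler, authz, forgedOrg string) (status int, headerOrg, ctxOrg string) {
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		headerOrg = r.Header.Get(HeaderOrgID)
		ctxOrg = OrgID(r.Context())
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/tasks", nil)
	req.Header.Set("Authorization", authz)
	req.Header.Set(HeaderOrgID, forgedOrg) // what a malicious or misconfigured client sends
	rec := httptest.NewRecorder()
	mw(next).ServeHTTP(rec, req)
	return rec.Code, headerOrg, ctxOrg
}

func main() {
	prod, dev := RequireIdentity(stubValidator, true), RequireIdentity(nil, false)
	fmt.Println(serve(prod, "", "acme"))                    // 401: a forged header alone is stripped, not trusted
	fmt.Println(serve(prod, "Bearer good-token", "victim")) // 200 acme acme: minted from the claims, not the client
	fmt.Println(serve(dev, "", "acme"))                     // 200 with empty identity: dev mode still strips
	fmt.Println(serve(RequireIdentity(nil, true), "", ""))  // 401: v == nil with require=true is closed
}
```

The order inside the handler is the point: the Del calls run before the token is even looked at, so there is no code path on which a client-supplied X-Org-Id survives to the next handler, whatever the outcome of validation.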

func UserEmail

func UserEmail(ctx context.Context) string

UserEmail returns the user email minted from a validated JWT, or "".

func UserID

func UserID(ctx context.Context) string

UserID returns the user id minted from a validated JWT, or "".

Types

type IAMClaims

type IAMClaims struct {
	jwt.Claims

	Owner             string `json:"owner"`
	Email             string `json:"email"`
	PreferredUsername string `json:"preferred_username"`
	Name              string `json:"name"`
}

IAMClaims is the subset of Casdoor/hanzo.id claims tasksd cares about. `owner` is the org slug (X-Org-Id), `sub` is the user id (X-User-Id), `email` is the user email (X-User-Email).

type JWTConfig

type JWTConfig struct {
	JWKSURL  string        // e.g. https://hanzo.id/.well-known/jwks
	Issuer   string        // e.g. https://hanzo.id
	Audience string        // optional; "" → audience check skipped
	TTL      time.Duration // JWKS cache TTL; 0 → 5 min
}

JWTConfig configures the validator. Zero values disable JWT validation: NewValidator returns nil, and auth.RequireIdentity, which still strips any client-supplied identity headers, passes requests through with empty identity context when require=false and rejects every request with 401 when require=true. There is no mode in which client-supplied identity headers are honored.

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

Validator verifies bearer tokens against JWKS and returns claims.

func NewValidator

func NewValidator(cfg JWTConfig) *Validator

NewValidator returns nil when cfg is empty (JWT disabled).

func (*Validator) Validate

func (v *Validator) Validate(ctx context.Context, bearer string) (*IAMClaims, error)

Validate parses and verifies the bearer token. Returns the IAM claims on success, or an error describing the failure mode.
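What a Validate implementation has to check, and in what order, as an added example that is not the package's code: the signature is verified first, with the algorithm pinned to RS256, before anything in the payload is trusted; only then are exact issuer, optional audience, expiry, and the presence of the `sub` and `owner` claims the identity headers are minted from checked. The in-memory Keys map stands in for the TTL-cached JWKS (a real validator fetches and caches it), and signRS256 with a locally generated key exists only so the example runs offline. The key id "k1", issuer https://hanzo.id, audience "tasksd" and the claim values are constructed; the audience type handling both the string and array forms of `aud` is this example's choice, not something the page states.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Added example (not the package's code). Keys is an in-memory kid -> key map standing in for the TTL-cached JWKS.
type Validator struct {
	Keys     map[string]*rsa.PublicKey
	Issuer   string // exact match required
	Audience string // "" skips the audience check, as the page documents
}

// audience accepts both the string and string-array forms of "aud" (RFC 7519, 4.1.3).
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// IAMClaims is the claim subset on the page: owner -> org id, sub -> user id, email -> user email.
type IAMClaims struct {
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Aud   audience `json:"aud"`
	Exp   int64    `json:"exp"`
	Owner string   `json:"owner"`
	Email string   `json:"email"`
}

// Validate verifies the RS256 signature before trusting the payload, then checks iss, aud, exp and identity claims.
func (v *Validator) Validate(bearer string) (*IAMClaims, error) {
	parts := strings.Split(bearer, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrB, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	// Pin the algorithm: alg=none and HS256 key-confusion tokens fail before any key is used.
	if err1 != nil || err2 != nil || json.Unmarshal(hdrB, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	key, ok := v.Keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid") // a real validator refreshes the JWKS once here
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c IAMClaims
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, errors.New("issuer mismatch")
	case v.Audience != "" && !slices.Contains(c.Aud, v.Audience):
		return nil, errors.New("audience mismatch")
	case c.Exp == 0 || time.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired or has no exp")
	case c.Sub == "" || c.Owner == "":
		return nil, errors.New("missing sub or owner claim")
	}
	return &c, nil
}

// signRS256 mints a token with a local key so the example runs offline (demo only, errors ignored); tasksd never mints tokens.
func signRS256(priv *rsa.PrivateKey, kid string, claims any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	input := enc(map[string]string{"alg": "RS256", "kid": kid}) + "." + enc(claims)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	v := &Validator{Keys: map[string]*rsa.PublicKey{"k1": &priv.PublicKey}, Issuer: "https://hanzo.id", Audience: "tasksd"}
	good := IAMClaims{Iss: "https://hanzo.id", Aud: audience{"tasksd"}, Sub: "u-1", Owner: "acme", Email: "alice@acme.test", Exp: time.Now().Add(time.Minute).Unix()}
	c, err := v.Validate(signRS256(priv, "k1", good))
	fmt.Printf("%+v %v\n", c, err)
}
```

Two details matter for the failure modes the page's Validate promises to describe: an unknown kid is a distinct error from a bad signature, because the former is the one case where a JWKS-backed validator should refresh its cached key set, and the expiry check treats a missing exp as a failure rather than as "never expires".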
