auth

package
v0.1.0 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 26, 2026 License: MIT Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	// ErrMissingKeyFunc indicates verifier misconfiguration.
	ErrMissingKeyFunc = errors.New("auth: missing jwt keyfunc")

	// ErrInvalidToken indicates token is malformed, signature invalid, or claims invalid.
	// Do not expose underlying parsing details to clients.
	ErrInvalidToken = errors.New("auth: invalid token")

	// ErrMissingSubject indicates the token has no "sub".
	ErrMissingSubject = errors.New("auth: missing subject")

	// ErrMissingTenantID indicates the token has no tenant_id.
	ErrMissingTenantID = errors.New("auth: missing tenant_id")
)

Functions

func Has

func Has(scopes []string, required Scope) bool

Has reports whether scopes contains the required scope. Matching is exact after TrimSpace normalization.

func HasAll

func HasAll(scopes []string, required ...Scope) bool

HasAll reports whether scopes contains all required scopes. Empty required values are ignored. If no non-empty required scopes are provided, returns true.

func HasAny

func HasAny(scopes []string, required ...Scope) bool

HasAny reports whether scopes contains any of the required scopes. Empty required values are ignored. If no non-empty required scopes are provided, returns false.
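The three scope helpers above are documented only by their contracts. The following stand-alone Go program is an added illustration of those contracts (it is not the package's source): it reimplements Has, HasAll and HasAny exactly as described, normalizing both the granted and the required values with TrimSpace (an assumption; the documentation only says matching is "exact after TrimSpace normalization"), and adds a hypothetical RequireAll wrapper that refuses the vacuous-truth case of HasAll, since a requirement list that ends up empty after normalization would otherwise grant access.

```go
package main

import (
	"fmt"
	"strings"
)

// Scope mirrors the package's Scope type so the example compiles on its own.
type Scope string

// norm applies the TrimSpace normalization the documentation describes.
func norm(s string) string { return strings.TrimSpace(s) }

// Has reports whether scopes contains required. Matching is exact (no prefix or
// wildcard semantics) after both sides are trimmed.
func Has(scopes []string, required Scope) bool {
	want := norm(string(required))
	for _, s := range scopes {
		if norm(s) == want {
			return true
		}
	}
	return false
}

// HasAll ignores empty required values and is vacuously true when none remain.
func HasAll(scopes []string, required ...Scope) bool {
	for _, r := range required {
		if norm(string(r)) == "" {
			continue
		}
		if !Has(scopes, r) {
			return false
		}
	}
	return true
}

// HasAny ignores empty required values and is false when none remain.
func HasAny(scopes []string, required ...Scope) bool {
	for _, r := range required {
		if norm(string(r)) == "" {
			continue
		}
		if Has(scopes, r) {
			return true
		}
	}
	return false
}

// RequireAll (hypothetical helper, not in the package) is the guard a caller puts
// in front of HasAll: if the requirement list is empty after normalization it
// returns an error instead of true, so a misbuilt or empty requirement can never
// silently grant access through HasAll's vacuous-truth rule.
func RequireAll(scopes []string, required ...Scope) (bool, error) {
	n := 0
	for _, r := range required {
		if norm(string(r)) != "" {
			n++
		}
	}
	if n == 0 {
		return false, fmt.Errorf("auth: no non-empty scopes required; refusing to allow by default")
	}
	return HasAll(scopes, required...), nil
}

func main() {
	granted := []string{" orders.read ", "orders.create"} // constructed sample scopes
	fmt.Println(Has(granted, "orders.read"))        // true: surrounding whitespace is trimmed
	fmt.Println(Has(granted, "orders"))             // false: exact match only, no prefix matching
	fmt.Println(HasAll(granted, "orders.read", "")) // true: the empty requirement is ignored
	fmt.Println(HasAll(granted))                    // true: vacuous, which is why RequireAll exists
	fmt.Println(HasAny(granted, "", "admin"))       // false
	_, err := RequireAll(granted, "", " ")
	fmt.Println(err != nil) // true: the guard rejects an all-empty requirement
}
```

The practical point is the last two calls: HasAll with no effective requirements answers true by contract, so any authorization check that builds its required-scope list dynamically (from config, from a route table) should fail closed when that list is empty rather than pass it straight to HasAll.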

func ParseBearer

func ParseBearer(authorization string) (string, error)

ParseBearer extracts the raw JWT from an Authorization header value. Accepts "Bearer <token>" (case-insensitive). Returns ErrInvalidToken on invalid format.
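As an added example of the header parsing ParseBearer describes (illustrative code, not the package's implementation), this stand-alone Go program accepts a case-insensitive "Bearer" scheme, tolerates surrounding whitespace, and returns the single ErrInvalidToken sentinel for every malformed shape so that the caller cannot leak which check failed. The decision to reject tokens that contain embedded whitespace is an assumption based on the raw-JWT use case.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidToken mirrors the package's sentinel. Every malformed header collapses
// to this one value so that responses do not reveal parsing details to clients.
var ErrInvalidToken = errors.New("auth: invalid token")

// ParseBearer extracts the raw token from an Authorization header value.
// Accepted: "Bearer <token>" with a case-insensitive scheme and optional
// surrounding whitespace. Rejected: a missing or different scheme, an empty
// token, and a token containing whitespace (a raw JWT never does).
func ParseBearer(authorization string) (string, error) {
	v := strings.TrimSpace(authorization)
	scheme, rest, found := strings.Cut(v, " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		return "", ErrInvalidToken
	}
	token := strings.TrimSpace(rest)
	if token == "" || strings.ContainsAny(token, " \t\r\n") {
		return "", ErrInvalidToken
	}
	return token, nil
}

func main() {
	// Constructed header values; "xxx.yyy.zzz" stands in for a real JWT.
	for _, h := range []string{
		"Bearer xxx.yyy.zzz",
		"bearer xxx.yyy.zzz",
		"  BEARER xxx.yyy.zzz  ",
		"Basic dXNlcjpwYXNz",
		"Bearer",
		"Bearer ",
		"xxx.yyy.zzz",
		"Bearer xxx.yyy.zzz extra",
	} {
		tok, err := ParseBearer(h)
		fmt.Printf("%-28q -> token=%q err=%v\n", h, tok, err)
	}
}
```

Callers should compare the returned error with errors.Is(err, ErrInvalidToken) and answer with a plain 401; the specific reason stays in server-side logs.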

Types

type Claims

type Claims struct {
	TenantID string   `json:"tenant_id"`
	Scopes   []string `json:"scopes,omitempty"`
	jwt.RegisteredClaims
}

type Decision

type Decision int

Decision represents the result of a policy evaluation.

const (
	// DecisionDeny means access is not allowed.
	DecisionDeny Decision = iota
	// DecisionAllow means access is allowed.
	DecisionAllow
)

func (Decision) IsAllow

func (d Decision) IsAllow() bool

IsAllow reports whether decision is DecisionAllow.

type PolicyChecker

type PolicyChecker interface {
	Check(ctx context.Context, req PolicyRequest) (Decision, error)
}

PolicyChecker is implemented by a service adapter (HTTP/gRPC) that knows how to evaluate RBAC/ABAC rules (e.g. by calling Identity/Core).

type PolicyRequest

type PolicyRequest struct {
	SubjectID string
	TenantID  string
	Scopes    []string

	Action   string
	Resource string
}

PolicyRequest is a normalized policy check input. Action/Resource should be stable strings, e.g. "tenant.members.invite", "orders.create".
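The Decision, PolicyChecker and PolicyRequest types above define the contract but not an implementation. The following stand-alone Go program is an added example (not the package's adapter, which the documentation says calls a service over HTTP/gRPC): a hypothetical in-memory StaticPolicy that enforces tenant isolation and a per-action scope with default deny, plus a hypothetical Authorize wrapper showing how a caller should treat the (Decision, error) pair so that an evaluation error is never read as Allow. The type definitions are copied from the documentation; the rule semantics are this example's own.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Decision, PolicyRequest and PolicyChecker are copied from the package
// documentation so the example compiles stand-alone.
type Decision int

const (
	DecisionDeny Decision = iota
	DecisionAllow
)

func (d Decision) IsAllow() bool { return d == DecisionAllow }

type PolicyRequest struct {
	SubjectID string
	TenantID  string
	Scopes    []string
	Action    string
	Resource  string
}

type PolicyChecker interface {
	Check(ctx context.Context, req PolicyRequest) (Decision, error)
}

// errIncompleteRequest (hypothetical) is returned when the caller built a request
// without the identity fields every rule depends on. It is an error rather than a
// Deny because it signals a bug in the caller, not a policy outcome.
var errIncompleteRequest = errors.New("policy: request missing subject or tenant")

// StaticPolicy is an in-memory PolicyChecker standing in for the HTTP/gRPC adapter.
// Each action maps to the single scope that grants it and each resource to the
// tenant that owns it; anything unmapped is denied.
type StaticPolicy struct {
	ActionScope   map[string]string // action -> required scope
	ResourceOwner map[string]string // resource -> owning tenant_id
}

func (p StaticPolicy) Check(ctx context.Context, req PolicyRequest) (Decision, error) {
	if err := ctx.Err(); err != nil {
		return DecisionDeny, err // cancelled or timed out: report it, never Allow
	}
	if req.SubjectID == "" || req.TenantID == "" {
		return DecisionDeny, errIncompleteRequest
	}
	// Tenant isolation first: a subject may only act on its own tenant's resources.
	if owner, ok := p.ResourceOwner[req.Resource]; !ok || owner != req.TenantID {
		return DecisionDeny, nil
	}
	need, ok := p.ActionScope[req.Action]
	if !ok {
		return DecisionDeny, nil // unmapped action: default deny
	}
	for _, s := range req.Scopes {
		if s == need {
			return DecisionAllow, nil
		}
	}
	return DecisionDeny, nil
}

// Authorize collapses (Decision, error) into one fail-closed answer: an evaluation
// error counts as Deny, so an outage of the policy service cannot widen access.
func Authorize(ctx context.Context, c PolicyChecker, req PolicyRequest) bool {
	d, err := c.Check(ctx, req)
	return err == nil && d.IsAllow()
}

func main() {
	// Constructed policy and request data.
	p := StaticPolicy{
		ActionScope:   map[string]string{"orders.create": "orders:write", "orders.read": "orders:read"},
		ResourceOwner: map[string]string{"orders/42": "tenant-a"},
	}
	req := PolicyRequest{SubjectID: "user-1", TenantID: "tenant-a", Scopes: []string{"orders:write"},
		Action: "orders.create", Resource: "orders/42"}
	fmt.Println("same tenant, right scope:", Authorize(context.Background(), p, req))
	req.TenantID = "tenant-b"
	fmt.Println("cross-tenant request:    ", Authorize(context.Background(), p, req))
}
```

The split between the two return values matters for callers: a Deny with a nil error is a normal outcome to answer with 403, while a non-nil error is an evaluation failure that should be logged and surfaced as a server-side problem, never converted into an Allow.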

type Scope

type Scope string

Scope represents an authorization scope (permission string) attached to an identity.

func (Scope) String

func (s Scope) String() string

type Verifier

type Verifier struct {
	// KeyFunc is used to provide the verification key based on token header (kid, alg, etc).
	KeyFunc jwt.Keyfunc
	Config  VerifyConfig
}

func (Verifier) Verify

func (v Verifier) Verify(token string) (*Claims, error)

type VerifyConfig

type VerifyConfig struct {
	// AllowedMethods defaults to HS256, RS256, ES256 if empty.
	AllowedMethods []string

	// Leeway allows small clock skew.
	Leeway time.Duration

	// Optional issuer/audience checks.
	Issuer          string
	RequireIssuer   bool
	Audience        string
	RequireAudience bool
}

VerifyConfig controls optional JWT validation rules.
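Verifier.Verify has no doc comment, but VerifyConfig and the error sentinels describe what a conforming verifier must enforce. The following stand-alone Go program is an added illustration of those rules, not the package's code: it uses only the standard library (the real Verifier delegates parsing and signature checks to the golang-jwt library via jwt.Keyfunc), implements HS256 only, models aud as a single string, and interprets RequireIssuer/RequireAudience as "the claim must equal the configured value" (an assumption; the documentation only calls them optional checks). It shows the order that matters in practice: the alg allow-list is checked before any key or signature work, so a token's own header can never pick the verification path, and every failure except the two documented claim errors collapses to ErrInvalidToken.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Sentinels copied from the package documentation; everything else is an illustrative stand-in.
var (
	ErrInvalidToken    = errors.New("auth: invalid token")
	ErrMissingSubject  = errors.New("auth: missing subject")
	ErrMissingTenantID = errors.New("auth: missing tenant_id")
)

// VerifyConfig has the documented fields. Claims flattens the registered claims the
// real type gets from jwt.RegisteredClaims; aud is modelled as a single string here.
type VerifyConfig struct {
	AllowedMethods  []string
	Leeway          time.Duration
	Issuer          string
	RequireIssuer   bool
	Audience        string
	RequireAudience bool
}
type Claims struct {
	TenantID string `json:"tenant_id"`
	Subject  string `json:"sub"`
	Issuer   string `json:"iss,omitempty"`
	Audience string `json:"aud,omitempty"`
	Expiry   int64  `json:"exp,omitempty"`
}

// Encode produces the unsigned "header.payload" prefix for a given alg.
func Encode(alg string, c Claims) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	p, _ := json.Marshal(c)
	return base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
}

// SignHS256 mints a token for the examples (constructed test data, not key-management guidance).
func SignHS256(key []byte, c Claims) string {
	in := Encode("HS256", c)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(in))
	return in + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify checks alg against the allow-list before anything else, then the HMAC,
// then exp with leeway, then the optional issuer/audience rules, and finally the
// package's required sub and tenant_id claims. Only HS256 is implemented here.
func Verify(key []byte, cfg VerifyConfig, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalidToken
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, ErrInvalidToken
	}
	allowed := cfg.AllowedMethods
	if len(allowed) == 0 {
		allowed = []string{"HS256", "RS256", "ES256"} // documented default
	}
	permitted := false
	for _, m := range allowed {
		permitted = permitted || m == hdr.Alg
	}
	if !permitted || hdr.Alg != "HS256" {
		return nil, ErrInvalidToken // "none", an unlisted alg, or one this stand-in does not implement
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrInvalidToken
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, ErrInvalidToken
	}
	if c.Expiry != 0 && now.After(time.Unix(c.Expiry, 0).Add(cfg.Leeway)) {
		return nil, ErrInvalidToken // expired beyond the tolerated clock skew
	}
	if (cfg.RequireIssuer && c.Issuer != cfg.Issuer) || (cfg.RequireAudience && c.Audience != cfg.Audience) {
		return nil, ErrInvalidToken
	}
	if c.Subject == "" {
		return nil, ErrMissingSubject
	}
	if c.TenantID == "" {
		return nil, ErrMissingTenantID
	}
	return &c, nil
}
```

Two configuration details carry over to the real Verifier: keep AllowedMethods to the one family your keys actually use rather than relying on the HS256/RS256/ES256 default, since a KeyFunc that serves both an HMAC secret and an RSA public key under a mixed allow-list is the classic key-confusion setup; and keep Leeway to seconds, because it widens the window in which an expired token is still accepted.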
