Constants ¶
// Authentication type identifiers used by this package. Each value is the
// string a caller supplies as the auth type of a security.Authentication;
// presumably it is what the corresponding Authenticator's Supports(authType)
// compares against — confirm against the Supports implementations.
const (
	AuthTypeOpenApi  = "openapi"
	AuthTypePassword = "password"
	AuthTypeRefresh  = "refresh"
	AuthTypeToken    = "token"
)
Variables ¶
// Module wires the security components into the fx graph under the name
// "vef:security". Several constructor parameters are tagged optional:"true",
// which means fx passes nil when the host application does not provide that
// dependency; the affected constructors are annotated below.
var Module = fx.Module(
	"vef:security",
	// Decorate an application-supplied RolePermissionsLoader with the cached
	// variant. A missing loader is passed through as nil rather than wrapped.
	fx.Decorate(
		fx.Annotate(
			func(loader security.RolePermissionsLoader, bus event.Bus) security.RolePermissionsLoader {
				if loader == nil {
					return nil
				}
				return security.NewCachedRolePermissionsLoader(loader, bus)
			},
			fx.ParamTags(`optional:"true"`),
		),
	),
	// Default the password encoder to bcrypt when none is supplied, so
	// PasswordAuthenticator never sees a nil encoder.
	fx.Decorate(
		fx.Annotate(
			func(encoder password.Encoder) password.Encoder {
				if encoder == nil {
					return password.NewBcryptEncoder()
				}
				return encoder
			},
			fx.ParamTags(`optional:"true"`),
		),
	),
	fx.Provide(
		// JWT signer/verifier shared by the token authenticators and generator.
		// The audience claim is derived from the application name. Note the
		// parameter named config shadows the config package inside this closure.
		fx.Annotate(
			func(config *config.AppConfig) (*security.Jwt, error) {
				return security.NewJwt(&security.JwtConfig{
					Audience: lo.SnakeCase(config.Name),
				})
			},
		),
		// Every Authenticator is placed in the "vef:security:authenticators"
		// value group, which NewAuthManager consumes below.
		fx.Annotate(
			NewJwtAuthenticator,
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),
		// The UserLoader for refresh is optional and may be nil.
		fx.Annotate(
			NewJwtRefreshAuthenticator,
			fx.ParamTags(``, `optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),
		NewJwtTokenGenerator,
		// The ExternalAppLoader is optional and may be nil.
		fx.Annotate(
			NewOpenApiAuthenticator,
			fx.ParamTags(`optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),
		// Both the UserLoader and the Encoder are optional here; the encoder is
		// defaulted by the decorator above, the UserLoader is not and may be nil.
		fx.Annotate(
			NewPasswordAuthenticator,
			fx.ParamTags(`optional:"true"`, `optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),
		fx.Annotate(
			NewAuthManager,
			fx.ParamTags(`group:"vef:security:authenticators"`),
		),
		// The RolePermissionsLoader is optional for both RBAC components. How
		// they behave when it is nil is not visible here — confirm that
		// permission checks fail closed in that configuration.
		fx.Annotate(
			NewRbacPermissionChecker,
			fx.ParamTags(`optional:"true"`),
		),
		fx.Annotate(
			NewRbacDataPermissionResolver,
			fx.ParamTags(`optional:"true"`),
		),
		// The UserInfoLoader (third parameter) is optional; the resource is
		// registered in the "vef:api:resources" group.
		fx.Annotate(
			NewAuthResource,
			fx.ParamTags(``, ``, `optional:"true"`),
			fx.ResultTags(`group:"vef:api:resources"`),
		),
	),
)
Functions ¶
func NewAuthManager ¶
func NewAuthManager(authenticators []security.Authenticator) security.AuthManager
func NewAuthResource ¶
func NewAuthResource(authManager security.AuthManager, tokenGenerator security.TokenGenerator, userInfoLoader security.UserInfoLoader, publisher event.Publisher) api.Resource
NewAuthResource creates a new authentication resource from the provided auth manager, token generator, user info loader and event publisher.
func NewJwtAuthenticator ¶ added in v0.6.0
func NewJwtAuthenticator(jwt *security.Jwt) security.Authenticator
func NewJwtRefreshAuthenticator ¶ added in v0.6.0
func NewJwtRefreshAuthenticator(jwt *security.Jwt, userLoader security.UserLoader) security.Authenticator
func NewJwtTokenGenerator ¶ added in v0.6.0
func NewJwtTokenGenerator(jwt *security.Jwt, securityConfig *config.SecurityConfig) security.TokenGenerator
func NewOpenApiAuthenticator ¶ added in v0.6.0
func NewOpenApiAuthenticator(loader security.ExternalAppLoader) security.Authenticator
func NewPasswordAuthenticator ¶
func NewPasswordAuthenticator( loader security.UserLoader, encoder password.Encoder, ) security.Authenticator
func NewRbacDataPermissionResolver ¶ added in v0.8.4
func NewRbacDataPermissionResolver(loader security.RolePermissionsLoader) security.DataPermissionResolver
NewRbacDataPermissionResolver creates a new RBAC data permission resolver. The loader argument is the strategy used to load role permissions.
func NewRbacPermissionChecker ¶ added in v0.6.0
func NewRbacPermissionChecker(loader security.RolePermissionsLoader) security.PermissionChecker
Types ¶
type AuthResource ¶
AuthResource handles authentication-related API endpoints.
func (*AuthResource) GetUserInfo ¶ added in v0.6.0
GetUserInfo retrieves user information via UserInfoLoader. A UserInfoLoader implementation must be provided; in Module it is an optional dependency, so it may be absent.
func (*AuthResource) Login ¶
func (a *AuthResource) Login(ctx fiber.Ctx, params LoginParams) error
Login authenticates a user and returns token credentials.
func (*AuthResource) Logout ¶
func (a *AuthResource) Logout(ctx fiber.Ctx) error
Logout returns success immediately and does not invalidate the issued tokens on the server side. Token invalidation is left to the client, which should remove its stored tokens.
func (*AuthResource) Refresh ¶
func (a *AuthResource) Refresh(ctx fiber.Ctx, params RefreshParams) error
Refresh refreshes the access token using a valid refresh token. User data reload logic is handled by JwtRefreshAuthenticator.
type AuthenticatorAuthManager ¶
type AuthenticatorAuthManager struct {
// contains filtered or unexported fields
}
func (*AuthenticatorAuthManager) Authenticate ¶
func (am *AuthenticatorAuthManager) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
type JwtRefreshAuthenticator ¶ added in v0.6.0
type JwtRefreshAuthenticator struct {
// contains filtered or unexported fields
}
func (*JwtRefreshAuthenticator) Authenticate ¶ added in v0.6.0
func (j *JwtRefreshAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
func (*JwtRefreshAuthenticator) Supports ¶ added in v0.6.0
func (j *JwtRefreshAuthenticator) Supports(authType string) bool
type JwtTokenAuthenticator ¶ added in v0.6.0
type JwtTokenAuthenticator struct {
// contains filtered or unexported fields
}
func (*JwtTokenAuthenticator) Authenticate ¶ added in v0.6.0
func (ja *JwtTokenAuthenticator) Authenticate(_ context.Context, authentication security.Authentication) (*security.Principal, error)
func (*JwtTokenAuthenticator) Supports ¶ added in v0.6.0
func (*JwtTokenAuthenticator) Supports(authType string) bool
type JwtTokenGenerator ¶ added in v0.6.0
type JwtTokenGenerator struct {
// contains filtered or unexported fields
}
func (*JwtTokenGenerator) Generate ¶ added in v0.6.0
func (g *JwtTokenGenerator) Generate(principal *security.Principal) (*security.AuthTokens, error)
type LoginParams ¶
type LoginParams struct {
api.P
// Authentication contains user credentials
security.Authentication
}
LoginParams represents the request parameters for user login.
type OpenApiAuthenticator ¶ added in v0.6.0
type OpenApiAuthenticator struct {
// contains filtered or unexported fields
}
OpenApiAuthenticator validates HMAC-based signatures for external app authentication. Credentials format: "<signatureHex>@<timestamp>@<bodySha256Base64>". Signature: hex(HMAC-SHA256(secret, appId + "\n" + timestamp + "\n" + bodySha256Base64)).
func (*OpenApiAuthenticator) Authenticate ¶ added in v0.6.0
func (a *OpenApiAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
func (*OpenApiAuthenticator) Supports ¶ added in v0.6.0
func (*OpenApiAuthenticator) Supports(authType string) bool
type PasswordAuthenticator ¶
type PasswordAuthenticator struct {
// contains filtered or unexported fields
}
PasswordAuthenticator verifies username/password credentials with optional decryption support for scenarios where clients encrypt passwords before transmission.
func (*PasswordAuthenticator) Authenticate ¶
func (p *PasswordAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
func (*PasswordAuthenticator) Supports ¶
func (*PasswordAuthenticator) Supports(authType string) bool
type RbacDataPermissionResolver ¶ added in v0.8.4
type RbacDataPermissionResolver struct {
// contains filtered or unexported fields
}
RbacDataPermissionResolver implements role-based data permission resolution. It delegates role permissions loading to a RolePermissionsLoader implementation.
func (*RbacDataPermissionResolver) ResolveDataScope ¶ added in v0.8.4
func (r *RbacDataPermissionResolver) ResolveDataScope( ctx context.Context, principal *security.Principal, permToken string, ) (security.DataScope, error)
ResolveDataScope resolves the applicable DataScope for the given principal and permission token. When a user has multiple roles with the same permission token but different data scopes, this method collects all matching scopes and returns the one with the highest priority. Returns nil if no matching permission is found.
type RbacPermissionChecker ¶ added in v0.6.0
type RbacPermissionChecker struct {
// contains filtered or unexported fields
}
func (*RbacPermissionChecker) HasPermission ¶ added in v0.6.0
func (c *RbacPermissionChecker) HasPermission( ctx context.Context, principal *security.Principal, permissionToken string, ) (bool, error)
HasPermission loads roles sequentially rather than in parallel, optimizing for the common case of one to three roles.
type RefreshParams ¶
RefreshParams represents the request parameters for token refresh operation.