Documentation
¶
Index ¶
- Constants
- Variables
- func NewAuthManager(authenticators []security.Authenticator) security.AuthManager
- func NewAuthResource(authManager security.AuthManager, tokenGenerator security.TokenGenerator) api.Resource
- func NewJWTAuthenticator(jwt *security.JWT) security.Authenticator
- func NewJWTRefreshAuthenticator(jwt *security.JWT, userLoader security.UserLoader) security.Authenticator
- func NewJWTTokenGenerator(jwt *security.JWT, securityConfig *config.SecurityConfig) security.TokenGenerator
- func NewOpenAPIAuthenticator(loader security.ExternalAppLoader) security.Authenticator
- func NewPasswordAuthenticator(loader security.UserLoader, decryptor security.PasswordDecryptor) security.Authenticator
- func NewRBACDataPermResolver(loader security.RolePermissionsLoader) security.DataPermissionResolver
- func NewRBACPermissionChecker(loader security.RolePermissionsLoader) security.PermissionChecker
- type AuthResource
- type AuthenticatorAuthManager
- type JWTRefreshAuthenticator
- type JWTTokenAuthenticator
- type JWTTokenGenerator
- type LoginParams
- type OpenapiAuthenticator
- type PasswordAuthenticator
- type RBACDataPermResolver
- type RBACPermissionChecker
- type RefreshParams
Constants ¶
const (
// OpenAPI authentication type.
AuthTypeOpenAPI = "openapi"
)
const (
// Password authentication type.
AuthTypePassword = "password"
)
const (
// Refresh authentication type.
AuthTypeRefresh = "refresh"
)
const (
// Token authentication type.
AuthTypeToken = "token"
)
Variables ¶
var Module = fx.Module( "vef:security", fx.Provide( fx.Annotate( func(config *config.AppConfig) (*security.JWT, error) { return security.NewJWT(&security.JWTConfig{ Audience: lo.SnakeCase(config.Name), }) }, ), fx.Annotate( NewJWTAuthenticator, fx.ResultTags(`group:"vef:security:authenticators"`), ), fx.Annotate( NewJWTRefreshAuthenticator, fx.ParamTags(``, `optional:"true"`), fx.ResultTags(`group:"vef:security:authenticators"`), ), NewJWTTokenGenerator, fx.Annotate( NewOpenAPIAuthenticator, fx.ParamTags(`optional:"true"`), fx.ResultTags(`group:"vef:security:authenticators"`), ), fx.Annotate( NewPasswordAuthenticator, fx.ParamTags(`optional:"true"`, `optional:"true"`), fx.ResultTags(`group:"vef:security:authenticators"`), ), fx.Annotate( NewAuthManager, fx.ParamTags(`group:"vef:security:authenticators"`), ), fx.Annotate( NewRBACPermissionChecker, fx.ParamTags(`optional:"true"`), ), fx.Annotate( NewRBACDataPermResolver, fx.ParamTags(`optional:"true"`), ), fx.Annotate( NewAuthResource, fx.ResultTags(`group:"vef:api:resources"`), ), ), fx.Invoke(func() { logger.Info("Security module initialized") }), )
Module provides the security-related dependencies for the application.
Functions ¶
func NewAuthManager ¶
func NewAuthManager(authenticators []security.Authenticator) security.AuthManager
NewAuthManager creates a new authentication manager with the provided authenticators.
func NewAuthResource ¶
func NewAuthResource(authManager security.AuthManager, tokenGenerator security.TokenGenerator) api.Resource
NewAuthResource creates a new authentication resource with the provided auth manager and token generator.
func NewJWTAuthenticator ¶
func NewJWTAuthenticator(jwt *security.JWT) security.Authenticator
NewJWTAuthenticator creates a new JWT authenticator.
func NewJWTRefreshAuthenticator ¶
func NewJWTRefreshAuthenticator(jwt *security.JWT, userLoader security.UserLoader) security.Authenticator
func NewJWTTokenGenerator ¶
func NewJWTTokenGenerator(jwt *security.JWT, securityConfig *config.SecurityConfig) security.TokenGenerator
NewJWTTokenGenerator creates a new JWT token generator.
func NewOpenAPIAuthenticator ¶
func NewOpenAPIAuthenticator(loader security.ExternalAppLoader) security.Authenticator
NewOpenAPIAuthenticator creates a new OpenAPI authenticator with the given loader.
func NewPasswordAuthenticator ¶
func NewPasswordAuthenticator(loader security.UserLoader, decryptor security.PasswordDecryptor) security.Authenticator
NewPasswordAuthenticator creates a new password authenticator with the given user loader. The decryptor parameter is optional; pass nil if passwords are transmitted in plaintext.
func NewRBACDataPermResolver ¶
func NewRBACDataPermResolver(loader security.RolePermissionsLoader) security.DataPermissionResolver
NewRBACDataPermResolver creates a new RBAC data permission resolver. loader: The strategy for loading role permissions.
func NewRBACPermissionChecker ¶
func NewRBACPermissionChecker(loader security.RolePermissionsLoader) security.PermissionChecker
NewRBACPermissionChecker creates a new RBAC permission checker. loader: The strategy for loading role permissions.
Types ¶
type AuthResource ¶
AuthResource handles authentication-related API endpoints.
func (*AuthResource) Login ¶
func (a *AuthResource) Login(ctx fiber.Ctx, params LoginParams) error
Login authenticates a user and returns token credentials. It validates the provided credentials and generates access tokens upon successful authentication.
func (*AuthResource) Logout ¶
func (a *AuthResource) Logout(ctx fiber.Ctx) error
Logout logs out the authenticated user and invalidates their session. This is a client-side logout implementation that returns success immediately. Token invalidation should be handled on the client side by removing stored tokens.
func (*AuthResource) Refresh ¶
func (a *AuthResource) Refresh(ctx fiber.Ctx, params RefreshParams) error
Refresh refreshes the access token using a valid refresh token. It validates the refresh token and generates new access tokens. Note: The user data reload logic is now handled by JWTRefreshAuthenticator.
type AuthenticatorAuthManager ¶
type AuthenticatorAuthManager struct {
// contains filtered or unexported fields
}
AuthenticatorAuthManager implements the AuthManager interface. It manages multiple authenticators and delegates authentication requests to the appropriate one.
func (*AuthenticatorAuthManager) Authenticate ¶
func (am *AuthenticatorAuthManager) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
Authenticate attempts to authenticate the provided authentication information. It finds the appropriate authenticator and delegates the authentication request.
type JWTRefreshAuthenticator ¶
type JWTRefreshAuthenticator struct {
// contains filtered or unexported fields
}
func (*JWTRefreshAuthenticator) Authenticate ¶
func (j *JWTRefreshAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
func (*JWTRefreshAuthenticator) Supports ¶
func (j *JWTRefreshAuthenticator) Supports(authType string) bool
type JWTTokenAuthenticator ¶
type JWTTokenAuthenticator struct {
// contains filtered or unexported fields
}
JWTTokenAuthenticator implements the Authenticator interface for JWT token authentication. It validates JWT tokens and extracts principal information from them.
func (*JWTTokenAuthenticator) Authenticate ¶
func (ja *JWTTokenAuthenticator) Authenticate(_ context.Context, authentication security.Authentication) (*security.Principal, error)
Authenticate validates the JWT token and returns the principal. The credentials field should contain the JWT access token.
func (*JWTTokenAuthenticator) Supports ¶
func (*JWTTokenAuthenticator) Supports(authType string) bool
Supports checks if this authenticator can handle JWT authentication.
type JWTTokenGenerator ¶
type JWTTokenGenerator struct {
// contains filtered or unexported fields
}
JWTTokenGenerator implements the TokenGenerator interface for JWT tokens. It generates both access and refresh tokens using the JWT helper.
func (*JWTTokenGenerator) Generate ¶
func (g *JWTTokenGenerator) Generate(principal *security.Principal) (*security.AuthTokens, error)
Generate creates authentication tokens for the given principal. It generates both access and refresh tokens.
type LoginParams ¶
type LoginParams struct {
api.In
// Authentication contains user credentials
security.Authentication
}
LoginParams represents the request parameters for user login.
type OpenapiAuthenticator ¶
type OpenapiAuthenticator struct {
// contains filtered or unexported fields
}
OpenapiAuthenticator implements Authenticator for simple HMAC based OpenAPI authentication. Contract in this framework:
- Authentication.Principal: appId
- Authentication.Credentials: "<signatureHex>@<timestamp>@<bodySha256Base64>"
- SignatureHex is computed as hex(HMAC-SHA256(secret, appId + "\n" + timestamp + "\n" + bodySha256Base64)) where bodySha256Base64 is the Base64(SHA256(raw request body)), timestamp is unix seconds string.
- We only consider appId, timestamp and body hash because the framework uses unified POST with Request body.
func (*OpenapiAuthenticator) Authenticate ¶
func (a *OpenapiAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
Authenticate validates the provided OpenAPI authentication information.
func (*OpenapiAuthenticator) Supports ¶
func (*OpenapiAuthenticator) Supports(authType string) bool
Supports checks if this authenticator can handle OpenAPI authentication.
type PasswordAuthenticator ¶
type PasswordAuthenticator struct {
// contains filtered or unexported fields
}
PasswordAuthenticator implements the Authenticator interface using username/password verification. It relies on an externally provided security.UserLoader to load user info and password hash. Optionally supports password decryption via security.PasswordDecryptor for scenarios where clients encrypt passwords before transmission.
func (*PasswordAuthenticator) Authenticate ¶
func (p *PasswordAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)
Authenticate validates credentials which should be a plaintext password for the given principal (username).
func (*PasswordAuthenticator) Supports ¶
func (*PasswordAuthenticator) Supports(authType string) bool
Supports checks if this authenticator can handle password authentication.
type RBACDataPermResolver ¶
type RBACDataPermResolver struct {
// contains filtered or unexported fields
}
RBACDataPermResolver implements role-based data permission resolution. It delegates role permissions loading to a RolePermissionsLoader implementation.
func (*RBACDataPermResolver) ResolveDataScope ¶
func (r *RBACDataPermResolver) ResolveDataScope( ctx context.Context, principal *security.Principal, permToken string, ) (security.DataScope, error)
ResolveDataScope resolves the applicable DataScope for the given principal and permission token. When a user has multiple roles with the same permission token but different data scopes, this method collects all matching scopes and returns the one with the highest priority. Returns nil if no matching permission is found.
type RBACPermissionChecker ¶
type RBACPermissionChecker struct {
// contains filtered or unexported fields
}
RBACPermissionChecker implements role-based access control (RBAC) permission checking. It delegates role permissions loading to a RolePermissionsLoader implementation.
func (*RBACPermissionChecker) HasPermission ¶
func (c *RBACPermissionChecker) HasPermission( ctx context.Context, principal *security.Principal, permissionToken string, ) (bool, error)
HasPermission checks if the principal has the required permission based on their roles. System principals always have all permissions. For user and external app principals, it loads role permissions sequentially. Sequential loading is more efficient for typical use cases (1-3 roles per user).
type RefreshParams ¶
type RefreshParams struct {
api.In
// RefreshToken is the JWT refresh token used to generate new access tokens
RefreshToken string `json:"refreshToken"`
}
RefreshParams represents the request parameters for token refresh operation.
Source Files