security



Constants

// AuthTypeOpenApi is the authType value for HMAC-signed OpenApi (external
// application) authentication; see OpenApiAuthenticator.
const AuthTypeOpenApi = "openapi"
// AuthTypePassword is the authType value for username/password authentication;
// see PasswordAuthenticator.
const AuthTypePassword = "password"
// AuthTypeRefresh is the authType value for exchanging a Jwt refresh token for
// new access tokens; see JwtRefreshAuthenticator and AuthResource.Refresh.
const AuthTypeRefresh = "refresh"
// AuthTypeToken is the authType value for Jwt access-token authentication;
// see JwtTokenAuthenticator.
const AuthTypeToken = "token"

Variables

// Module wires the security layer into the fx dependency graph: a Jwt helper,
// four authenticators (Jwt access token, Jwt refresh, OpenApi HMAC, password)
// collected into the "vef:security:authenticators" group, the token generator,
// the AuthManager that dispatches to those authenticators, the RBAC permission
// checker and data-permission resolver, and the authentication Api resource.
//
// Parameters tagged `optional:"true"` are expected from the host application;
// when one is not provided, fx injects the zero value (nil) for it, and the
// constructor is still called.
var Module = fx.Module(
	"vef:security",
	fx.Provide(
		// Jwt helper. Only the audience is configured here (the snake_cased
		// application name); every other JwtConfig field is left at its zero
		// value, so where the signing key comes from is not visible in this file.
		fx.Annotate(
			func(appConfig *config.AppConfig) (*security.Jwt, error) {
				jwtConfig := &security.JwtConfig{Audience: lo.SnakeCase(appConfig.Name)}
				return security.NewJwt(jwtConfig)
			},
		),

		// Access-token authenticator; no optional inputs.
		fx.Annotate(NewJwtAuthenticator, fx.ResultTags(`group:"vef:security:authenticators"`)),

		// Refresh-token authenticator; its UserLoader (second parameter) is optional.
		fx.Annotate(
			NewJwtRefreshAuthenticator,
			fx.ParamTags(``, `optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),

		NewJwtTokenGenerator,

		// OpenApi (HMAC) authenticator; its ExternalAppLoader is optional.
		fx.Annotate(
			NewOpenApiAuthenticator,
			fx.ParamTags(`optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),

		// Password authenticator; both the UserLoader and the PasswordDecryptor
		// are optional.
		fx.Annotate(
			NewPasswordAuthenticator,
			fx.ParamTags(`optional:"true"`, `optional:"true"`),
			fx.ResultTags(`group:"vef:security:authenticators"`),
		),

		// The AuthManager receives every authenticator registered in the group above.
		fx.Annotate(NewAuthManager, fx.ParamTags(`group:"vef:security:authenticators"`)),

		// RBAC: both depend on an optional RolePermissionsLoader.
		fx.Annotate(NewRbacPermissionChecker, fx.ParamTags(`optional:"true"`)),
		fx.Annotate(NewRbacDataPermResolver, fx.ParamTags(`optional:"true"`)),

		// Authentication endpoints; the UserInfoLoader (third parameter) is optional.
		fx.Annotate(
			NewAuthResource,
			fx.ParamTags(``, ``, `optional:"true"`),
			fx.ResultTags(`group:"vef:api:resources"`),
		),
	),
)

Module provides the security-related dependencies for the application: the Jwt helper, the Jwt, refresh, OpenApi and password authenticators (collected into the `vef:security:authenticators` group), the token generator, the AuthManager, the RBAC permission checker and data-permission resolver, and the authentication Api resource. Parameters tagged `optional:"true"` — the user, external-app, role-permission and user-info loaders, and the password decryptor — are expected from the host application; when one is absent fx injects nil and the constructor is still called, so confirm how each constructor behaves with a nil loader before relying on that authenticator or checker.

Functions

func NewAuthManager

func NewAuthManager(authenticators []security.Authenticator) security.AuthManager

NewAuthManager creates a new authentication manager with the provided authenticators.

func NewAuthResource

func NewAuthResource(authManager security.AuthManager, tokenGenerator security.TokenGenerator, userInfoLoader security.UserInfoLoader) api.Resource

NewAuthResource creates a new authentication resource with the provided auth manager and token generator. userInfoLoader is optional (Module allows it to be nil); it is only needed by GetUserInfo.

func NewJwtAuthenticator added in v0.6.0

func NewJwtAuthenticator(jwt *security.Jwt) security.Authenticator

NewJwtAuthenticator creates a new Jwt authenticator that validates Jwt access tokens using the given Jwt helper.

func NewJwtRefreshAuthenticator added in v0.6.0

func NewJwtRefreshAuthenticator(jwt *security.Jwt, userLoader security.UserLoader) security.Authenticator

func NewJwtTokenGenerator added in v0.6.0

func NewJwtTokenGenerator(jwt *security.Jwt, securityConfig *config.SecurityConfig) security.TokenGenerator

NewJwtTokenGenerator creates a new Jwt token generator.

func NewOpenApiAuthenticator added in v0.6.0

func NewOpenApiAuthenticator(loader security.ExternalAppLoader) security.Authenticator

NewOpenApiAuthenticator creates a new OpenApi authenticator with the given loader.

func NewPasswordAuthenticator

func NewPasswordAuthenticator(loader security.UserLoader, decryptor security.PasswordDecryptor) security.Authenticator

NewPasswordAuthenticator creates a new password authenticator with the given user loader. The decryptor parameter is optional; pass nil when clients send the password as-is. In that case the password is protected only by the transport, so the login endpoint must be served over TLS. A PasswordDecryptor merely reverses client-side encryption of the password field; it is not a substitute for TLS.

func NewRbacDataPermResolver added in v0.6.0

func NewRbacDataPermResolver(loader security.RolePermissionsLoader) security.DataPermissionResolver

NewRbacDataPermResolver creates a new RBAC data permission resolver. loader: The strategy for loading role permissions.

func NewRbacPermissionChecker added in v0.6.0

func NewRbacPermissionChecker(loader security.RolePermissionsLoader) security.PermissionChecker

NewRbacPermissionChecker creates a new RBAC permission checker. loader: The strategy for loading role permissions.

Types

type AuthResource

type AuthResource struct {
	api.Resource
	// contains filtered or unexported fields
}

AuthResource handles authentication-related Api endpoints.

func (*AuthResource) GetUserInfo added in v0.6.0

func (a *AuthResource) GetUserInfo(ctx fiber.Ctx, principal *security.Principal) error

GetUserInfo retrieves detailed information about the currently authenticated user. It requires a UserInfoLoader implementation to be provided.

func (*AuthResource) Login

func (a *AuthResource) Login(ctx fiber.Ctx, params LoginParams) error

Login authenticates a user and returns token credentials. It validates the provided credentials and generates access tokens upon successful authentication.

func (*AuthResource) Logout

func (a *AuthResource) Logout(ctx fiber.Ctx) error

Logout returns success immediately and performs no server-side invalidation: the user's access and refresh tokens remain valid until they expire, so the client must discard its stored tokens. If tokens must be revoked before expiry (for example after credential compromise), a server-side deny-list or short token lifetimes have to be added by the application; this package does not provide them.

func (*AuthResource) Refresh

func (a *AuthResource) Refresh(ctx fiber.Ctx, params RefreshParams) error

Refresh refreshes the access token using a valid refresh token. It validates the refresh token and generates new access tokens. Note: reloading the user's data from the UserLoader during refresh is handled by JwtRefreshAuthenticator, whose UserLoader dependency is optional in Module; what Refresh returns when no UserLoader is provided is not documented here.

type AuthenticatorAuthManager

type AuthenticatorAuthManager struct {
	// contains filtered or unexported fields
}

AuthenticatorAuthManager implements the AuthManager interface. It manages multiple authenticators and delegates authentication requests to the appropriate one.

func (*AuthenticatorAuthManager) Authenticate

func (am *AuthenticatorAuthManager) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)

Authenticate attempts to authenticate the provided authentication information. It selects an authenticator whose Supports method accepts the authentication's type and delegates the request to it.

type JwtRefreshAuthenticator added in v0.6.0

type JwtRefreshAuthenticator struct {
	// contains filtered or unexported fields
}

func (*JwtRefreshAuthenticator) Authenticate added in v0.6.0

func (j *JwtRefreshAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)

func (*JwtRefreshAuthenticator) Supports added in v0.6.0

func (j *JwtRefreshAuthenticator) Supports(authType string) bool

type JwtTokenAuthenticator added in v0.6.0

type JwtTokenAuthenticator struct {
	// contains filtered or unexported fields
}

JwtTokenAuthenticator implements the Authenticator interface for Jwt token authentication. It validates Jwt tokens and extracts principal information from them.

func (*JwtTokenAuthenticator) Authenticate added in v0.6.0

func (ja *JwtTokenAuthenticator) Authenticate(_ context.Context, authentication security.Authentication) (*security.Principal, error)

Authenticate validates the Jwt token and returns the principal. The credentials field should contain the Jwt access token; refresh tokens are handled by JwtRefreshAuthenticator instead.

func (*JwtTokenAuthenticator) Supports added in v0.6.0

func (*JwtTokenAuthenticator) Supports(authType string) bool

Supports checks if this authenticator can handle Jwt authentication.

type JwtTokenGenerator added in v0.6.0

type JwtTokenGenerator struct {
	// contains filtered or unexported fields
}

JwtTokenGenerator implements the TokenGenerator interface for Jwt tokens. It generates both access and refresh tokens using the Jwt helper.

func (*JwtTokenGenerator) Generate added in v0.6.0

func (g *JwtTokenGenerator) Generate(principal *security.Principal) (*security.AuthTokens, error)

Generate creates authentication tokens for the given principal. It generates both access and refresh tokens.

type LoginParams

type LoginParams struct {
	api.P

	// Authentication contains the user credentials: the authentication type
	// (one of the AuthType* constants) selects the authenticator, which in turn
	// defines how Principal and Credentials are interpreted. Credentials is a
	// secret (password, token or signature) — never log or echo it.
	security.Authentication
}

LoginParams represents the request parameters for user login.

type OpenApiAuthenticator added in v0.6.0

type OpenApiAuthenticator struct {
	// contains filtered or unexported fields
}

OpenApiAuthenticator implements Authenticator for simple HMAC based OpenApi authentication. Contract in this framework:

  • Authentication.Principal: appId
  • Authentication.Credentials: "<signatureHex>@<timestamp>@<bodySha256Base64>"
  • SignatureHex is computed as hex(HMAC-SHA256(secret, appId + "\n" + timestamp + "\n" + bodySha256Base64)), where bodySha256Base64 is Base64(SHA256(raw request body)) and timestamp is the unix-seconds string. The secret is presumably the one the ExternalAppLoader returns for appId.
  • Only appId, timestamp and the body hash are signed because the framework uses a unified POST with a request body. Since the signature covers neither the URL nor any header, the body hash is the only thing binding it to a particular request, and replay protection depends on Authenticate rejecting stale timestamps; whether it does so, and whether the signature comparison is constant-time, is not stated here and should be verified against the implementation.

func (*OpenApiAuthenticator) Authenticate added in v0.6.0

func (a *OpenApiAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)

Authenticate validates the provided OpenApi authentication information.

func (*OpenApiAuthenticator) Supports added in v0.6.0

func (*OpenApiAuthenticator) Supports(authType string) bool

Supports checks if this authenticator can handle OpenApi authentication.

type PasswordAuthenticator

type PasswordAuthenticator struct {
	// contains filtered or unexported fields
}

PasswordAuthenticator implements the Authenticator interface using username/password verification. It relies on an externally provided security.UserLoader to load user info and password hash. Optionally supports password decryption via security.PasswordDecryptor for scenarios where clients encrypt passwords before transmission.

func (*PasswordAuthenticator) Authenticate

func (p *PasswordAuthenticator) Authenticate(ctx context.Context, authentication security.Authentication) (*security.Principal, error)

Authenticate validates the credentials for the given principal (username). The credentials should be the user's password, either in plaintext or — when a security.PasswordDecryptor is configured — in the client-encrypted form that the decryptor reverses before verification against the stored hash.

func (*PasswordAuthenticator) Supports

func (*PasswordAuthenticator) Supports(authType string) bool

Supports checks if this authenticator can handle password authentication.

type RbacDataPermResolver added in v0.6.0

type RbacDataPermResolver struct {
	// contains filtered or unexported fields
}

RbacDataPermResolver implements role-based data permission resolution. It delegates role permissions loading to a RolePermissionsLoader implementation.

func (*RbacDataPermResolver) ResolveDataScope added in v0.6.0

func (r *RbacDataPermResolver) ResolveDataScope(
	ctx context.Context,
	principal *security.Principal,
	permToken string,
) (security.DataScope, error)

ResolveDataScope resolves the applicable DataScope for the given principal and permission token. When a user has multiple roles with the same permission token but different data scopes, this method collects all matching scopes and returns the one with the highest priority. Returns nil if no matching permission is found.

type RbacPermissionChecker added in v0.6.0

type RbacPermissionChecker struct {
	// contains filtered or unexported fields
}

RbacPermissionChecker implements role-based access control (RBAC) permission checking. It delegates role permissions loading to a RolePermissionsLoader implementation.

func (*RbacPermissionChecker) HasPermission added in v0.6.0

func (c *RbacPermissionChecker) HasPermission(
	ctx context.Context,
	principal *security.Principal,
	permissionToken string,
) (bool, error)

HasPermission checks if the principal has the required permission based on their roles. System principals always have all permissions — the role check is bypassed entirely for them, so code that constructs Principals must never let client-supplied input determine the system principal type. For user and external app principals, it loads role permissions sequentially; sequential loading is more efficient for typical use cases (1–3 roles per user).

type RefreshParams

type RefreshParams struct {
	api.P

	// RefreshToken is the Jwt refresh token used to generate new access tokens.
	// Refresh accepts it as the sole credential, so treat it as a secret and
	// never write it to logs.
	RefreshToken string `json:"refreshToken"`
}

RefreshParams represents the request parameters for token refresh operation.
