Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuditStore ¶
type AuditStore interface {
RecordAuthEvent(entry interface{}) error
}
AuditStore interface for authentication event logging (Phase 29)
type AuthHandler ¶
type AuthHandler struct {
// contains filtered or unexported fields
}
AuthHandler handles OAuth2/OIDC authentication flows
func NewAuthHandler ¶
func NewAuthHandler( providers map[string]Provider, sessionStore SessionStore, userSessionStore UserSessionStore, privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey, roleMapper *RoleMapper, auditStore AuditStore, ) *AuthHandler
NewAuthHandler creates a new AuthHandler with configured providers sessionStore receives NATS KV connection from server.go (same pattern as Phase 20 certificate storage)
func (*AuthHandler) HandleCallback ¶
func (h *AuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request)
HandleCallback processes OAuth2 callback and issues JWT access token Query parameters:
- code: Authorization code from provider
- state: CSRF protection token (must match session state)
- error: Optional error from provider
Flow:
- Retrieve session data and verify state token
- Exchange authorization code for tokens (with PKCE verifier)
- Verify ID token (OIDC) or fetch user info (GitHub)
- Check email_verified claim (reject if false)
- Map claims to role (admin or readonly)
- Issue JWT access token
- Delete session (single-use)
func (*AuthHandler) HandleLogin ¶
func (h *AuthHandler) HandleLogin(w http.ResponseWriter, r *http.Request)
HandleLogin initiates OAuth2 login flow with PKCE Query parameters:
- provider: Provider name (google, github, azure, okta)
Flow:
- Generate PKCE verifier and state token
- Store session data server-side (XSS protection)
- Set session cookie (HttpOnly, Secure, SameSite=Lax)
- Redirect to provider authorization URL with S256 challenge
func (*AuthHandler) HandleLogout ¶
func (h *AuthHandler) HandleLogout(w http.ResponseWriter, r *http.Request)
HandleLogout handles user logout by revoking the session and clearing the cookie. Supports both GET and POST methods (GET for simple links, POST for CSRF-protected forms). Flow:
- Get session ID from cookie
- Delete session from NATS KV (revokes immediately)
- Clear session cookie (MaxAge=-1)
- Redirect to login page with logged_out message
type GitHubProvider ¶
type GitHubProvider struct {
// contains filtered or unexported fields
}
GitHubProvider represents a GitHub OAuth2 provider (non-OIDC) GitHub does not support OIDC Discovery - uses OAuth2 with /user API
func NewGitHubProvider ¶
func NewGitHubProvider(providerConfig auth.Provider, redirectURL string) (*GitHubProvider, error)
NewGitHubProvider creates a new GitHub OAuth2 provider GitHub does not support OIDC - uses plain OAuth2 with /user API fallback
func (*GitHubProvider) FetchUserInfo ¶
func (p *GitHubProvider) FetchUserInfo(ctx context.Context, token *oauth2.Token) (email string, login string, err error)
FetchUserInfo calls GitHub /user API to retrieve user email and login Returns error if email is null (private email setting enabled)
func (*GitHubProvider) GetOAuth2Config ¶
func (p *GitHubProvider) GetOAuth2Config() *oauth2.Config
GetOAuth2Config returns the OAuth2 configuration for authorization URL generation
func (*GitHubProvider) Name ¶
func (p *GitHubProvider) Name() string
Name returns the provider display name
func (*GitHubProvider) Type ¶
func (p *GitHubProvider) Type() string
Type returns the provider type (always "github")
type GitHubUser ¶
type GitHubUser struct {
Login string `json:"login"`
Email string `json:"email"`
Name string `json:"name"`
}
GitHubUser represents the GitHub user API response
type OIDCProvider ¶
type OIDCProvider struct {
// contains filtered or unexported fields
}
OIDCProvider represents an OIDC provider with discovery support
func NewOIDCProvider ¶
func NewOIDCProvider(ctx context.Context, providerConfig auth.Provider, redirectURL string) (*OIDCProvider, error)
NewOIDCProvider creates a new OIDC provider with automatic discovery Supports Google, Azure AD, and Okta via OIDC Discovery protocol Returns error if discovery fails (caller should log warning and skip provider)
func (*OIDCProvider) GetOAuth2Config ¶
func (p *OIDCProvider) GetOAuth2Config() *oauth2.Config
GetOAuth2Config returns the OAuth2 configuration for authorization URL generation
func (*OIDCProvider) Name ¶
func (p *OIDCProvider) Name() string
Name returns the provider display name
func (*OIDCProvider) Type ¶
func (p *OIDCProvider) Type() string
Type returns the provider type (google, azure, okta)
func (*OIDCProvider) VerifyIDToken ¶
VerifyIDToken verifies an ID token's signature, audience, and expiration Returns the verified token with claims if successful
type RoleMapper ¶
type RoleMapper struct {
// contains filtered or unexported fields
}
RoleMapper maps OIDC claims (email, groups) to Neuwerk roles
func NewRoleMapper ¶
func NewRoleMapper(config *auth.RoleMapping) *RoleMapper
NewRoleMapper creates a new RoleMapper with the given configuration
func (*RoleMapper) MapRole ¶
func (m *RoleMapper) MapRole(email string, groups []string) string
MapRole maps user email and groups to a Neuwerk role Returns "admin" if email or group matches admin mappings Returns "readonly" if group matches readonly mappings Returns "" if no mapping matches (caller should deny access)
Matching rules (from CONTEXT.md):
- Email OR group match grants admin (either path works)
- Exact string matching (no wildcards, no regex)
- Case-sensitive comparison
- First match wins (admin checked before readonly)
- No default role: unmatched users denied access
type SessionStore ¶
type SessionStore interface {
Create(ctx context.Context, data session.SessionData) (string, error)
Get(ctx context.Context, sessionID string) (*session.SessionData, error)
Delete(ctx context.Context, sessionID string) error
}
SessionStore interface defines session storage operations
Source Files