Documentation
Index ¶
- Constants
- type APIKeyHook
- type IdentityLinkHook
- type Manager
- func (m *Manager) AddGroupScope(ctx context.Context, name, scope string) (_ *schema.Group, err error)
- func (m *Manager) AddUserGroups(ctx context.Context, user schema.UserID, groups []string) (_ *schema.User, err error)
- func (m *Manager) AuthConfig(ctx context.Context) (_ schema.PublicClientConfigurations, err error)
- func (m *Manager) AuthenticateBearer(ctx context.Context, token string) (_ *schema.UserInfo, _ *schema.Session, err error)
- func (m *Manager) AuthenticateKey(ctx context.Context, token string) (_ *schema.UserInfo, _ *schema.Key, err error)
- func (m *Manager) ChangeNotification(ctx context.Context, callback func(schema.ChangeNotification)) error
- func (m *Manager) CleanupSessions(ctx context.Context) (_ []schema.Session, err error)
- func (m *Manager) CreateGroup(ctx context.Context, insert schema.GroupInsert) (_ *schema.Group, err error)
- func (m *Manager) CreateIdentity(ctx context.Context, user uuid.UUID, identity schema.IdentityInsert) (_ *schema.Identity, err error)
- func (m *Manager) CreateKey(ctx context.Context, user schema.UserID, meta schema.KeyMeta) (_ *schema.Key, err error)
- func (m *Manager) CreateUser(ctx context.Context, meta schema.UserMeta, identity *schema.IdentityInsert) (_ *schema.User, err error)
- func (m *Manager) DeleteGroup(ctx context.Context, name string) (_ *schema.Group, err error)
- func (m *Manager) DeleteIdentity(ctx context.Context, key schema.IdentityKey) (_ *schema.Identity, err error)
- func (m *Manager) DeleteKey(ctx context.Context, id schema.KeyID, user *schema.UserID) (_ *schema.Key, err error)
- func (m *Manager) DeleteUser(ctx context.Context, user schema.UserID) (_ *schema.User, err error)
- func (m *Manager) GetGroup(ctx context.Context, name string) (_ *schema.Group, err error)
- func (m *Manager) GetIdentity(ctx context.Context, key schema.IdentityKey) (_ *schema.Identity, err error)
- func (m *Manager) GetKeyByID(ctx context.Context, id schema.KeyID, user *schema.UserID) (_ *schema.Key, err error)
- func (m *Manager) GetKeyByToken(ctx context.Context, token string) (_ *schema.Key, _ *schema.User, err error)
- func (m *Manager) GetSession(ctx context.Context, id schema.SessionID) (_ *schema.Session, err error)
- func (m *Manager) GetUser(ctx context.Context, user schema.UserID) (_ *schema.User, err error)
- func (m *Manager) Issuer() (string, error)
- func (m *Manager) ListGroups(ctx context.Context, req schema.GroupListRequest) (_ *schema.GroupList, err error)
- func (m *Manager) ListIdentities(ctx context.Context, req schema.IdentityListRequest) (_ *schema.IdentityList, err error)
- func (m *Manager) ListKeys(ctx context.Context, user *schema.UserID, req schema.KeyListRequest) (_ *schema.KeyList, err error)
- func (m *Manager) ListScopes(ctx context.Context, req schema.ScopeListRequest) (_ *schema.ScopeList, err error)
- func (m *Manager) ListUsers(ctx context.Context, req schema.UserListRequest) (_ *schema.UserList, err error)
- func (m *Manager) LoginWithIdentity(ctx context.Context, meta schema.IdentityInsert, createMeta map[string]any) (_ *schema.User, _ *schema.Session, err error)
- func (m *Manager) Name() string
- func (m *Manager) OIDCConfig() (oidc.OIDCConfiguration, error)
- func (m *Manager) OIDCJWKSet() (jwk.Set, error)
- func (m *Manager) OIDCSign(claims jwt.Claims) (string, error)
- func (m *Manager) OIDCVerify(token, issuer string) (map[string]any, error)
- func (m *Manager) ProtectedResourceMetadata(r *http.Request) (oidc.ProtectedResourceMetadata, error)
- func (m *Manager) Provider(key string) (provider.Provider, error)
- func (m *Manager) ProviderKeys() []string
- func (m *Manager) ProviderPath(key string) (string, error)
- func (m *Manager) RefreshSession(ctx context.Context, id schema.SessionID, refreshCounter uint64) (_ *schema.User, _ *schema.Session, err error)
- func (m *Manager) RemoveGroupScope(ctx context.Context, name, scope string) (_ *schema.Group, err error)
- func (m *Manager) RemoveUserGroups(ctx context.Context, user schema.UserID, groups []string) (_ *schema.User, err error)
- func (m *Manager) RevokeSession(ctx context.Context, id schema.SessionID) (_ *schema.Session, err error)
- func (m *Manager) Run(ctx context.Context) error
- func (m *Manager) UpdateGroup(ctx context.Context, name string, meta schema.GroupMeta) (_ *schema.Group, err error)
- func (m *Manager) UpdateIdentity(ctx context.Context, key schema.IdentityKey, meta schema.IdentityMeta) (_ *schema.Identity, err error)
- func (m *Manager) UpdateKey(ctx context.Context, id schema.KeyID, user *schema.UserID, meta schema.KeyMeta) (_ *schema.Key, err error)
- func (m *Manager) UpdateUser(ctx context.Context, user schema.UserID, meta schema.UserMeta) (_ *schema.User, err error)
- func (m *Manager) Version() string
- func (m *Manager) WithIssuer(issuer string) error
- func (m *Manager) WithProvider(provider provider.Provider) error
- type Opt
- func WithCleanup(interval time.Duration, limit int) Opt
- func WithHooks(hooks any) Opt
- func WithIssuer(issuer string) Opt
- func WithMetrics(meter metric.Meter) Opt
- func WithNotificationChannel(name string) Opt
- func WithProvider(provider providerpkg.Provider) Opt
- func WithSchema(name string) Opt
- func WithSigner(kid string, key *rsa.PrivateKey) Opt
- func WithTTL(sessionTTL, refreshTTL time.Duration) Opt
- func WithTracer(tracer trace.Tracer) Opt
- type UserCreationHook
Constants ¶
const (
	// DefaultCleanupInterval is the interval between stale-session cleanup
	// passes; presumably the value used when WithCleanup is not supplied — confirm.
	DefaultCleanupInterval = time.Hour
	// DefaultCleanupLimit is the maximum number of stale sessions deleted in a
	// single cleanup pass; presumably the value used when WithCleanup is not
	// supplied — confirm.
	DefaultCleanupLimit = 100
	// DefaultCacheSize is the default max entries in the session and key caches.
	DefaultCacheSize = 1000
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type APIKeyHook ¶ added in v0.0.8
// APIKeyHook manages the shape of API tokens, allowing for custom prefixes
// and validation logic. NOTE(review): presumably installed through WithHooks
// like the other hook interfaces — confirm.
type APIKeyHook interface {
	// OnKeyCreate returns the prefix to use for the API key token being
	// created for the given key record.
	OnKeyCreate(context.Context, schema.Key) (string, error)
	// OnKeyValidate returns the token after stripping the prefix, or an error
	// if the token is invalid. The input is the caller-supplied token, so it
	// should be treated as untrusted.
	OnKeyValidate(context.Context, string) (string, error)
}
APIKeyHook manages the shape of API tokens, allowing for custom prefixes and validation logic.
type IdentityLinkHook ¶
// IdentityLinkHook decides whether a new provider identity may be linked to
// an existing local user.
type IdentityLinkHook interface {
	// OnIdentityLink is consulted with the identity about to be linked and the
	// existing user it would be attached to. A non-nil error is presumably how
	// the hook refuses the link — confirm against the Manager's call site.
	OnIdentityLink(context.Context, schema.IdentityInsert, *schema.User) error
}
IdentityLinkHook decides whether a new provider identity may be linked to an existing local user.
type Manager ¶
Manager wraps a database connection pool scoped to the application schema.
func New ¶
func New(ctx context.Context, pool pg.PoolConn, name, version string, opts ...Opt) (*Manager, error)
New creates a Manager, ensures the schema exists, and bootstraps all database objects from the embedded objects.sql. If no schema name is set (see WithSchema) the default schema is used.
func (*Manager) AddGroupScope ¶
func (*Manager) AddUserGroups ¶
func (*Manager) AuthConfig ¶
AuthConfig returns the shareable upstream provider configuration exposed by /auth/config. The client secret remains server-side.
func (*Manager) AuthenticateBearer ¶ added in v0.0.11
func (m *Manager) AuthenticateBearer(ctx context.Context, token string) (_ *schema.UserInfo, _ *schema.Session, err error)
AuthenticateBearer verifies a locally issued access token and returns the public authenticated user shape together with the session required by HTTP middleware.
func (*Manager) AuthenticateKey ¶ added in v0.0.11
func (m *Manager) AuthenticateKey(ctx context.Context, token string) (_ *schema.UserInfo, _ *schema.Key, err error)
AuthenticateKey validates an API key token and returns the public authenticated user shape together with the key required by HTTP middleware.
func (*Manager) ChangeNotification ¶
func (m *Manager) ChangeNotification(ctx context.Context, callback func(schema.ChangeNotification)) error
ChangeNotification invokes callback for each table change notification until the caller context or manager notification listener is cancelled.
func (*Manager) CleanupSessions ¶
CleanupSessions deletes revoked or expired sessions and returns the deleted session rows.
func (*Manager) CreateGroup ¶
func (*Manager) CreateIdentity ¶
func (m *Manager) CreateIdentity(ctx context.Context, user uuid.UUID, identity schema.IdentityInsert) (_ *schema.Identity, err error)
CreateIdentity inserts a new identity row for an existing user.
func (*Manager) CreateUser ¶
func (m *Manager) CreateUser(ctx context.Context, meta schema.UserMeta, identity *schema.IdentityInsert) (_ *schema.User, err error)
CreateUser inserts a new user row. If identity is non-nil it is inserted in the same transaction and the returned User is re-fetched so that Email and Claims reflect the new identity row.
func (*Manager) DeleteGroup ¶
func (*Manager) DeleteIdentity ¶
func (m *Manager) DeleteIdentity(ctx context.Context, key schema.IdentityKey) (_ *schema.Identity, err error)
DeleteIdentity removes an identity row identified by its (provider, sub) primary key and returns the deleted row.
func (*Manager) DeleteUser ¶
func (*Manager) GetIdentity ¶
func (m *Manager) GetIdentity(ctx context.Context, key schema.IdentityKey) (_ *schema.Identity, err error)
GetIdentity retrieves a single identity by its (provider, sub) primary key.
func (*Manager) GetKeyByID ¶ added in v0.0.8
func (*Manager) GetKeyByToken ¶ added in v0.0.8
func (*Manager) GetSession ¶
func (m *Manager) GetSession(ctx context.Context, id schema.SessionID) (_ *schema.Session, err error)
GetSession returns a session by ID.
func (*Manager) Issuer ¶ added in v0.0.4
Issuer returns the canonical issuer for locally signed tokens.
func (*Manager) ListGroups ¶
func (*Manager) ListIdentities ¶
func (m *Manager) ListIdentities(ctx context.Context, req schema.IdentityListRequest) (_ *schema.IdentityList, err error)
func (*Manager) ListScopes ¶
func (*Manager) LoginWithIdentity ¶
func (*Manager) OIDCConfig ¶
func (m *Manager) OIDCConfig() (oidc.OIDCConfiguration, error)
OIDCConfig returns the OIDC configuration for this server, including the issuer URL.
func (*Manager) OIDCJWKSet ¶
OIDCJWKSet returns the public JSON Web Key Set for the manager's configured signing keys.
func (*Manager) OIDCSign ¶
OIDCSign signs the supplied claims with the manager's active signing key. It returns an error if no signing key has been configured.
func (*Manager) OIDCVerify ¶
OIDCVerify verifies a locally signed JWT against the expected issuer, using the configured verification key that matches the token's kid header.
func (*Manager) ProtectedResourceMetadata ¶
func (m *Manager) ProtectedResourceMetadata(r *http.Request) (oidc.ProtectedResourceMetadata, error)
ProtectedResourceMetadata returns OAuth protected-resource metadata for this server.
func (*Manager) ProviderKeys ¶
ProviderKeys returns the keys of all registered providers.
func (*Manager) ProviderPath ¶
ProviderPath returns the mount path for a registered provider browser handler.
func (*Manager) RefreshSession ¶
func (m *Manager) RefreshSession(ctx context.Context, id schema.SessionID, refreshCounter uint64) (_ *schema.User, _ *schema.Session, err error)
RefreshSession validates an existing session, extends its expiry according to the manager refresh policy, and returns the owning user together with the refreshed session record.
func (*Manager) RemoveGroupScope ¶
func (*Manager) RemoveUserGroups ¶
func (*Manager) RevokeSession ¶
func (m *Manager) RevokeSession(ctx context.Context, id schema.SessionID) (_ *schema.Session, err error)
RevokeSession marks a session as revoked and returns the updated session record.
func (*Manager) UpdateGroup ¶
func (*Manager) UpdateIdentity ¶
func (m *Manager) UpdateIdentity(ctx context.Context, key schema.IdentityKey, meta schema.IdentityMeta) (_ *schema.Identity, err error)
UpdateIdentity refreshes the mutable fields (email, claims) on an existing identity row identified by (provider, sub). modified_at is always updated.
func (*Manager) UpdateUser ¶
func (*Manager) WithIssuer ¶ added in v0.0.4
WithIssuer sets the issuer URL for the manager's OIDC configuration.
type Opt ¶
// Opt configures a Manager during construction. Options are passed to New,
// which presumably applies each one to its private opt settings and reports
// any returned error to the caller — confirm.
type Opt func(*opt) error
Opt configures a Manager during construction.
func WithCleanup ¶
WithCleanup sets how often Manager.Run prunes stale sessions and the maximum number of stale sessions deleted in a single cleanup pass.
func WithHooks ¶
WithHooks sets a hook object that may implement one or more supported login hook interfaces such as UserCreationHook or IdentityLinkHook.
func WithIssuer ¶
WithIssuer stores the canonical issuer used for this server's OIDC metadata and locally-signed token verification.
func WithMetrics ¶
WithMetrics sets the OpenTelemetry meter used for manager metrics.
func WithNotificationChannel ¶
WithNotificationChannel sets the PostgreSQL LISTEN/NOTIFY channel used by the table change triggers created during bootstrap.
func WithProvider ¶
func WithProvider(provider providerpkg.Provider) Opt
WithProvider adds an identity provider to the manager. The provider's Key() value is used as the provider identifier in the "iss" claim of tokens issued for identities from that provider and must be unique among all configured providers.
func WithSchema ¶
WithSchema sets the database schema name to use for all queries. If not set the default schema is used.
func WithSigner ¶
func WithSigner(kid string, key *rsa.PrivateKey) Opt
WithSigner stores the RSA private key for later token-signing use. The supplied key ID is used in the "kid" header of signed tokens and must be unique among all configured keys. The last configured key becomes the default signing key used for new tokens and JWKS responses.
func WithTracer ¶
WithTracer sets the OpenTelemetry tracer used for manager spans.