schema

package
v0.0.8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 20, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// GroupSysAdmin is the built-in administrative group seeded at startup.
	// Its name follows the $name$ convention that marks server-managed groups.
	// Members are granted full access to the management API and CLI.
	GroupSysAdmin = "$admin$"

	// ScopeAuthUserRead grants permission to list and get users.
	ScopeAuthUserRead = "auth:user:read"

	// ScopeAuthUserWrite grants permission to create, update, and delete users.
	ScopeAuthUserWrite = "auth:user:write"

	// ScopeAuthGroupRead grants permission to list and get groups.
	ScopeAuthGroupRead = "auth:group:read"

	// ScopeAuthGroupWrite grants permission to create, update, and delete groups.
	ScopeAuthGroupWrite = "auth:group:write"

	// ScopeAuthKeyRead grants permission to list and get API keys.
	ScopeAuthKeyRead = "auth:key:read"

	// ScopeAuthKeyWrite grants permission to create, update, and delete API keys.
	ScopeAuthKeyWrite = "auth:key:write"
)
View Source 
const (
	DefaultSchema     = "auth"
	DefaultSessionTTL = time.Minute * 15   // 15 minutes
	DefaultRefreshTTL = time.Hour * 24 * 7 // 7 days
)
View Source 
const (
	GroupListMax    = 100
	IdentityListMax = 100
	ScopeListMax    = 100
	UserListMax     = 100
)
View Source 
const (
	// ProviderKeyLocal is the reserved provider key for the built-in local
	// issuer. When this provider is not registered, the server has no local
	// issuer and cannot mint local session tokens from the browser login flow.
	ProviderKeyLocal = "local"
)
View Source 
const (
	SecurityBearerAuth = "bearerAuth"
)

Scopes

Variables

View Source 
var (
	// GroupSysAdminScopes is the fixed set of scopes assigned to GroupSysAdmin at startup.
	GroupSysAdminScopes = []string{
		ScopeAuthUserRead, ScopeAuthUserWrite,
		ScopeAuthGroupRead, ScopeAuthGroupWrite,
		ScopeAuthKeyRead, ScopeAuthKeyWrite,
	}
)
View Source 
var Metrics string
View Source 
var Objects string
View Source 
var Queries string

Functions

func IsSystemGroup 

func IsSystemGroup(id string) bool

IsSystemGroup reports whether id is a server-managed group. System groups are identified by the $name$ naming convention and are seeded at startup; they cannot be created, updated, or deleted via the API.

func IsValidUserStatus 

func IsValidUserStatus(status UserStatus) bool

IsValidUserStatus returns true when status is one of the supported values.

Types

type AuthorizationCodeRequest 

type AuthorizationCodeRequest struct {
	Provider     string  `` /* 140-byte string literal not displayed */
	Code         string  `json:"code" jsonschema:"Authorization code returned by the selected provider." example:"4/0AQSTgQExampleCode"`
	RedirectURI  string  `` /* 173-byte string literal not displayed */
	CodeVerifier string  `` /* 170-byte string literal not displayed */
	Nonce        string  `json:"nonce,omitempty" jsonschema:"Optional expected nonce for ID token validation." example:"n-0S6_WzA2Mj"`
	Meta         MetaMap `json:"meta,omitempty" jsonschema:"Optional metadata forwarded into the local login flow after identity exchange."`
}

AuthorizationCodeRequest contains the provider key and authorization code that should be exchanged server-side for a verified identity token.

func (*AuthorizationCodeRequest) Validate 

func (req *AuthorizationCodeRequest) Validate() error

type ChangeNotification 

type ChangeNotification struct {
	Schema string `json:"schema"`
	Table  string `json:"table"`
	Action string `json:"action"`
}

ChangeNotification is emitted for table changes when database notifications are enabled on the manager.

type Group 

type Group struct {
	ID string `json:"id" readonly:""`
	GroupMeta
}

func (*Group) Scan 

func (group *Group) Scan(row pg.Row) error

func (Group) Select 

func (group Group) Select(bind *pg.Bind, op pg.Op) (string, error)

func (Group) String 

func (g Group) String() string

type GroupInsert 

type GroupInsert struct {
	ID string `json:"id"`
	GroupMeta
}

func (GroupInsert) Insert 

func (group GroupInsert) Insert(bind *pg.Bind) (string, error)

func (GroupInsert) String 

func (g GroupInsert) String() string

type GroupList 

type GroupList struct {
	pg.OffsetLimit
	Count uint    `json:"count" readonly:""`
	Body  []Group `json:"body,omitempty"`
}

GroupList represents a paginated list of groups.

func (*GroupList) Scan 

func (list *GroupList) Scan(row pg.Row) error

func (*GroupList) ScanCount 

func (list *GroupList) ScanCount(row pg.Row) error

func (GroupList) String 

func (g GroupList) String() string

type GroupListRequest 

type GroupListRequest struct {
	pg.OffsetLimit
}

GroupListRequest contains the query parameters for listing groups.

func (GroupListRequest) Query 

func (req GroupListRequest) Query() url.Values

func (GroupListRequest) Select 

func (req GroupListRequest) Select(bind *pg.Bind, op pg.Op) (string, error)

func (GroupListRequest) String 

func (req GroupListRequest) String() string

type GroupMeta 

type GroupMeta struct {
	Description *string  `json:"description,omitempty"`
	Enabled     *bool    `json:"enabled,omitempty" negatable:""`
	Scopes      []string `json:"scopes,omitempty"`
	Meta        MetaMap  `json:"meta,omitempty"`
}

func (GroupMeta) Insert 

func (group GroupMeta) Insert(bind *pg.Bind) (string, error)

func (GroupMeta) String 

func (g GroupMeta) String() string

func (GroupMeta) Update 

func (group GroupMeta) Update(bind *pg.Bind) error

type Identity 

type Identity struct {
	IdentityKey
	IdentityMeta
	User       UserID    `json:"user" format:"uuid" readonly:""`
	CreatedAt  time.Time `json:"created_at" format:"date-time" readonly:""`
	ModifiedAt time.Time `json:"modified_at" format:"date-time" readonly:""`
}

Identity represents a stored identity row.

func (Identity) RedactedString 

func (i Identity) RedactedString() string

func (*Identity) Scan 

func (i *Identity) Scan(row pg.Row) error

Scan reads a full identity row into the receiver. Expected column order: user, provider, sub, email, claims, created_at, modified_at.

func (Identity) String 

func (i Identity) String() string

type IdentityInsert 

type IdentityInsert struct {
	IdentityKey
	IdentityMeta
}

IdentityInsert contains the fields required to create a new identity.

func NewIdentityFromClaims 

func NewIdentityFromClaims(claims map[string]any) (IdentityInsert, error)

func (IdentityInsert) Insert 

func (i IdentityInsert) Insert(bind *pg.Bind) (string, error)

Insert binds the identity key and delegates the mutable fields to IdentityMeta.Insert. The owning user must already be present in the bind.

func (IdentityInsert) Name 

func (i IdentityInsert) Name() string

func (IdentityInsert) RedactedString 

func (i IdentityInsert) RedactedString() string

func (IdentityInsert) String 

func (i IdentityInsert) String() string

type IdentityKey 

type IdentityKey struct {
	Provider string `json:"provider"`
	Sub      string `json:"sub"`
}

IdentityKey contains the key for an identity.

func (IdentityKey) RedactedString 

func (key IdentityKey) RedactedString() string

func (IdentityKey) Select 

func (key IdentityKey) Select(bind *pg.Bind, op pg.Op) (string, error)

Select binds the identity key and returns the appropriate named query for the given operation (Get, Update or Delete).

func (IdentityKey) String 

func (key IdentityKey) String() string

type IdentityList 

type IdentityList struct {
	pg.OffsetLimit
	Count uint       `json:"count" readonly:""`
	Body  []Identity `json:"body,omitempty"`
}

IdentityList represents a paginated list of identities.

func (*IdentityList) Scan 

func (list *IdentityList) Scan(row pg.Row) error

func (*IdentityList) ScanCount 

func (list *IdentityList) ScanCount(row pg.Row) error

func (IdentityList) String 

func (list IdentityList) String() string

type IdentityListRequest 

type IdentityListRequest struct {
	pg.OffsetLimit
	User *uuid.UUID `json:"user,omitempty" format:"uuid"`
}

IdentityListRequest contains the query parameters for listing identities.

func (IdentityListRequest) Select 

func (req IdentityListRequest) Select(bind *pg.Bind, op pg.Op) (string, error)

func (IdentityListRequest) String 

func (req IdentityListRequest) String() string

type IdentityMeta 

type IdentityMeta struct {
	Email  string         `json:"email"`
	Claims map[string]any `json:"claims"`
}

IdentityMeta contains the mutable fields for an identity.

func (IdentityMeta) Insert 

func (i IdentityMeta) Insert(bind *pg.Bind) (string, error)

Insert binds all mutable identity fields for an INSERT and returns the named query. Immutable fields must already be present in the bind.

func (IdentityMeta) RedactedString 

func (meta IdentityMeta) RedactedString() string

func (IdentityMeta) String 

func (meta IdentityMeta) String() string

func (IdentityMeta) Update 

func (i IdentityMeta) Update(bind *pg.Bind) error

Update builds a PATCH-style SET clause from whichever fields are non-zero.

type Key added in v0.0.8 

type Key struct {
	ID         KeyID       `` /* 141-byte string literal not displayed */
	User       UserID      `` /* 145-byte string literal not displayed */
	CreatedAt  time.Time   `` /* 136-byte string literal not displayed */
	ModifiedAt time.Time   `` /* 143-byte string literal not displayed */
	Status     *UserStatus `` /* 254-byte string literal not displayed */
	Token      string      `` /* 243-byte string literal not displayed */
	KeyMeta
}

Key represents a stored API key row plus the generated plaintext token.

func (*Key) Scan added in v0.0.8 

func (k *Key) Scan(row pg.Row) error

Scan reads a full API key row into the receiver. Expected column order: id, user, name, created_at, modified_at, expires_at, status, token.

func (Key) String added in v0.0.8 

func (k Key) String() string

type KeyID added in v0.0.8 

type KeyID uuid.UUID

KeyID is a unique identifier for an API key.

func KeyIDFromString added in v0.0.8 

func KeyIDFromString(s string) (KeyID, error)

func (KeyID) MarshalJSON added in v0.0.8 

func (k KeyID) MarshalJSON() ([]byte, error)

func (KeyID) MarshalText added in v0.0.8 

func (k KeyID) MarshalText() ([]byte, error)

func (KeyID) Select added in v0.0.8 

func (id KeyID) Select(bind *pg.Bind, op pg.Op) (string, error)

func (KeyID) String added in v0.0.8 

func (k KeyID) String() string

func (*KeyID) UnmarshalJSON added in v0.0.8 

func (k *KeyID) UnmarshalJSON(data []byte) error

func (*KeyID) UnmarshalText added in v0.0.8 

func (k *KeyID) UnmarshalText(text []byte) error

type KeyMeta added in v0.0.8 

type KeyMeta struct {
	Name      string     `` /* 132-byte string literal not displayed */
	ExpiresAt *time.Time `` /* 226-byte string literal not displayed */
}

KeyMeta contains the writable fields for an API key.

func (KeyMeta) Insert added in v0.0.8 

func (k KeyMeta) Insert(bind *pg.Bind) (string, error)

func (KeyMeta) String added in v0.0.8 

func (k KeyMeta) String() string

func (KeyMeta) Update added in v0.0.8 

func (k KeyMeta) Update(bind *pg.Bind) error

type KeySelector added in v0.0.8 

type KeySelector struct {
	ID    KeyID
	User  *UserID
	Query string
}

KeySelector selects an API key row by ID and optionally scopes it to a user.

func (KeySelector) Select added in v0.0.8 

func (k KeySelector) Select(bind *pg.Bind, op pg.Op) (string, error)

type KeyToken added in v0.0.8 

type KeyToken struct {
	Token string
	Query string
}

KeyToken selects API key rows by plaintext token.

func (KeyToken) Select added in v0.0.8 

func (k KeyToken) Select(bind *pg.Bind, op pg.Op) (string, error)

type MetaMap 

type MetaMap map[string]any

func (MetaMap) Map 

func (meta MetaMap) Map() map[string]any

func (MetaMap) RedactedString 

func (meta MetaMap) RedactedString() string

func (*MetaMap) Scan 

func (meta *MetaMap) Scan(src any) error

func (MetaMap) String 

func (meta MetaMap) String() string

func (*MetaMap) UnmarshalJSON 

func (meta *MetaMap) UnmarshalJSON(data []byte) error

func (*MetaMap) UnmarshalText 

func (meta *MetaMap) UnmarshalText(text []byte) error

func (MetaMap) Value 

func (meta MetaMap) Value() (driver.Value, error)

type PublicClientConfiguration 

type PublicClientConfiguration struct {
	Issuer   string `` /* 129-byte string literal not displayed */
	ClientID string `` /* 207-byte string literal not displayed */
}

PublicClientConfiguration contains the upstream provider details that are safe to expose to clients that need to initiate authentication.

type PublicClientConfigurations 

type PublicClientConfigurations map[string]PublicClientConfiguration

PublicClientConfigurations contains shareable client configuration keyed by provider or role name.

func (PublicClientConfigurations) String 

func (cfg PublicClientConfigurations) String() string

type RefreshRequest 

type RefreshRequest struct {
	Token string `json:"token"`
}

RefreshRequest contains a previously issued local session token.

type ScopeList 

type ScopeList struct {
	pg.OffsetLimit
	Count uint     `json:"count" readonly:""`
	Body  []string `json:"body,omitempty"`
}

func (*ScopeList) Scan 

func (list *ScopeList) Scan(row pg.Row) error

func (*ScopeList) ScanCount 

func (list *ScopeList) ScanCount(row pg.Row) error

func (ScopeList) String 

func (list ScopeList) String() string

type ScopeListRequest 

type ScopeListRequest struct {
	pg.OffsetLimit
	Q string `json:"q,omitempty"`
}

func (ScopeListRequest) Query 

func (req ScopeListRequest) Query() url.Values

func (ScopeListRequest) Select 

func (req ScopeListRequest) Select(bind *pg.Bind, op pg.Op) (string, error)

func (ScopeListRequest) String 

func (req ScopeListRequest) String() string

type Session 

type Session struct {
	ID               SessionID `json:"id" format:"uuid" readonly:""`
	User             UserID    `json:"user" format:"uuid" readonly:""`
	ExpiresAt        time.Time `json:"expires_at" format:"date-time" readonly:""`
	RefreshExpiresAt time.Time `json:"refresh_expires_at" format:"date-time" readonly:""`
	RefreshCounter   uint64    `json:"refresh_counter" readonly:""`
	CreatedAt        time.Time `json:"created_at" format:"date-time" readonly:""`
	SessionMeta
}

Session represents a stored session row.

func (*Session) Scan 

func (s *Session) Scan(row pg.Row) error

Scan reads a full session row into the receiver. Expected column order: id, user, expires_at, refresh_expires_at, refresh_counter, created_at, revoked_at.

func (Session) String 

func (s Session) String() string

type SessionID 

type SessionID uuid.UUID

SessionID is a unique identifier for a session.

func SessionIDFromString 

func SessionIDFromString(s string) (SessionID, error)

SessionIDFromString parses a string into a SessionID, which is a UUID.

func (SessionID) MarshalJSON 

func (id SessionID) MarshalJSON() ([]byte, error)

func (SessionID) MarshalText 

func (id SessionID) MarshalText() ([]byte, error)

func (SessionID) Select 

func (id SessionID) Select(bind *pg.Bind, op pg.Op) (string, error)

Select binds the session ID and returns the appropriate named query for the given operation (Get, Update or Delete).

func (SessionID) String 

func (id SessionID) String() string

func (*SessionID) UnmarshalJSON 

func (id *SessionID) UnmarshalJSON(data []byte) error

func (*SessionID) UnmarshalText 

func (id *SessionID) UnmarshalText(text []byte) error

type SessionInsert 

type SessionInsert struct {
	User             UserID         `json:"user" format:"uuid"`
	ExpiresIn        *time.Duration `json:"expires_in"`
	RefreshExpiresIn *time.Duration `json:"refresh_expires_in,omitempty"`
}

SessionInsert contains the fields required to create a new session.

func (SessionInsert) Insert 

func (s SessionInsert) Insert(bind *pg.Bind) (string, error)

Insert binds all required session fields for an INSERT and returns the named query.

func (SessionInsert) Update 

func (s SessionInsert) Update(bind *pg.Bind) error

Update delegates mutable session fields to SessionMeta so SessionInsert can satisfy the writer interface used by the query helpers.

type SessionMeta 

type SessionMeta struct {
	ExpiresIn        *time.Duration `json:"expires_in,omitempty"`
	RefreshExpiresIn *time.Duration `json:"refresh_expires_in,omitempty"`
	RevokedAt        *time.Time     `json:"revoked_at,omitempty" format:"date-time" readonly:""`
}

SessionMeta contains the mutable fields for a session.

func (SessionMeta) Insert 

func (s SessionMeta) Insert(bind *pg.Bind) (string, error)

Insert is not supported for SessionMeta because it does not contain the immutable fields required to create a session row.

func (SessionMeta) Update 

func (s SessionMeta) Update(bind *pg.Bind) error

Update builds a PATCH-style SET clause from whichever fields are non-zero.

type TokenResponse 

type TokenResponse struct {
	Token    string    `json:"token" readonly:""`
	UserInfo *UserInfo `json:"userinfo,omitempty" readonly:""`
}

TokenResponse is returned by token-issuing auth endpoints.

type User 

type User struct {
	ID             UserID         `json:"id" format:"uuid" readonly:""`
	CreatedAt      time.Time      `json:"created_at" format:"date-time" readonly:""`
	ModifiedAt     *time.Time     `json:"modified_at,omitempty" format:"date-time" readonly:""`
	Claims         map[string]any `json:"claims,omitempty" readonly:""`
	EffectiveMeta  MetaMap        `json:"effective_meta,omitempty" readonly:""`
	DisabledGroups []string       `json:"disabled_groups,omitempty" readonly:""`
	Scopes         []string       `json:"scopes,omitempty" readonly:""`
	UserMeta
}

User represents a user account in the system. It contains both immutable and mutable fields.

func (User) HasAllScopes 

func (u User) HasAllScopes(scopes ...string) bool

func (User) HasScope 

func (u User) HasScope(scope string) bool

func (User) RedactedString 

func (u User) RedactedString() string

func (*User) Scan 

func (u *User) Scan(row pg.Row) error

func (User) String 

func (u User) String() string

func (*User) UUID 

func (u *User) UUID() uuid.UUID

type UserGroupInsert 

type UserGroupInsert struct {
	User   UserID
	Groups []string
}

func (UserGroupInsert) Insert 

func (insert UserGroupInsert) Insert(bind *pg.Bind) (string, error)

func (UserGroupInsert) Update 

func (insert UserGroupInsert) Update(_ *pg.Bind) error

type UserGroupList 

type UserGroupList []string

func (*UserGroupList) Scan 

func (list *UserGroupList) Scan(row pg.Row) error

type UserGroupListRequest 

type UserGroupListRequest struct {
	User UserID
}

func (UserGroupListRequest) Select 

func (req UserGroupListRequest) Select(bind *pg.Bind, op pg.Op) (string, error)

type UserID 

type UserID uuid.UUID

UserID is a unique identifier for a user account. It is generated as a UUID.

func UserIDFromString 

func UserIDFromString(s string) (UserID, error)

UserIDFromString parses a string into a UserID, which is a UUID.

func (UserID) MarshalJSON 

func (id UserID) MarshalJSON() ([]byte, error)

func (UserID) MarshalText 

func (id UserID) MarshalText() ([]byte, error)

func (UserID) Select 

func (user UserID) Select(bind *pg.Bind, op pg.Op) (string, error)

Select binds the user ID and returns the appropriate named query for the given operation (Get, Update or Delete).

func (UserID) String 

func (id UserID) String() string

func (*UserID) UnmarshalJSON 

func (id *UserID) UnmarshalJSON(data []byte) error

func (*UserID) UnmarshalText 

func (id *UserID) UnmarshalText(text []byte) error

type UserInfo 

type UserInfo struct {
	Sub    UserID   `` /* 156-byte string literal not displayed */
	Email  string   `` /* 155-byte string literal not displayed */
	Name   string   `` /* 126-byte string literal not displayed */
	Groups []string `json:"groups,omitempty" jsonschema:"Group memberships associated with the authenticated user." readonly:""`
	Scopes []string `json:"scopes,omitempty" jsonschema:"Scopes granted to the current local bearer token." readonly:""`
}

UserInfo is the client-facing authenticated identity view exposed by the auth APIs.

func NewUserInfo 

func NewUserInfo(user *User) *UserInfo

type UserList 

type UserList struct {
	pg.OffsetLimit
	Count uint   `json:"count" readonly:""`
	Body  []User `json:"body,omitempty"`
}

UserList represents a paginated list of users.

func (*UserList) Scan 

func (list *UserList) Scan(row pg.Row) error

func (*UserList) ScanCount 

func (list *UserList) ScanCount(row pg.Row) error

func (UserList) String 

func (u UserList) String() string

type UserListRequest 

type UserListRequest struct {
	pg.OffsetLimit
	Email  string       `json:"email,omitempty"`
	Status []UserStatus `json:"status,omitempty" enum:"new,active,inactive,suspended,deleted"`
}

UserListRequest contains the query parameters for listing users.

func (UserListRequest) Query 

func (req UserListRequest) Query() url.Values

func (UserListRequest) RedactedString 

func (u UserListRequest) RedactedString() string

func (UserListRequest) Select 

func (req UserListRequest) Select(bind *pg.Bind, op pg.Op) (string, error)

func (UserListRequest) String 

func (u UserListRequest) String() string

type UserMeta 

type UserMeta struct {
	Name      string      `json:"name,omitempty"`
	Email     string      `json:"email,omitempty"`
	Groups    []string    `json:"groups,omitempty"`
	Status    *UserStatus `json:"status,omitempty" enum:"new,active,inactive,suspended,deleted"`
	Meta      MetaMap     `json:"meta,omitempty"`
	ExpiresAt *time.Time  `json:"expires_at,omitzero" format:"date-time"`
}

UserMeta contains the mutable profile fields of a user. Email is the canonical address used to merge logins across providers.

func (UserMeta) Insert 

func (u UserMeta) Insert(bind *pg.Bind) (string, error)

Insert binds all UserMeta fields for an INSERT and returns the named query.

func (UserMeta) RedactedString 

func (u UserMeta) RedactedString() string

func (UserMeta) String 

func (u UserMeta) String() string

func (UserMeta) Update 

func (u UserMeta) Update(bind *pg.Bind) error

Update builds a PATCH-style SET clause from whichever fields are non-zero.

type UserStatus 

type UserStatus string

UserStatus represents the lifecycle state of a user account. 

const (
	UserStatusNew       UserStatus = "new"
	UserStatusActive    UserStatus = "active"
	UserStatusInactive  UserStatus = "inactive"
	UserStatusSuspended UserStatus = "suspended"
	UserStatusDeleted   UserStatus = "deleted"
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.