auth

package
Published: Apr 25, 2026 License: Apache-2.0 Imports: 20 Imported by: 0

Constants

const (
	// UserContextKey is the key under which the authenticated user is stored
	// in the Gin context; Middleware implementations populate it and
	// GetUserFromContext reads it back.
	UserContextKey = "user"
	// TokenDuration is the validity period for issued JWT tokens. It is also
	// the window during which a leaked token remains usable: no revocation
	// function appears in this package's exported surface, so expiry is the
	// only built-in bound. NOTE(review): confirm Login sets exp from this value.
	TokenDuration = 24 * time.Hour
)

Variables

var (
	// ErrInvalidCredentials is the sentinel returned when a login attempt
	// cannot be verified; compare with errors.Is. NOTE(review): keep this one
	// generic error for both unknown-user and wrong-password cases so callers
	// cannot distinguish them and enumerate usernames.
	ErrInvalidCredentials = errors.New("invalid credentials")
	// ErrUnauthorized is the sentinel for a request that carries no valid
	// authentication; compare with errors.Is.
	ErrUnauthorized       = errors.New("unauthorized")
)

Functions

func HashPassword

func HashPassword(password string) (string, error)

HashPassword hashes a password using bcrypt and returns the encoded hash.

func LocalUsername

func LocalUsername() string

LocalUsername is the well-known username used in local mode.

func VerifyPassword

func VerifyPassword(hash, password string) bool

VerifyPassword reports whether password matches the given bcrypt hash.

Types

type AuthCodeEntry added in v0.10.1

// AuthCodeEntry is the session granted by a single-use authorization code.
// Both fields are handed to whoever presents the code to Exchange, so an entry
// is as sensitive as the JWT it carries.
type AuthCodeEntry struct {
	Token    string // Nebi JWT released on exchange
	UserJSON []byte // Serialized user object returned alongside the token
	// contains filtered or unexported fields (presumably the expiry checked by Exchange — confirm)
}

AuthCodeEntry holds a single-use authorization code and the session it grants.

type AuthCodeStore added in v0.10.1

// AuthCodeStore is a thread-safe, in-memory store of single-use authorization
// codes. Because it is in-memory, codes do not survive a process restart and
// are not visible to other replicas. NOTE(review): a multi-instance deployment
// needs sticky routing or a shared backing store for Exchange to find codes
// generated elsewhere.
type AuthCodeStore struct {
	// contains filtered or unexported fields
}

AuthCodeStore is a thread-safe in-memory store for single-use authorization codes. Codes are generated by the gateway session redirect and exchanged by the frontend.

func NewAuthCodeStore added in v0.10.1

func NewAuthCodeStore() *AuthCodeStore

NewAuthCodeStore creates a new authorization code store.

func (*AuthCodeStore) Exchange added in v0.10.1

func (s *AuthCodeStore) Exchange(code string) (token string, userJSON []byte, ok bool)

Exchange consumes a code and returns the associated session data. The code is deleted on use, so it can be exchanged only once. It returns ok == false if the code is unknown, expired, or already consumed.

func (*AuthCodeStore) Generate added in v0.10.1

func (s *AuthCodeStore) Generate(token string, userJSON []byte) (string, error)

Generate creates a cryptographically random authorization code, stores it with the associated session data, and returns the code.

type Authenticator

// Authenticator is the provider interface the HTTP layer depends on. From the
// documented method sets, BasicAuthenticator and LocalAuthenticator satisfy
// it; OIDCAuthenticator exposes a different surface and does not appear to.
type Authenticator interface {
	// Login authenticates a user and returns a JWT token
	Login(username, password string) (*LoginResponse, error)

	// Middleware returns a Gin middleware for authentication.
	// NOTE(review): implementations are expected to abort the request when no
	// valid credential is present rather than fall through to the handler.
	Middleware() gin.HandlerFunc

	// GetUserFromContext extracts the authenticated user from the Gin context
	// (stored under UserContextKey by Middleware).
	GetUserFromContext(c *gin.Context) (*models.User, error)
}

Authenticator is an interface for authentication providers

type BasicAuthenticator

// BasicAuthenticator implements username/password authentication backed by
// the database, and additionally accepts proxy-issued IdToken cookies and raw
// OIDC ID tokens once SetIDTokenVerifier has been configured.
type BasicAuthenticator struct {
	// contains filtered or unexported fields
}

BasicAuthenticator implements basic username/password authentication

func NewBasicAuthenticator

func NewBasicAuthenticator(db *gorm.DB, jwtSecret string, rbacProvider rbac.Provider) *BasicAuthenticator

NewBasicAuthenticator creates a new basic authenticator

func (*BasicAuthenticator) ExchangeIDToken added in v0.10.1

func (a *BasicAuthenticator) ExchangeIDToken(rawIDToken string, adminGroups string) (*LoginResponse, error)

ExchangeIDToken verifies a raw OIDC ID token (e.g. from device flow), finds/creates the user, syncs roles, and returns a Nebi JWT.

func (*BasicAuthenticator) GetUserFromContext

func (a *BasicAuthenticator) GetUserFromContext(c *gin.Context) (*models.User, error)

GetUserFromContext extracts the authenticated user from the Gin context

func (*BasicAuthenticator) Login

func (a *BasicAuthenticator) Login(username, password string) (*LoginResponse, error)

Login authenticates a user and returns a JWT token

func (*BasicAuthenticator) Middleware

func (a *BasicAuthenticator) Middleware() gin.HandlerFunc

Middleware returns a Gin middleware for authentication. It looks for a credential in this order: the Bearer token in the Authorization header, the ?token= query parameter, then the IdToken cookie.

func (*BasicAuthenticator) SessionFromProxy

func (a *BasicAuthenticator) SessionFromProxy(r *http.Request, adminGroups string) (*LoginResponse, error)

SessionFromProxy checks for an IdToken cookie, finds/creates the user, syncs roles, and returns a Nebi JWT + user. Used by /auth/session.

func (*BasicAuthenticator) SetIDTokenVerifier

func (a *BasicAuthenticator) SetIDTokenVerifier(v *oidc.IDTokenVerifier)

SetIDTokenVerifier configures the OIDC verifier used to validate IdToken cookies.

func (*BasicAuthenticator) SetProxyAdminGroups

func (a *BasicAuthenticator) SetProxyAdminGroups(groups string)

SetProxyAdminGroups configures which IdToken groups grant Nebi admin.

type Claims

// Claims is the payload of Nebi-issued JWTs. Only identity is embedded; no
// role or permission claims are carried, so authorization must be resolved
// server-side from UserID on every request.
type Claims struct {
	UserID   string `json:"user_id"` // UUID stored as string; treat this, not Username, as the identity key
	Username string `json:"username"` // login name at issue time (may change)
	jwt.RegisteredClaims // standard claims (exp, iat, ...); exp is expected to be TokenDuration after issue — confirm in Login
}

Claims represents JWT claims

type DeviceCodeEntry

// DeviceCodeEntry holds the state of a single device code login session.
// Token and Username are empty until Complete has been called for the code.
type DeviceCodeEntry struct {
	Token     string // Nebi JWT recorded by Complete; released to the poller
	Username  string // Username recorded by Complete
	Completed bool   // Set by Complete; reported by Poll as `completed`
	// contains filtered or unexported fields (presumably the expiry used by Generate's cleanup — confirm)
}

DeviceCodeEntry holds the state of a single device code login session.

type DeviceCodeStore

// DeviceCodeStore is an in-memory store for CLI device code login sessions,
// safe for concurrent use. Entries are process-local and expire after
// TTLSeconds; NOTE(review): a multi-replica deployment needs Poll and Complete
// to reach the same instance that ran Generate.
type DeviceCodeStore struct {
	// contains filtered or unexported fields
}

DeviceCodeStore is an in-memory store for CLI device code login sessions. It is safe for concurrent use.

func NewDeviceCodeStore

func NewDeviceCodeStore() *DeviceCodeStore

NewDeviceCodeStore creates a new device code store.

func (*DeviceCodeStore) Complete

func (s *DeviceCodeStore) Complete(code, token, username string) bool

Complete marks a device code as completed and records the authentication result (token and username) for the poller to collect. It reports whether the code was found.

func (*DeviceCodeStore) Generate

func (s *DeviceCodeStore) Generate() (string, error)

Generate creates a new device code (e.g., "ABCD-1234") and stores it. Expired entries are cleaned up on each call.

func (*DeviceCodeStore) Poll

func (s *DeviceCodeStore) Poll(code string) (token, username string, found, completed bool)

Poll reports the status of a device code: whether it was found, whether login has completed, and, once completed, the resulting token and username.

func (*DeviceCodeStore) TTLSeconds

func (s *DeviceCodeStore) TTLSeconds() int

TTLSeconds returns the TTL for device codes in seconds.

type LocalAuthenticator

// LocalAuthenticator is a no-op authenticator for local/desktop mode: it
// injects the well-known local-user into every request without checking any
// credential. NOTE(review): it must never be selected for a network-exposed
// deployment, since every caller becomes that user.
type LocalAuthenticator struct {
	// contains filtered or unexported fields
}

LocalAuthenticator provides a no-op authenticator for local/desktop mode. It ensures a well-known "local-user" exists in the database and injects that user into every request context without checking credentials.

func NewLocalAuthenticator

func NewLocalAuthenticator(db *gorm.DB) (*LocalAuthenticator, error)

NewLocalAuthenticator finds or creates the well-known local-user and returns an authenticator that always uses that user.

func (*LocalAuthenticator) GetUserFromContext

func (a *LocalAuthenticator) GetUserFromContext(c *gin.Context) (*models.User, error)

GetUserFromContext extracts the authenticated user from the Gin context.

func (*LocalAuthenticator) Login

func (a *LocalAuthenticator) Login(_, _ string) (*LoginResponse, error)

Login returns the local-user with a dummy token (no password check).

func (*LocalAuthenticator) Middleware

func (a *LocalAuthenticator) Middleware() gin.HandlerFunc

Middleware injects the local-user into the context without checking credentials.

func (*LocalAuthenticator) User

func (a *LocalAuthenticator) User() *models.User

User returns the local-user for use outside the HTTP request path (e.g. granting RBAC roles at startup).

type LoginRequest

// LoginRequest is the JSON body accepted by the login endpoint. Both fields
// are enforced as present by Gin's binding validation.
type LoginRequest struct {
	Username string `json:"username" binding:"required"`
	Password string `json:"password" binding:"required"` // plaintext credential; keep out of logs and error messages
}

LoginRequest represents a login request

type LoginResponse

// LoginResponse is returned by Login, HandleCallback, SessionFromProxy and
// ExchangeIDToken once a session has been established.
type LoginResponse struct {
	Token string       `json:"token"` // Nebi JWT carrying Claims, valid for TokenDuration
	User  *models.User `json:"user"`  // the authenticated user record
}

LoginResponse represents a login response

type OIDCAuthenticator

// OIDCAuthenticator drives the browser-based OIDC authorization-code flow
// (GetAuthURL / HandleCallback) and exposes its ID token verifier so other
// authenticators can validate tokens issued by the same provider.
type OIDCAuthenticator struct {
	// contains filtered or unexported fields
}

OIDCAuthenticator provides generic OIDC authentication

func NewOIDCAuthenticator

func NewOIDCAuthenticator(ctx context.Context, cfg OIDCConfig, db *gorm.DB, jwtSecret string, rbacProvider rbac.Provider) (*OIDCAuthenticator, error)

NewOIDCAuthenticator creates a new OIDC authenticator

func (*OIDCAuthenticator) GetAuthURL

func (a *OIDCAuthenticator) GetAuthURL(state string) string

GetAuthURL returns the provider authorization URL to redirect users to for authentication, carrying the given state parameter.

func (*OIDCAuthenticator) HandleCallback

func (a *OIDCAuthenticator) HandleCallback(ctx context.Context, code string) (*LoginResponse, error)

HandleCallback processes the OAuth2 callback for the given authorization code and returns the resulting login response.

func (*OIDCAuthenticator) Verifier

func (a *OIDCAuthenticator) Verifier() *oidc.IDTokenVerifier

Verifier returns the OIDC ID token verifier for signature validation.

type OIDCConfig

// OIDCConfig holds the settings NewOIDCAuthenticator needs to talk to an
// OIDC provider.
type OIDCConfig struct {
	IssuerURL    string   // provider issuer; presumably used for discovery in NewOIDCAuthenticator — confirm
	ClientID     string
	ClientSecret string   // secret credential; keep out of logs, error messages and API responses
	RedirectURL  string   // callback URL; providers typically require an exact match with a registered redirect URI
	Scopes       []string // requested scopes; NOTE(review): expected to include "openid" — confirm defaults
}

OIDCConfig holds OIDC configuration

type ProxyTokenClaims

// ProxyTokenClaims are the claims read from the IdToken cookie set by an
// authenticating proxy. They are only trustworthy after the token's signature
// has been validated by the verifier configured with SetIDTokenVerifier; the
// cookie alone proves nothing about who set it.
type ProxyTokenClaims struct {
	Sub               string   `json:"sub"`                // stable subject identifier; prefer this over PreferredUsername as the identity key
	PreferredUsername string   `json:"preferred_username"` // human-readable login name, may change over time
	Email             string   `json:"email"`
	Name              string   `json:"name"`
	Picture           string   `json:"picture"`
	Groups            []string `json:"groups"`             // group memberships, matched against the admin groups set via SetProxyAdminGroups
}

ProxyTokenClaims represents claims extracted from an IdToken cookie set by an authenticating proxy (e.g., Envoy Gateway after Keycloak OIDC).
