auth

package
v0.10.0-rc2 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 11, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

// Package-level settings for the Gin context key and the JWT lifetime.
const (
	// UserContextKey is the key used to store user in Gin context
	// NOTE(review): the key is the plain string "user"; any other middleware
	// that sets the same key would replace the authenticated user — confirm
	// nothing else in the handler chain writes it.
	UserContextKey = "user"
	// TokenDuration is the validity period for JWT tokens
	// NOTE(review): the 24-hour lifetime is a compile-time constant, and this
	// page lists no refresh or revocation API, so presumably an issued token
	// stays usable until it expires — confirm.
	TokenDuration = 24 * time.Hour
)

Variables

// Sentinel error values exported by this package; compare with errors.Is
// rather than by message text.
var (
	// ErrInvalidCredentials carries the message "invalid credentials".
	// NOTE(review): presumably Login returns it for both an unknown username
	// and a wrong password, so a caller cannot tell which one failed — confirm,
	// since distinguishing them would allow username enumeration.
	ErrInvalidCredentials = errors.New("invalid credentials")
	// ErrUnauthorized carries the message "unauthorized".
	ErrUnauthorized       = errors.New("unauthorized")
)

Functions

func HashPassword

func HashPassword(password string) (string, error)

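HashPassword hashes a password using bcrypt. bcrypt uses at most the first 72 bytes of its input, so callers should enforce a maximum password length before hashing. The cost factor is not shown on this page.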

func LocalUsername

func LocalUsername() string

LocalUsername is the well-known username used in local mode.

func VerifyPassword

func VerifyPassword(hash, password string) bool

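VerifyPassword reports whether a password matches the hash. It returns only a bool, so a malformed or unsupported hash is indistinguishable from a wrong password to the caller.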

Types

type Authenticator

// Authenticator is the contract an authentication provider exposes: a login
// call, a Gin middleware, and an accessor for the user stored in the context.
type Authenticator interface {
	// Login authenticates a user and returns a JWT token
	Login(username, password string) (*LoginResponse, error)

	// Middleware returns a Gin middleware for authentication
	Middleware() gin.HandlerFunc

	// GetUserFromContext extracts the authenticated user from the Gin context
	// NOTE(review): presumably only meaningful on routes that run behind
	// Middleware(); handlers should treat a non-nil error as "not
	// authenticated" and stop, never fall back to a default user — confirm.
	GetUserFromContext(c *gin.Context) (*models.User, error)
}

Authenticator is an interface for authentication providers

type BasicAuthenticator

type BasicAuthenticator struct {
	// contains filtered or unexported fields
}

BasicAuthenticator implements basic username/password authentication

func NewBasicAuthenticator

func NewBasicAuthenticator(db *gorm.DB, jwtSecret string) *BasicAuthenticator

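NewBasicAuthenticator creates a new basic authenticator. jwtSecret is passed as a plain string and is presumably the signing key for the JWTs this authenticator issues, so it should be long, random, and loaded from secret storage rather than from source code or a default value.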

func (*BasicAuthenticator) GetUserFromContext

func (a *BasicAuthenticator) GetUserFromContext(c *gin.Context) (*models.User, error)

GetUserFromContext extracts the authenticated user from the Gin context

func (*BasicAuthenticator) Login

func (a *BasicAuthenticator) Login(username, password string) (*LoginResponse, error)

Login authenticates a user and returns a JWT token

func (*BasicAuthenticator) Middleware

func (a *BasicAuthenticator) Middleware() gin.HandlerFunc

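Middleware returns a Gin middleware for authentication. It checks (in order): Bearer token header, ?token= query param. A token sent in the query string can be recorded in access logs, proxy logs and browser history, so clients should prefer the Authorization header, and URLs carrying ?token= should be redacted before they are logged.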

type Claims

// Claims is the JWT payload used by this package: a user ID and username
// serialized under "user_id" and "username", plus the embedded registered
// claims.
type Claims struct {
	UserID   string `json:"user_id"` // UUID stored as string
	Username string `json:"username"`
	// The registered claims from the jwt package are embedded next to the
	// custom fields.
	// NOTE(review): assuming a standard signed but unencrypted JWT, every
	// value here is readable by anyone who holds the token; keep secrets and
	// internal-only data out of this struct.
	jwt.RegisteredClaims
}

Claims represents JWT claims

type DeviceCodeEntry

// DeviceCodeEntry is one device code login session as seen through its
// exported fields; further fields are unexported and not shown on this page.
type DeviceCodeEntry struct {
	// NOTE(review): presumably the auth token handed to the CLI once the
	// login completes — confirm. If so it is a live credential held in memory
	// and must not be logged or dumped with the entry.
	Token     string
	// NOTE(review): presumably the user the completed login belongs to — confirm.
	Username  string
	// Completed is a boolean flag; presumably set once the login has finished — confirm.
	Completed bool
	// contains filtered or unexported fields
}

DeviceCodeEntry holds the state of a single device code login session.

type DeviceCodeStore

type DeviceCodeStore struct {
	// contains filtered or unexported fields
}

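DeviceCodeStore is an in-memory store for CLI device code login sessions. It is safe for concurrent use. Because the state lives only in process memory, pending sessions are lost on restart and are not shared between replicas of the server.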

func NewDeviceCodeStore

func NewDeviceCodeStore() *DeviceCodeStore

NewDeviceCodeStore creates a new device code store.

func (*DeviceCodeStore) Complete

func (s *DeviceCodeStore) Complete(code, token, username string) bool

Complete marks a device code as completed with the auth result.

func (*DeviceCodeStore) Generate

func (s *DeviceCodeStore) Generate() (string, error)

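Generate creates a new device code (e.g., "ABCD-1234") and stores it. Expired entries are cleaned up on each call. Codes of this length are short enough to be guessed by repeated attempts, so the HTTP endpoints that call Poll and Complete should be rate-limited.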

func (*DeviceCodeStore) Poll

func (s *DeviceCodeStore) Poll(code string) (token, username string, found, completed bool)

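Poll checks the status of a device code. Judging by the result names, it reports whether the code was found and whether it has completed, along with the token and username. This page does not say whether a completed entry is removed after it is first read, so callers should not assume a token can be fetched only once.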

func (*DeviceCodeStore) TTLSeconds

func (s *DeviceCodeStore) TTLSeconds() int

TTLSeconds returns the TTL for device codes in seconds.

type LocalAuthenticator

type LocalAuthenticator struct {
	// contains filtered or unexported fields
}

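LocalAuthenticator provides a no-op authenticator for local/desktop mode. It ensures a well-known "local-user" exists in the database and injects that user into every request context without checking credentials. Because every request is then treated as that user, this mode is only appropriate when the listener cannot be reached by other users or hosts (for example, when it is bound to loopback).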

func NewLocalAuthenticator

func NewLocalAuthenticator(db *gorm.DB) (*LocalAuthenticator, error)

NewLocalAuthenticator finds or creates the well-known local-user and returns an authenticator that always uses that user.

func (*LocalAuthenticator) GetUserFromContext

func (a *LocalAuthenticator) GetUserFromContext(c *gin.Context) (*models.User, error)

GetUserFromContext extracts the authenticated user from the Gin context.

func (*LocalAuthenticator) Login

func (a *LocalAuthenticator) Login(_, _ string) (*LoginResponse, error)

Login returns the local-user with a dummy token (no password check).

func (*LocalAuthenticator) Middleware

func (a *LocalAuthenticator) Middleware() gin.HandlerFunc

Middleware injects the local-user into the context without checking credentials.

func (*LocalAuthenticator) User

func (a *LocalAuthenticator) User() *models.User

User returns the local-user for use outside the HTTP request path (e.g. granting RBAC roles at startup).

type LoginRequest

// LoginRequest is the JSON body of a login call. Both fields carry
// binding:"required", so binding that honours the tag rejects a request that
// omits either one.
type LoginRequest struct {
	Username string `json:"username" binding:"required"`
	// Password is the plaintext password as submitted by the client; it must
	// only travel over TLS and must not be written to logs with the request.
	Password string `json:"password" binding:"required"`
}

LoginRequest represents a login request

type LoginResponse

// LoginResponse is the JSON result of a login: a token under "token" and the
// user record under "user".
type LoginResponse struct {
	// Token is returned to the client as-is; treat it as a bearer credential
	// and keep the response body out of logs.
	Token string       `json:"token"`
	// NOTE(review): models.User is not shown on this page — verify that its
	// JSON tags exclude the password hash and other internal fields, since
	// the whole struct is serialized to the client here.
	User  *models.User `json:"user"`
}

LoginResponse represents a login response

type OIDCAuthenticator

type OIDCAuthenticator struct {
	// contains filtered or unexported fields
}

OIDCAuthenticator provides generic OIDC authentication

func NewOIDCAuthenticator

func NewOIDCAuthenticator(ctx context.Context, cfg OIDCConfig, db *gorm.DB, jwtSecret string) (*OIDCAuthenticator, error)

NewOIDCAuthenticator creates a new OIDC authenticator

func (*OIDCAuthenticator) GetAuthURL

func (a *OIDCAuthenticator) GetAuthURL(state string) string

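GetAuthURL returns the URL to redirect users to for authentication. The state value is supplied by the caller, so the caller is responsible for generating it unpredictably per login attempt and binding it to the user's session.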

func (*OIDCAuthenticator) GetAuthURLWithRedirect

func (a *OIDCAuthenticator) GetAuthURLWithRedirect(state, redirectURL string) string

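GetAuthURLWithRedirect returns the auth URL using a custom redirect URI. Used by CLI login which has its own callback endpoint. The redirectURL should come from server-side configuration or a fixed allowlist, not from request input.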

func (*OIDCAuthenticator) HandleCallback

func (a *OIDCAuthenticator) HandleCallback(ctx context.Context, code string) (*LoginResponse, error)

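HandleCallback handles the OAuth2 callback. Its signature takes only the authorization code, so checking the returned state against the value passed to GetAuthURL has to happen in the caller before this method is invoked.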

func (*OIDCAuthenticator) HandleCallbackWithRedirect

func (a *OIDCAuthenticator) HandleCallbackWithRedirect(ctx context.Context, code, redirectURL string) (*LoginResponse, error)

HandleCallbackWithRedirect handles the OAuth2 callback using a custom redirect URI. The redirect_uri must match what was used in GetAuthURLWithRedirect.

type OIDCConfig

// OIDCConfig groups the settings passed to NewOIDCAuthenticator.
type OIDCConfig struct {
	IssuerURL    string
	ClientID     string
	// ClientSecret is a credential: load it from secret storage and keep it
	// out of logs and of any dump of this struct.
	ClientSecret string
	RedirectURL  string
	Scopes       []string
	// NOTE(review): admin rights are derived from these group names,
	// presumably matched against a groups claim supplied by the identity
	// provider — confirm which claim is read, that matching is exact after
	// trimming, and that an empty value grants admin to no one.
	AdminGroups  string // Comma-separated groups that grant admin role
}

OIDCConfig holds OIDC configuration
