Documentation ¶
Constants ¶
This section is empty.
Variables ¶
var ErrHeaderAuthFailed = errors.New("header authentication failed")
ErrHeaderAuthFailed indicates that the header was present but the credential did not validate. Callers should return 401 instead of falling through to other auth schemes.
Functions ¶
func WithTunnelLookup ¶ added in v0.72.0
func WithTunnelLookup(ctx context.Context, lookup TunnelLookupFunc) context.Context
WithTunnelLookup attaches a per-account peerstore lookup function to the request context. The auth middleware calls this lookup before hitting management's ValidateTunnelPeer to short-circuit unknown IPs and to skip the RPC for already-cached identities.
Types ¶
type DomainConfig ¶
type DomainConfig struct {
Schemes []Scheme
SessionPublicKey ed25519.PublicKey
SessionExpiration time.Duration
AccountID types.AccountID
ServiceID types.ServiceID
IPRestrictions *restrict.Filter
// Private routes the domain through ValidateTunnelPeer; failure → 403.
Private bool
}
DomainConfig holds the authentication and restriction settings for a protected domain.
type Header ¶ added in v0.67.0
type Header struct {
// contains filtered or unexported fields
}
Header implements header-based authentication. The proxy checks for the configured header in each request and validates its value via gRPC.
func NewHeader ¶ added in v0.67.0
func NewHeader(client authenticator, id types.ServiceID, accountId types.AccountID, headerName string) Header
NewHeader creates a Header authentication scheme for the given header name.
func (Header) Authenticate ¶ added in v0.67.0
Authenticate checks for the configured header in the request. If the header is absent, it returns an empty token (unauthenticated). If it is present, the value is validated via gRPC; a credential that does not validate yields ErrHeaderAuthFailed.
type Middleware ¶
type Middleware struct {
// contains filtered or unexported fields
}
Middleware applies per-domain authentication and IP restriction checks.
func NewMiddleware ¶
func NewMiddleware(logger *log.Logger, sessionValidator SessionValidator, geo restrict.GeoResolver) *Middleware
NewMiddleware creates a new authentication middleware. The sessionValidator is optional; if nil, OIDC session tokens are validated locally without group access checks.
func (*Middleware) AddDomain ¶
func (mw *Middleware) AddDomain(domain string, schemes []Scheme, publicKeyB64 string, expiration time.Duration, accountID types.AccountID, serviceID types.ServiceID, ipRestrictions *restrict.Filter, private bool) error
AddDomain registers authentication schemes for the given domain. When schemes is non-empty, publicKeyB64 must decode to a valid ed25519 session public key. private=true forces ValidateTunnelPeer enforcement (403 on failure) regardless of the schemes list.
func (*Middleware) Protect ¶
func (mw *Middleware) Protect(next http.Handler) http.Handler
Protect wraps next with per-domain authentication and IP restriction checks. Requests whose Host is not registered pass through unchanged.
func (*Middleware) RemoveDomain ¶
func (mw *Middleware) RemoveDomain(domain string)
RemoveDomain unregisters authentication for the given domain.
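The registration rule in AddDomain ("with schemes, a valid session public key is required") and the Host handling in Protect (unregistered hosts pass through, Private domains answer 403) are easier to reason about in code. The following is an added example, not this package's code: DomainConfig is cut down to the fields used and Schemes holds scheme names instead of Scheme values; the ValidateTunnelPeer call and the scheme walk are replaced by two callback parameters, peerOK and authenticate, which the real Protect does not take; normalizeHost and Lookup are example helpers; the positive-expiration check is an added one the page does not mention.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// DomainConfig is a stand-in for the page's struct with only the fields used here.
type DomainConfig struct {
	Schemes           []string // scheme names instead of Scheme values (example simplification)
	SessionPublicKey  ed25519.PublicKey
	SessionExpiration time.Duration
	Private           bool
}

// Middleware is a host -> config registry; the lock lets AddDomain run while Protect serves.
type Middleware struct {
	mu      sync.RWMutex
	domains map[string]DomainConfig
}

func NewMiddleware() *Middleware { return &Middleware{domains: map[string]DomainConfig{}} }

// normalizeHost makes registration and lookup agree: drop a port and a
// trailing dot and fold case, so "App.Example:8443" matches "app.example".
func normalizeHost(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// AddDomain enforces the documented rule: with schemes, publicKeyB64 must be
// base64 for exactly ed25519.PublicKeySize bytes. The expiration check is added.
func (mw *Middleware) AddDomain(domain string, schemes []string, publicKeyB64 string, expiration time.Duration, private bool) error {
	cfg := DomainConfig{Schemes: schemes, SessionExpiration: expiration, Private: private}
	if len(schemes) > 0 {
		raw, err := base64.StdEncoding.DecodeString(publicKeyB64)
		if err != nil {
			return fmt.Errorf("domain %q: session public key: %w", domain, err)
		}
		if len(raw) != ed25519.PublicKeySize {
			return fmt.Errorf("domain %q: session public key is %d bytes, want %d", domain, len(raw), ed25519.PublicKeySize)
		}
		if expiration <= 0 {
			return fmt.Errorf("domain %q: session expiration must be positive when schemes are configured", domain)
		}
		cfg.SessionPublicKey = ed25519.PublicKey(raw)
	}
	mw.mu.Lock()
	defer mw.mu.Unlock()
	mw.domains[normalizeHost(domain)] = cfg
	return nil
}

// Lookup is an exact match on the normalised Host: no suffix or wildcard
// matching, so "evil-app.example" never inherits app.example's config.
func (mw *Middleware) Lookup(host string) (DomainConfig, bool) {
	mw.mu.RLock()
	defer mw.mu.RUnlock()
	cfg, ok := mw.domains[normalizeHost(host)]
	return cfg, ok
}

// Protect follows the page's ordering: an unregistered Host passes through
// unchanged; a Private domain answers 403 when peerOK rejects the request;
// a domain with schemes answers 401 when authenticate does.
func (mw *Middleware) Protect(next http.Handler, peerOK, authenticate func(DomainConfig, *http.Request) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cfg, ok := mw.Lookup(r.Host)
		if !ok {
			next.ServeHTTP(w, r)
			return
		}
		if cfg.Private && !peerOK(cfg, r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if len(cfg.Schemes) > 0 && !authenticate(cfg, r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mw := NewMiddleware()
	fmt.Println(mw.AddDomain("app.example", []string{"header"}, "bm90LWEta2V5", time.Hour, true)) // "not-a-key": 9 bytes, want 32
	pub, _, _ := ed25519.GenerateKey(nil)
	fmt.Println(mw.AddDomain("app.example", []string{"header"}, base64.StdEncoding.EncodeToString(pub), time.Hour, true)) // <nil>
}
```

Two points worth keeping when wiring this to the real types: the key length check stops a mis-pasted key from silently rejecting every session later, and the exact-match Lookup after normalisation is what prevents a `Host: app.example:8443` request from bypassing a domain registered as `app.example`, or an attacker-chosen sibling name from inheriting its config.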
type OIDC ¶
type OIDC struct {
// contains filtered or unexported fields
}
func NewOIDC ¶
func NewOIDC(client urlGenerator, id types.ServiceID, accountId types.AccountID, forwardedProto string) OIDC
NewOIDC creates a new OIDC authentication scheme.
func (OIDC) Authenticate ¶
Authenticate checks for an OIDC session token or obtains the OIDC redirect URL.
type Password ¶
type Password struct {
// contains filtered or unexported fields
}
func NewPassword ¶
func (Password) Authenticate ¶
Authenticate attempts to authenticate the request using a form value carried in the request. If authentication fails, the required HTTP form ID is returned as prompt data so the login UI can inject it into a follow-up request that can then succeed.
type PeerIdentity ¶ added in v0.72.0
type PeerIdentity struct {
PubKey string
TunnelIP netip.Addr
FQDN string
// V2 fields (zero in V1).
UserID string
Email string
Groups []string
}
PeerIdentity describes the locally-known facts about a peer reachable on the proxy's per-account WireGuard listener. Phase 3 fills PubKey, TunnelIP and FQDN from the embedded client's peerstore. UserID, Email and Groups stay zero in V1 — full identity still travels through ValidateTunnelPeer. Phase V2 will populate them once RemotePeerConfig carries user identity.
type Pin ¶
type Pin struct {
// contains filtered or unexported fields
}
func (Pin) Authenticate ¶
Authenticate attempts to authenticate the request using a form value carried in the request. If authentication fails, the required HTTP form ID is returned as prompt data so the login UI can inject it into a follow-up request that can then succeed.
type Scheme ¶
type Scheme interface {
Type() auth.Method
// Authenticate checks the request and determines whether it represents
// an authenticated user. An empty token indicates an unauthenticated
// request; optionally, promptData may be returned for the login UI.
// An error indicates an infrastructure failure (e.g. gRPC unavailable).
Authenticate(*http.Request) (token string, promptData string, err error)
}
Scheme defines an authentication mechanism for a domain.
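The three-way contract of Authenticate (token, promptData, error) only makes sense together with the note on ErrHeaderAuthFailed above: a header that fails validation must end in 401 without falling through to the next scheme. The following added example, which is not code from this package, repeats the Scheme interface with a local Method type standing in for auth.Method, builds two constructed schemes shaped like Header and Password (an in-memory allow-list replaces the gRPC validation), and walks a domain's scheme list the way a Protect-style caller would. Authorize, Decision, headerScheme and formScheme are names assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Method stands in for auth.Method, which this example does not import.
type Method string

// Scheme repeats the page's interface so the example is self-contained.
type Scheme interface {
	Type() Method
	Authenticate(*http.Request) (token string, promptData string, err error)
}

var ErrHeaderAuthFailed = errors.New("header authentication failed")

// headerScheme behaves like the page's Header type: no header means "not
// this scheme, try the next one"; a header that fails validation is a hard
// failure. The allow-list replaces the gRPC call (constructed data).
type headerScheme struct {
	name  string
	valid map[string]bool
}

func (headerScheme) Type() Method { return "header" }

func (h headerScheme) Authenticate(r *http.Request) (string, string, error) {
	v := r.Header.Get(h.name)
	if v == "" {
		return "", "", nil
	}
	if !h.valid[v] {
		return "", "", ErrHeaderAuthFailed
	}
	return "session-" + v, "", nil
}

// formScheme behaves like Password/Pin: a missing or wrong form value yields
// the form field name as promptData for the login UI.
type formScheme struct {
	field, secret string
}

func (formScheme) Type() Method { return "password" }

func (f formScheme) Authenticate(r *http.Request) (string, string, error) {
	if r.FormValue(f.field) == f.secret {
		return "session-" + f.field, "", nil
	}
	return "", f.field, nil
}

// Decision is what a Protect-style wrapper turns into the HTTP response.
type Decision struct {
	Status int
	Token  string
	Prompt string
}

// Authorize applies the Scheme contract across a domain's scheme list: the
// first non-empty token authenticates; ErrHeaderAuthFailed stops the walk
// with 401 (no fall-through to weaker schemes); any other error is an
// infrastructure failure and becomes 503 rather than a silent deny; with no
// token, the first promptData is surfaced to the login UI alongside 401.
func Authorize(schemes []Scheme, r *http.Request) Decision {
	prompt := ""
	for _, s := range schemes {
		token, p, err := s.Authenticate(r)
		switch {
		case errors.Is(err, ErrHeaderAuthFailed):
			return Decision{Status: http.StatusUnauthorized}
		case err != nil:
			return Decision{Status: http.StatusServiceUnavailable}
		case token != "":
			return Decision{Status: http.StatusOK, Token: token}
		case p != "" && prompt == "":
			prompt = p
		}
	}
	return Decision{Status: http.StatusUnauthorized, Prompt: prompt}
}

func main() {
	schemes := []Scheme{
		headerScheme{name: "X-Api-Key", valid: map[string]bool{"k-good": true}},
		formScheme{field: "password", secret: "hunter2"},
	}
	r := httptest.NewRequest("GET", "http://app.example/", nil)
	fmt.Printf("%+v\n", Authorize(schemes, r)) // {Status:401 Token: Prompt:password}
	r.Header.Set("X-Api-Key", "k-bad")
	fmt.Printf("%+v\n", Authorize(schemes, r)) // {Status:401 Token: Prompt:}
}
```

The ordering matters: because the header scheme runs first and a bad credential is terminal, a request carrying a wrong API key and a correct password is still refused, which is the behaviour the ErrHeaderAuthFailed note asks for. Treating other errors as 503 rather than 401 keeps a gRPC outage visible instead of presenting it to users as a login failure.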
type SessionValidator ¶
type SessionValidator interface {
ValidateSession(ctx context.Context, in *proto.ValidateSessionRequest, opts ...grpc.CallOption) (*proto.ValidateSessionResponse, error)
ValidateTunnelPeer(ctx context.Context, in *proto.ValidateTunnelPeerRequest, opts ...grpc.CallOption) (*proto.ValidateTunnelPeerResponse, error)
}
SessionValidator validates session tokens and checks user access permissions.
type TunnelLookupFunc ¶ added in v0.72.0
type TunnelLookupFunc func(ip netip.Addr) (PeerIdentity, bool)
TunnelLookupFunc resolves a tunnel IP to a peer identity using locally available peerstore data. ok=false means the IP is not in the calling account's roster.
func TunnelLookupFromContext ¶ added in v0.72.0
func TunnelLookupFromContext(ctx context.Context) TunnelLookupFunc
TunnelLookupFromContext returns the peerstore lookup attached to ctx, or nil when the request did not arrive on a per-account listener.
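How the lookup is meant to sit in front of ValidateTunnelPeer (per the WithTunnelLookup doc: reject unknown IPs locally, skip the RPC for identities already confirmed) is shown below as an added example, not the package's own code. It re-declares PeerIdentity, TunnelLookupFunc, WithTunnelLookup and TunnelLookupFromContext with an assumed unexported context key, replaces the proto-typed ValidateTunnelPeer with a string-based peerValidator interface, and uses a constructed one-peer roster and fake management backend. PeerAuth, NewPeerAuth, fakeManagement and newRoster are example names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/netip"
	"sync"
	"sync/atomic"
)

type PeerIdentity struct { // the page's V1 shape; V2 fields omitted
	PubKey   string
	TunnelIP netip.Addr
	FQDN     string
}

type TunnelLookupFunc func(ip netip.Addr) (PeerIdentity, bool)

type lookupKey struct{} // unexported context key; the real key type is not on the page

func WithTunnelLookup(ctx context.Context, lookup TunnelLookupFunc) context.Context {
	return context.WithValue(ctx, lookupKey{}, lookup)
}

func TunnelLookupFromContext(ctx context.Context) TunnelLookupFunc {
	l, _ := ctx.Value(lookupKey{}).(TunnelLookupFunc)
	return l
}

// peerValidator stands in for SessionValidator.ValidateTunnelPeer with the
// proto messages reduced to strings (an assumption of this example).
type peerValidator interface {
	ValidateTunnelPeer(ctx context.Context, pubKey string) (userID string, err error)
}

var ErrPeerUnknown = errors.New("tunnel IP not in the account's peer roster")

// PeerAuth caches identities management has already confirmed, keyed by the
// WireGuard public key (what the roster binds the IP to) rather than by IP,
// so a recycled tunnel IP cannot inherit another peer's cached entry.
type PeerAuth struct {
	validator peerValidator
	cache     sync.Map // pubkey -> user ID
	rpcCalls  atomic.Int64
}

func NewPeerAuth(v peerValidator) *PeerAuth { return &PeerAuth{validator: v} }

func (p *PeerAuth) RPCCalls() int { return int(p.rpcCalls.Load()) } // management round-trips so far

// Authenticate resolves the user behind a tunnel source IP in the order the
// middleware doc gives: roster (unknown IP is rejected with no RPC), then
// cache (RPC skipped), then ValidateTunnelPeer.
func (p *PeerAuth) Authenticate(ctx context.Context, ip netip.Addr) (string, error) {
	lookup := TunnelLookupFromContext(ctx)
	if lookup == nil {
		return "", errors.New("request did not arrive on a per-account listener")
	}
	id, ok := lookup(ip)
	if !ok {
		return "", ErrPeerUnknown
	}
	if uid, hit := p.cache.Load(id.PubKey); hit {
		return uid.(string), nil
	}
	uid, err := p.validator.ValidateTunnelPeer(ctx, id.PubKey)
	p.rpcCalls.Add(1)
	if err != nil {
		return "", err // rejections are not cached; the next request asks management again
	}
	p.cache.Store(id.PubKey, uid)
	return uid, nil
}

// Constructed fixtures: a fake management backend and a one-peer roster.
type fakeManagement struct{ users map[string]string }

func (f fakeManagement) ValidateTunnelPeer(_ context.Context, pubKey string) (string, error) {
	if uid, ok := f.users[pubKey]; ok {
		return uid, nil
	}
	return "", errors.New("management rejected peer")
}

func newRoster() TunnelLookupFunc {
	alice := netip.MustParseAddr("100.64.0.7")
	roster := map[netip.Addr]PeerIdentity{alice: {PubKey: "wg-pub-alice", TunnelIP: alice, FQDN: "alice.acct.internal"}}
	return func(ip netip.Addr) (PeerIdentity, bool) { id, ok := roster[ip]; return id, ok }
}

func main() {
	p := NewPeerAuth(fakeManagement{users: map[string]string{"wg-pub-alice": "alice"}})
	ctx := WithTunnelLookup(context.Background(), newRoster())
	_, err := p.Authenticate(ctx, netip.MustParseAddr("100.64.0.99"))
	uid, _ := p.Authenticate(ctx, netip.MustParseAddr("100.64.0.7"))
	uid, _ = p.Authenticate(ctx, netip.MustParseAddr("100.64.0.7"))
	fmt.Println(err, uid, p.RPCCalls()) // unknown IP refused with no RPC; alice costs one RPC, not two
}
```

Because the roster check runs before the cache, a peer removed from the peerstore is refused even if an entry for its key is still cached. The reverse is not covered: a user disabled only on the management side stays cached until the entry is evicted, so a real cache needs a TTL or an invalidation hook, which this example leaves out.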