auth

package
v0.67.3
Published: Apr 2, 2026 License: BSD-3-Clause, AGPL-3.0 Imports: 20 Imported by: 0

Constants

This section is empty.

Variables

var ErrHeaderAuthFailed = errors.New("header authentication failed")

ErrHeaderAuthFailed indicates that the header was present but the credential did not validate. Callers should return 401 instead of falling through to other auth schemes.

Functions

This section is empty.

Types

type DomainConfig

type DomainConfig struct {
	Schemes           []Scheme
	SessionPublicKey  ed25519.PublicKey
	SessionExpiration time.Duration
	AccountID         types.AccountID
	ServiceID         types.ServiceID
	IPRestrictions    *restrict.Filter
}

DomainConfig holds the authentication and restriction settings for a protected domain.

type Header

type Header struct {
	// contains filtered or unexported fields
}

Header implements header-based authentication. The proxy checks for the configured header in each request and validates its value via gRPC.

func NewHeader added in v0.67.0

func NewHeader(client authenticator, id types.ServiceID, accountId types.AccountID, headerName string) Header

NewHeader creates a Header authentication scheme for the given header name.

func (Header) Authenticate added in v0.67.0

func (h Header) Authenticate(r *http.Request) (string, string, error)

Authenticate checks for the configured header in the request. If the header is absent, it returns an empty token (unauthenticated) so that the middleware can try the next scheme. If the header is present, its value is validated via gRPC; a present but invalid credential is reported as ErrHeaderAuthFailed (see Variables) and must be answered with 401 rather than falling through to other schemes.

func (Header) Type added in v0.67.0

func (Header) Type() auth.Method

Type returns auth.MethodHeader.

type Middleware

type Middleware struct {
	// contains filtered or unexported fields
}

Middleware applies per-domain authentication and IP restriction checks.

func NewMiddleware

func NewMiddleware(logger *log.Logger, sessionValidator SessionValidator, geo restrict.GeoResolver) *Middleware

NewMiddleware creates a new authentication middleware. The sessionValidator is optional; if nil, OIDC session tokens are still verified locally against the domain's session public key, but no group access check is performed, so any user holding a valid session is admitted.

func (*Middleware) AddDomain

func (mw *Middleware) AddDomain(domain string, schemes []Scheme, publicKeyB64 string, expiration time.Duration, accountID types.AccountID, serviceID types.ServiceID, ipRestrictions *restrict.Filter) error

AddDomain registers authentication schemes for the given domain. If schemes are provided, a valid session public key (publicKeyB64, a base64-encoded Ed25519 public key) is required to verify the session JWTs issued for the domain; a public key can only verify, it cannot sign. Returns an error if the key is missing or invalid. Callers must not serve the domain if this returns an error: Protect passes requests for unregistered hosts through unchanged, so serving the domain anyway would expose an unauthenticated service.
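The following is an added example, not code from this package, showing the two checks a caller can expect behind AddDomain and the local session validation described for NewMiddleware: decoding publicKeyB64 into an Ed25519 key of the right size, and verifying an EdDSA session JWT against that key, the domain, the token's own exp, and the configured SessionExpiration. The claim names, the EdDSA header, and the signSession issuer are assumptions; the page does not document the proxy's token format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// sessionClaims is an assumed claim set; the page does not document the
// payload of the session JWTs the proxy issues.
type sessionClaims struct {
	Subject   string `json:"sub"`
	Domain    string `json:"aud"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

var (
	errBadKey   = errors.New("session public key is missing or invalid")
	errBadToken = errors.New("malformed session token")
	errBadSig   = errors.New("session token signature invalid")
	errExpired  = errors.New("session token expired")
	errAudience = errors.New("session token issued for another domain")
)

// parseSessionKey is the check a publicKeyB64 argument to AddDomain has to
// pass: standard base64 decoding to exactly ed25519.PublicKeySize bytes.
func parseSessionKey(b64 string) (ed25519.PublicKey, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errBadKey
	}
	return ed25519.PublicKey(raw), nil
}

// verifySession checks an EdDSA JWT (header.payload.signature, unpadded
// base64url) against the domain's key, audience, and both the token's own
// exp and the domain's SessionExpiration policy (maxAge since iat).
func verifySession(token string, key ed25519.PublicKey, domain string, maxAge time.Duration, now time.Time) (*sessionClaims, error) {
	if len(key) != ed25519.PublicKeySize {
		return nil, errBadKey // ed25519.Verify panics on a wrong-sized key
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errBadToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	h, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errBadToken // pin the algorithm: "none" or HMAC headers are rejected
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(key, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errBadSig // verify before trusting any claim
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c sessionClaims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errBadToken
	}
	if c.Domain != domain {
		return nil, errAudience // a session for one domain is not valid on another
	}
	if now.Unix() >= c.ExpiresAt || now.Sub(time.Unix(c.IssuedAt, 0)) > maxAge {
		return nil, errExpired
	}
	return &c, nil
}

// signSession is a constructed issuer used only to produce tokens for this
// example; the proxy's own issuer is not on this page.
func signSession(priv ed25519.PrivateKey, c sessionClaims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	msg := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	return msg + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key, _ := parseSessionKey(base64.StdEncoding.EncodeToString(pub))
	now := time.Now()
	tok := signSession(priv, sessionClaims{Subject: "alice", Domain: "app.example", IssuedAt: now.Unix(), ExpiresAt: now.Add(time.Hour).Unix()})
	c, err := verifySession(tok, key, "app.example", 8*time.Hour, now)
	fmt.Println(c, err)
}
```

The algorithm is fixed to EdDSA before the signature is checked, and the signature is checked before any claim is read, so a forged header or a token signed for another domain's key never reaches the expiration or audience logic. Enforcing maxAge as well as exp means a token with a generous exp cannot outlive a later tightening of SessionExpiration.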

func (*Middleware) Protect

func (mw *Middleware) Protect(next http.Handler) http.Handler

Protect wraps next with per-domain authentication and IP restriction checks. Requests whose Host is not registered via AddDomain pass through unchanged, so the middleware fails open for unknown hosts; every domain that must be protected has to be registered before it is served.

func (*Middleware) RemoveDomain

func (mw *Middleware) RemoveDomain(domain string)

RemoveDomain unregisters authentication for the given domain.

type OIDC

type OIDC struct {
	// contains filtered or unexported fields
}

func NewOIDC

func NewOIDC(client urlGenerator, id types.ServiceID, accountId types.AccountID, forwardedProto string) OIDC

NewOIDC creates a new OIDC authentication scheme.

func (OIDC) Authenticate

func (o OIDC) Authenticate(r *http.Request) (string, string, error)

Authenticate checks for an OIDC session token or obtains the OIDC redirect URL.

func (OIDC) Type

func (OIDC) Type() auth.Method

type Password

type Password struct {
	// contains filtered or unexported fields
}

func NewPassword

func NewPassword(client authenticator, id types.ServiceID, accountId types.AccountID) Password

func (Password) Authenticate

func (p Password) Authenticate(r *http.Request) (string, string, error)

Authenticate attempts to authenticate the request using a form value carried in the request. If the credential is absent or does not validate, the token is empty and promptData carries the required HTTP form ID, so that the login UI can inject it into its next request and authentication can succeed.

func (Password) Type

func (Password) Type() auth.Method

type Pin

type Pin struct {
	// contains filtered or unexported fields
}

func NewPin

func NewPin(client authenticator, id types.ServiceID, accountId types.AccountID) Pin

func (Pin) Authenticate

func (p Pin) Authenticate(r *http.Request) (string, string, error)

Authenticate attempts to authenticate the request using a form value carried in the request. If the credential is absent or does not validate, the token is empty and promptData carries the required HTTP form ID, so that the login UI can inject it into its next request and authentication can succeed.

func (Pin) Type

func (Pin) Type() auth.Method

type Scheme

type Scheme interface {
	Type() auth.Method
	// Authenticate checks the request and determines whether it represents
	// an authenticated user. An empty token indicates an unauthenticated
	// request; optionally, promptData may be returned for the login UI.
	// An error indicates an infrastructure failure (e.g. gRPC unavailable).
	Authenticate(*http.Request) (token string, promptData string, err error)
}

Scheme defines an authentication mechanism for a domain.
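The following is an added example, not code from this package, showing how the Scheme contract above composes: a header scheme that returns an empty token when the header is absent but ErrHeaderAuthFailed when it is present and wrong, a PIN scheme that returns its form ID as promptData, and an Authorize loop that runs the schemes in order and maps the three outcomes (token, empty token with optional promptData, error) to 200, 401 and 503 as the ErrHeaderAuthFailed and Scheme documentation require. Type() is omitted because dispatch needs only Authenticate; the checker function, the session token strings and the credential store are assumptions standing in for the gRPC authenticator client.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrHeaderAuthFailed and Scheme restate the page; Type() is omitted here
// because the dispatch below only needs Authenticate.
var ErrHeaderAuthFailed = errors.New("header authentication failed")

type Scheme interface {
	Authenticate(*http.Request) (token string, promptData string, err error)
}

// checker stands in for the gRPC authenticator client (assumed signature).
type checker func(secret string) (bool, error)

// headerScheme: absent header -> empty token so the next scheme runs; present
// but invalid -> ErrHeaderAuthFailed, which must become a 401, never a retry.
type headerScheme struct{ name string; check checker }

func (h headerScheme) Authenticate(r *http.Request) (string, string, error) {
	v := r.Header.Get(h.name)
	if v == "" {
		return "", "", nil
	}
	if ok, err := h.check(v); err != nil {
		return "", "", err // backend failure, e.g. gRPC unavailable
	} else if !ok {
		return "", "", ErrHeaderAuthFailed
	}
	return "session-for:" + v, "", nil
}

// pinScheme reads a PIN from a form field; promptData names the field the
// login UI must submit, as the Pin and Password docs describe.
type pinScheme struct{ field string; check checker }

func (p pinScheme) Authenticate(r *http.Request) (string, string, error) {
	v := r.PostFormValue(p.field) // parses the form body itself
	if v == "" {
		return "", p.field, nil
	}
	if ok, err := p.check(v); err != nil || !ok {
		return "", p.field, err // wrong PIN: prompt again; err only on backend failure
	}
	return "session-for:pin", "", nil
}

// Authorize runs the schemes in order under the contract on this page and
// returns what the middleware would send: 200 with a token, 401 with an
// optional prompt for the login UI, or 503 when a scheme's backend failed.
func Authorize(schemes []Scheme, r *http.Request) (status int, token, prompt string) {
	for _, s := range schemes {
		tok, p, err := s.Authenticate(r)
		switch {
		case errors.Is(err, ErrHeaderAuthFailed):
			return http.StatusUnauthorized, "", "" // do not fall through
		case err != nil:
			return http.StatusServiceUnavailable, "", ""
		case tok != "":
			return http.StatusOK, tok, ""
		}
		if prompt == "" {
			prompt = p // first non-empty prompt wins
		}
	}
	return http.StatusUnauthorized, "", prompt
}

// exampleSchemes wires both schemes to a constructed credential store.
func exampleSchemes() []Scheme {
	store := map[string]bool{"api-key-ok": true, "1234": true}
	check := func(secret string) (bool, error) { return store[secret], nil }
	return []Scheme{headerScheme{"X-Api-Key", check}, pinScheme{"pin", check}}
}

// headerRequest and pinRequest build constructed requests for the two schemes.
func headerRequest(value string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://app.example/", nil)
	r.Header.Set("X-Api-Key", value) // "" reads back as absent
	return r
}

func pinRequest(pin string) *http.Request {
	body := strings.NewReader(url.Values{"pin": {pin}}.Encode())
	r := httptest.NewRequest(http.MethodPost, "http://app.example/", body)
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

func main() {
	s := exampleSchemes()
	fmt.Println(Authorize(s, headerRequest("wrong"))) // 401 and no prompt: no fall-through
}
```

The distinction that matters for security is in Authorize: an empty token is the only result that lets the loop continue, while ErrHeaderAuthFailed short-circuits to 401 without a login prompt, so a wrong API key can never be "retried" against the weaker PIN form, and a backend outage surfaces as 503 rather than as a silent pass or a misleading login page.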

type SessionValidator

type SessionValidator interface {
	ValidateSession(ctx context.Context, in *proto.ValidateSessionRequest, opts ...grpc.CallOption) (*proto.ValidateSessionResponse, error)
}

SessionValidator validates session tokens and checks user access permissions.
