core

package
v0.51.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 23, 2026 License: MIT Imports: 39 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	GroupInviteStatusPending  = "pending"
	GroupInviteStatusAccepted = "accepted"
	GroupInviteStatusDeclined = "declined"
	GroupInviteStatusRevoked  = "revoked"
	GroupInviteStatusExpired  = "expired"
)

Group-invite statuses (mirror the group_invites_status_chk constraint).

View Source 
const (
	ErrCodeUsernameTooShort            = "username_too_short"
	ErrCodeUsernameTooLong             = "username_too_long"
	ErrCodeUsernameMustStartWithLetter = "username_must_start_with_letter"
	ErrCodeUsernameCannotContainAt     = "username_cannot_contain_at"
	ErrCodeUsernameCannotStartWithPlus = "username_cannot_start_with_plus"
	ErrCodeUsernameInvalidCharacters   = "username_invalid_characters"
	ErrCodeOwnerSlugTaken              = "owner_slug_taken"
	ErrCodeUsernameNotAllowed          = "username_not_allowed"
	ErrCodeRenameRateLimited           = "rename_rate_limited"
	ErrCodeInvalidEmail                = "invalid_email"
	ErrCodeInvalidPhoneNumber          = "invalid_phone_number"
	ErrCodePasswordTooShort            = "password_too_short"
)
View Source 
const (
	// RootType is the single built-in permission-group type (the former
	// "platform" layer, #95). Every deployment has exactly ONE root group: the
	// parentless ancestor of every other group. Its namespace is `root:`.
	RootType = "root"

	// OwnerRoleName is the required role every type ships. It holds the type's
	// WHOLE namespace (`<type>:*`) and nothing else — never a bare `*`, never
	// another persona. Widest reach within the type, still namespace-pure.
	OwnerRoleName = "owner"

	// MemberRoleName is the base-membership role authkit seeds on every group.
	// Minimal authority (no perms unless the app's catalog gives it some).
	MemberRoleName = "member"
)
View Source 
const (
	// Identity / account directory.
	PermRootUsersRead    = "root:users:read"    // read the account directory
	PermRootUsersSuspend = "root:users:suspend" // suspend / unsuspend an account
	PermRootUsersBan     = "root:users:ban"     // ban / unban an account
	PermRootUsersDelete  = "root:users:delete"  // soft-delete / restore an account

	// Group lifecycle as ENTITIES (moderation — delete/restore a group, never run it).
	PermRootGroupsCreate = "root:groups:create" // create a top-level group as an operator
	PermRootGroupsDelete = "root:groups:delete" // soft-delete / restore any group

	// Operator management of roles/credentials/sessions.
	PermRootRolesManage      = "root:roles:manage"       // define/inspect platform-operator roles
	PermRootRemoteAppsManage = "root:remote-apps:manage" // manage federation issuers as an operator
	PermRootAPIKeysRevoke    = "root:api-keys:revoke"    // revoke any api-key
	PermRootSessionsRevoke   = "root:sessions:revoke"    // revoke any user session

	// SuperAdminRoleName is the root role authkit ships in addition to owner:
	// the apex operator. Like owner it holds root:* (they are equivalent on the
	// root type); kept as a distinct name for the familiar "super-admin" slug.
	SuperAdminRoleName = "super-admin"
)
View Source 
const (
	SubjectKindUser      = "user"
	SubjectKindRemoteApp = "remote_application"
)

SubjectKindUser / SubjectKindRemoteApplication are the polymorphic subject kinds a group assignment may target (mirrors group_role_assignments).

View Source 
const (
	// ServiceJWTTokenUse + DefaultServiceJWTLifetime are defined in authbase
	// (core-free) and re-exported here.
	ServiceJWTTokenUse = authbase.ServiceJWTTokenUse
	// ServiceJWTType is the JOSE typ header AuthKit stamps on minted service JWTs.
	ServiceJWTType            = "service+jwt"
	DefaultServiceJWTLifetime = authbase.DefaultServiceJWTLifetime
)
View Source 
const (
	RemoteAppModeJWKS   = authbase.RemoteAppModeJWKS
	RemoteAppModeStatic = authbase.RemoteAppModeStatic
)

Remote-application trust modes (#74). A remote_application is a federation PRINCIPAL whose credential is a key, with exactly one trust source: 

jwks   — keys fetched + refreshed from JWKSURI; rotation is publishing a new
         kid at the same URL.
static — authorized_keys-style human-managed PEM list for principals without
         a JWKS endpoint; manual rotation by design.

Remote-application trust modes are defined in authbase (core-free) and re-exported here.

View Source 
const (
	SolanaSNSStatusDisabled = "disabled"
	SolanaSNSStatusPending  = "pending"
	SolanaSNSStatusResolved = "resolved"
	SolanaSNSStatusNotFound = "not_found"
	SolanaSNSStatusError    = "error"
	SolanaSNSStatusStale    = "stale"
)
View Source 
const DefaultBootstrapManifestPath = "/etc/authkit/bootstrap.yaml"
View Source 
const DelegatedAccessTokenType = jwtkit.DelegatedAccessTokenType

DelegatedAccessTokenType is the canonical JOSE `typ` header value for a delegated access token.

View Source 
const HashAlgoLegacyResetRequired = "legacy-reset-required"

HashAlgoLegacyResetRequired marks profiles.user_passwords rows migrated from legacy systems whose stored hashes can never verify (DES crypt, md5-crypt, corrupted values). The raw legacy hash is preserved in password_hash for forensics only; the sole way forward for these accounts is a password reset.

View Source 
const (
	// MaxCustomJWTLifetime caps the TTL of a custom-claims JWT. Custom tokens are
	// short-lived first-party tokens (capability/worker tokens, etc.); they share
	// the same 1h ceiling regardless of the requested TTL. Mirrors the bounded-TTL
	// guardrails on MintServiceJWT / MintDelegatedAccessToken.
	MaxCustomJWTLifetime = time.Hour
)
View Source 
const RemoteApplicationAccessTokenType = jwtkit.RemoteApplicationAccessTokenType

RemoteApplicationAccessTokenType is the JOSE `typ` for a remote application access token.

View Source 
const SensitiveActionFreshAuthWindow = 15 * time.Minute
View Source 
const SolanaProviderSlug = "solana"

SolanaProviderSlug is the provider slug used for Solana wallets.

Variables

View Source 
var (
	ErrInvalidAccessToken = authbase.ErrInvalidAccessToken
	ErrAccessTokenRevoked = authbase.ErrAccessTokenRevoked
	ErrAccessTokenExpired = authbase.ErrAccessTokenExpired
)

Token sentinel errors are defined in authbase and re-exported here for backward compatibility (so core.X callers and errors.Is checks are unaffected).

View Source 
var (
	APIKeyMarker    = authbase.APIKeyMarker
	HasAPIKeyPrefix = authbase.HasAPIKeyPrefix
	FormatAPIKey    = authbase.FormatAPIKey
	ParseAPIKey     = authbase.ParseAPIKey
)

API-key marker/parse/format helpers are defined in authbase (core-free) and re-exported here for backward compatibility.

View Source 
var (
	// ErrEmptyCustomClaims is returned when CustomJWTMintOptions.Claims is empty —
	// MintCustomJWT exists to carry host claims, so an empty set is a caller bug.
	ErrEmptyCustomClaims = errors.New("custom_jwt_empty_claims")
	// ErrTooManyCustomClaims is returned when the host claim set exceeds
	// maxCustomJWTClaims.
	ErrTooManyCustomClaims = errors.New("custom_jwt_too_many_claims")
	// ErrCustomClaimsReserved is returned when the host Claims map tries to set a
	// registered claim that AuthKit owns (`iss`/`iat`/`exp`) — those are set by
	// AuthKit and the raw map may not silently clobber them. Use the explicit
	// Issuer option to override `iss`.
	ErrCustomClaimsReserved = errors.New("custom_jwt_reserved_claim")
)
View Source 
var (
	// ErrInviteNotFound indicates no live invite matched the lookup.
	ErrInviteNotFound = errors.New("group_invite_not_found")
	// ErrInviteNotPending indicates an action requiring a pending invite hit one
	// already accepted/declined/revoked/expired.
	ErrInviteNotPending = errors.New("group_invite_not_pending")
)
View Source 
var (
	// ErrAttributeDefNotFound is defined in authbase (core-free) and re-exported here.
	ErrAttributeDefNotFound = authbase.ErrAttributeDefNotFound
	// ErrInvalidAttributeDef indicates a malformed definition registration.
	ErrInvalidAttributeDef = errors.New("invalid_attribute_def")
)
View Source 
var (
	// ErrUserBanned indicates the account is blocked from authenticating.
	ErrUserBanned = errors.New("user_banned")
	// ErrPasswordResetRequired indicates the account's stored password hash is
	// flagged HashAlgoLegacyResetRequired: no plaintext can ever verify against
	// it, so the user must complete a password reset before password auth (login,
	// reauth, change-password) can succeed. HTTP layers map this to the stable
	// code "password_reset_required".
	ErrPasswordResetRequired = errors.New("password_reset_required")
	// ErrUserNotFound indicates a user does not exist (or is not visible).
	ErrUserNotFound = errors.New("user_not_found")
	// ErrEmailAlreadyVerified indicates an email verification request targeted an already-verified email.
	ErrEmailAlreadyVerified = errors.New("email_already_verified")
	// ErrPhoneAlreadyVerified indicates a phone verification request targeted an already-verified phone.
	ErrPhoneAlreadyVerified = errors.New("phone_already_verified")
	// ErrPendingRegistrationNotFound indicates a registration resend request did not match a pending registration.
	ErrPendingRegistrationNotFound = errors.New("pending_registration_not_found")
	// ErrRegistrationDisabled indicates a public user-creation path was attempted
	// while native-user registration is bootstrap-only. Existing-user
	// authentication is unaffected; only NEW account creation through
	// public/auto-registration is blocked.
	ErrRegistrationDisabled = errors.New("registration_disabled")
	// ErrVerificationLinkExpired indicates a verification link/token no longer has a pending verification record.
	ErrVerificationLinkExpired = errors.New("verification_link_expired")
	// ErrOrgManagementDisabled indicates a public org onboarding/management path
	// was attempted while org registration is bootstrap-only. Embedded
	// bootstrap/admin core APIs remain available.
	ErrOrgManagementDisabled = errors.New("org_management_disabled")
)
View Source 
var (
	ErrEmailDeliveryFailed = errors.New("email_delivery_failed")
	ErrSMSDeliveryFailed   = errors.New("sms_delivery_failed")
)
View Source 
var (
	// ErrInvalidServiceJWT is defined in authbase and re-exported here.
	ErrInvalidServiceJWT = authbase.ErrInvalidServiceJWT
	ErrMissingSigner     = errors.New("missing_signer")
)
View Source 
var (
	// ErrRemoteApplicationNotFound indicates no remote_application matched.
	ErrRemoteApplicationNotFound = errors.New("remote_application_not_found")
	// ErrInvalidRemoteApplication is defined in authbase and re-exported here.
	ErrInvalidRemoteApplication = authbase.ErrInvalidRemoteApplication
	// ErrReservedIssuer indicates an attempt to register a remote_application
	// under the platform's own issuer string. The platform issuer is the local,
	// first-party signing identity; allowing a federated remote_application to
	// claim it would overwrite the trusted local issuer entry (key-swap / auth
	// DoS — see AK-AUTH-01).
	ErrReservedIssuer = errors.New("reserved_issuer")
)
View Source 
var (
	NormalizeAllowedOrigin  = authbase.NormalizeAllowedOrigin
	NormalizeAllowedOrigins = authbase.NormalizeAllowedOrigins
	OriginAllowed           = authbase.OriginAllowed
)

Origin helpers are defined in authbase (core-free) and re-exported here.

View Source 
var ErrCannotRemoveLastAdminRole = errors.New("cannot_remove_last_admin_role")

ErrCannotRemoveLastAdminRole is retained for the admin HTTP adapter's error mapping. The root layer has no "last admin" lock (super-admin is seeded out-of-band via the bootstrap manifest), so core no longer returns it, but the exported symbol stays so dependents keep compiling.

View Source 
var ErrEntitlementFilterUnavailable = errors.New("authkit: entitlement filtering requires an EntitlementFilterProvider")

ErrEntitlementFilterUnavailable is returned by AdminListUsers/AdminCountUsers when an Entitlement filter is requested but no EntitlementFilterProvider is configured — fail loud rather than silently return everyone.

View Source 
var ErrGroupNotFound = errors.New("permission group not found")

ErrGroupNotFound is returned when a (type, resource_ref) or id resolves to no live permission-group.

View Source 
var ErrInvalidBootstrapManifest = errors.New("invalid_bootstrap_manifest")
View Source 
var ErrNotGroupMember = errors.New("not_group_member")

ErrNotGroupMember is returned when a remote_application holds no role in its controlling permission-group.

View Source 
var ErrOwnerSlugTaken = errors.New("owner_slug_taken")

ErrOwnerSlugTaken is retained as a stable sentinel for identity-policy error mapping. Under the permission-group model usernames are unique on their own (the org-slug reservation plane was removed); kept so dependents' errors.Is checks keep compiling.

View Source 
var ErrReauthenticationRequired = errors.New("reauth_required")
View Source 
var ErrRenameRateLimited = errors.New("rename_rate_limited")

ErrRenameRateLimited is returned when a username rename is attempted before the renameCooldown window has elapsed.

View Source 
var ErrReservedRoleSlug = errors.New("reserved_role_slug")
View Source 
var ErrUserRoleNotFound = errors.New("user_role_not_found")

Functions

func IntrinsicRootPermissions added in v0.49.0 

func IntrinsicRootPermissions() []string

IntrinsicRootPermissions returns the authkit-built-in root: permission set (every deployment ships these). Apps add their own root: moderation perms on top via the root type's roles.

func IsDevEnvironment 

func IsDevEnvironment(environment string) bool

IsDevEnvironment reports whether a host-provided environment string is non-production.

func MintDelegatedAccessToken added in v0.26.0 

func MintDelegatedAccessToken(ctx context.Context, signer jwtkit.Signer, p DelegatedAccessParams) (string, error)

MintDelegatedAccessToken signs a canonical delegated access token with an explicit signer. It stamps the `typ=delegated-access+jwt` JOSE header, writes the canonical `delegated_sub`/`permissions`/`attributes` claims, and NEVER sets `sub` — the sub-XOR-delegated_sub invariant is enforced by construction. Receiving services authorize by issuer/resource-account trust plus `permissions`. A top-level `roles` claim is never minted; delegated-subject role UUIDs, when carried, ride under `attributes.roles` (see the Roles param).

Hosts embedding core.Service should prefer (*Service).MintDelegatedAccessToken so they never construct their own signer or read the PEM.

func MintRemoteApplicationAccessToken added in v0.28.0 

func MintRemoteApplicationAccessToken(ctx context.Context, signer jwtkit.Signer, p RemoteApplicationAccessParams) (string, error)

MintRemoteApplicationAccessToken signs a remote application access token with an explicit signer. It stamps the `typ=remote-application-access+jwt` header and writes NO `sub`/`delegated_sub` — identity is the validated `iss` and authority is STORED, resolved at verify. A non-nil p.Permissions is written as the `permissions` claim: a down-scoping request the verifier intersects with the stored ceiling (#76 amendment); never a widening.

func NormalizeEmail added in v0.8.6 

func NormalizeEmail(email string) string

func NormalizePhone added in v0.8.6 

func NormalizePhone(phone string) string

func NormalizePreferredLocale added in v0.14.0 

func NormalizePreferredLocale(locale string) (string, error)

func NormalizeRemoteAppTrustSource added in v0.27.0 

func NormalizeRemoteAppTrustSource(jwksURI string, mode string, keys []RemoteAppKey) (string, error)

NormalizeRemoteAppTrustSource validates the mutually-exclusive trust source of a registration and returns the normalized mode. Empty mode is inferred: a key list means static, otherwise jwks. It is the single validation gate so the XOR rule cannot be bypassed.

func OwnerGrant added in v0.49.0 

func OwnerGrant(typeName string) string

OwnerGrant is the namespace-pure owner grant for a type: `<type>:*`. Never a bare `*`. The owner role of every type holds exactly this.

func PermAPIKeysManage added in v0.49.0 

func PermAPIKeysManage(t string) string

func PermAPIKeysRead added in v0.49.0 

func PermAPIKeysRead(t string) string

func PermInvitesManage added in v0.49.0 

func PermInvitesManage(t string) string

func PermInvitesRead added in v0.49.0 

func PermInvitesRead(t string) string

func PermMembersManage added in v0.49.0 

func PermMembersManage(t string) string

Built-in per-type group-management permissions (authkit-provisioned in every type's catalog). All are 3-segment <persona>:<area>:<action>. The owner role (=<type>:*) covers them all; an app may grant them to other roles.

func PermMembersRead added in v0.49.0 

func PermMembersRead(t string) string

func PermRemoteAppsManage added in v0.49.0 

func PermRemoteAppsManage(t string) string

func PermRemoteAppsRead added in v0.49.0 

func PermRemoteAppsRead(t string) string

func PermRolesManage added in v0.49.0 

func PermRolesManage(t string) string

func PermRolesRead added in v0.49.0 

func PermRolesRead(t string) string

func PermissionPersona added in v0.49.0 

func PermissionPersona(perm string) string

PermissionPersona returns a permission/grant's first segment (its persona ≡ type ≡ namespace). PermissionPersona("merchant:catalog:update") == "merchant".

func ValidateEmail added in v0.8.6 

func ValidateEmail(email string) error

func ValidateGrantPattern added in v0.49.0 

func ValidateGrantPattern(g string) error

ValidateGrantPattern checks a GRANT token (what a role holds). Grants may be concrete perms OR namespace-anchored globs, but NEVER a bare `*`: 

<persona>:<resource>:<action>   a concrete perm
<persona>:<resource>:*          all actions on a resource
<persona>:*                     the whole persona namespace (the owner grant)

The persona segment is always a literal — a bare `*` or `*`-persona is rejected, which is what makes reach != capability structural (a `merchant:*` grant can never name a `root:`/`customer:` perm). Mirrors authbase.PermMatches semantics but is STRICTER: it forbids mid-glob forms like `persona:*:action`.

func ValidatePassword added in v0.8.6 

func ValidatePassword(value string) error

func ValidatePermission added in v0.49.0 

func ValidatePermission(p string) error

ValidatePermission checks a CONCRETE catalog permission: EXACTLY three lowercase segments `<persona>:<resource>:<action>` (e.g. `merchant:catalog:update`, `root:users:ban`). Two-part (`repo:update`) and four-part perms are rejected — a two-part perm must grow a resource (`repo:contents:update`); a type may use a `:self:` resource for "the thing itself" actions (`endpoint:self:invoke`).

func ValidatePhone added in v0.8.6 

func ValidatePhone(phone string) error

func ValidateUsername added in v0.8.6 

func ValidateUsername(username string) error

func ValidationErrorCode added in v0.8.6 

func ValidationErrorCode(err error) string

ValidationErrorCode returns a stable validation code from err when possible.

func WithSessionRevokeReason 

func WithSessionRevokeReason(ctx context.Context, reason SessionRevokeReason) context.Context

WithSessionRevokeReason annotates ctx so revoke paths can emit a structured reason to the auth logger.

Types

type APIKey added in v0.41.0 

type APIKey struct {
	ID          string
	KeyID       string
	Name        string
	Role        string
	Permissions []string
	Resources   []APIKeyResource
	CreatedBy   string
	CreatedAt   time.Time
	LastUsedAt  *time.Time
	ExpiresAt   *time.Time
	RevokedAt   *time.Time
}

APIKey is the non-secret metadata view of an API key. The secret is never stored or returned after creation. Role is the single group role the key holds; Permissions is that role's RESOLVED effective permission set (a convenience projection — the role is the source of truth, edit it to change the key).

type APIKeyMintOptions added in v0.41.0 

type APIKeyMintOptions struct {
	Name      string
	Role      string
	Resources []APIKeyResource
	CreatedBy string
	ExpiresAt *time.Time
}

APIKeyMintOptions is the resource-aware API-key mint request. The key references exactly ONE role (Role) that must be valid for the owning group's TYPE catalog (or a group custom role); its permissions are resolved from that role at use time. Resource-scope is a separate binding.

type APIKeyResource added in v0.41.0 

type APIKeyResource = authbase.APIKeyResource

APIKeyResource is one opaque, host-defined resource scope carried by an API key. Defined in authbase (core-free) and re-exported here.

type APIKeysConfig added in v0.47.0 

type APIKeysConfig struct {
	// Prefix is the issuing application's brand prefix for generated API keys
	// (single value per deployment). Empty defaults to the bare `st_` marker.
	// Must be lowercase alphanumeric, 1-16 chars.
	Prefix string
	// MaxTTL caps how far in the future a minted API key may expire. 0 (default)
	// means no cap (keys may be non-expiring); when set, a requested expiry
	// beyond now+MaxTTL (incl. no-expiry) is capped at mint time. The resource-
	// scope authorizer is injected via the WithResourceScopeAuthorizer option.
	MaxTTL time.Duration
}

APIKeysConfig configures opaque org-owned machine credentials.

type APIKeysFacet added in v0.46.0 

type APIKeysFacet struct {
	// contains filtered or unexported fields
}

APIKeysFacet is the org API-key view of Service.

func (APIKeysFacet) AuthorizeAPIKeyResources added in v0.46.0 

func (f APIKeysFacet) AuthorizeAPIKeyResources(ctx context.Context, req ResourceScopeAuthorizationRequest) error

AuthorizeAPIKeyResources calls Service.AuthorizeAPIKeyResources.

func (APIKeysFacet) ListAPIKeys added in v0.46.0 

func (f APIKeysFacet) ListAPIKeys(ctx context.Context, groupType, resourceRef string) ([]APIKey, error)

ListAPIKeys calls Service.ListAPIKeys.

func (APIKeysFacet) MintAPIKey added in v0.46.0 

func (f APIKeysFacet) MintAPIKey(ctx context.Context, groupType, resourceRef, name, role, createdBy string, expiresAt *time.Time) (APIKey, string, error)

MintAPIKey calls Service.MintAPIKey.

func (APIKeysFacet) MintAPIKeyWithOptions added in v0.46.0 

func (f APIKeysFacet) MintAPIKeyWithOptions(ctx context.Context, groupType, resourceRef string, opts APIKeyMintOptions) (APIKey, string, error)

MintAPIKeyWithOptions calls Service.MintAPIKeyWithOptions.

func (APIKeysFacet) ResolveAPIKey added in v0.46.0 

func (f APIKeysFacet) ResolveAPIKey(ctx context.Context, keyID, secret string) (groupRef string, permissions []string, err error)

ResolveAPIKey calls Service.ResolveAPIKey.

func (APIKeysFacet) ResolveAPIKeyWithResources added in v0.46.0 

func (f APIKeysFacet) ResolveAPIKeyWithResources(ctx context.Context, keyID, secret string) (ResolvedAPIKey, error)

ResolveAPIKeyWithResources calls Service.ResolveAPIKeyWithResources.

func (APIKeysFacet) RevokeAPIKey added in v0.46.0 

func (f APIKeysFacet) RevokeAPIKey(ctx context.Context, groupType, resourceRef, tokenID string) (bool, error)

RevokeAPIKey calls Service.RevokeAPIKey.

type AdminListUsersResult 

type AdminListUsersResult struct {
	Users  []AdminUser `json:"users"`
	Total  int64       `json:"total"`
	Limit  int         `json:"limit"`
	Offset int         `json:"offset"`
}

AdminListUsersResult contains paginated user list with total count

type AdminUser 

type AdminUser struct {
	ID              string     `json:"id"`
	Email           *string    `json:"email"` // Nullable for phone-only users
	PhoneNumber     *string    `json:"phone_number"`
	Username        *string    `json:"username"`
	DiscordUsername *string    `json:"discord_username"`
	EmailVerified   bool       `json:"email_verified"`
	PhoneVerified   bool       `json:"phone_verified"`
	BannedAt        *time.Time `json:"banned_at,omitempty"`
	BannedUntil     *time.Time `json:"banned_until,omitempty"`
	BanReason       *string    `json:"ban_reason,omitempty"`
	BannedBy        *string    `json:"banned_by,omitempty"`
	DeletedAt       *time.Time `json:"deleted_at"`
	Biography       *string    `json:"biography"`
	CreatedAt       time.Time  `json:"created_at"`
	UpdatedAt       time.Time  `json:"updated_at"`
	LastLogin       *time.Time `json:"last_login"`
	Roles           []string   `json:"roles"`
	Entitlements    []string   `json:"entitlements"`
}

Admin listing/get/delete

type AdminUserListOptions added in v0.40.0 

type AdminUserListOptions struct {
	Page        int
	PageSize    int
	Search      string          // ILIKE over username/email/phone_number
	Role        string          // root-group role slug (e.g. "admin"); empty = no role filter
	Status      AdminUserStatus // empty = non-deleted (historical default)
	Sort        AdminUserSort   // empty = created_at
	Desc        bool            // true = descending
	Entitlement string          // empty = no entitlement filter; else provider-backed
}

AdminUserListOptions is the GENERIC admin user-directory query (issue #91). It carries no host product knowledge: Role is any root permission-group role slug, Status/Sort are closed enums. Entitlement filtering delegates to the billing provider (EntitlementFilterProvider), never a cross-schema join.

type AdminUserSort added in v0.40.0 

type AdminUserSort string

AdminUserSort selects the directory ordering column. 

const (
	AdminUserSortCreatedAt AdminUserSort = "created_at" // default
	AdminUserSortLastLogin AdminUserSort = "last_login"
	AdminUserSortUsername  AdminUserSort = "username"
	AdminUserSortEmail     AdminUserSort = "email"
)

type AdminUserStatus added in v0.40.0 

type AdminUserStatus string

AdminUserStatus filters the directory by account state. 

const (
	AdminUserStatusActive  AdminUserStatus = "active"  // not deleted, not banned
	AdminUserStatusBanned  AdminUserStatus = "banned"  // not deleted, currently banned
	AdminUserStatusDeleted AdminUserStatus = "deleted" // soft-deleted
	AdminUserStatusAny     AdminUserStatus = "any"     // no deleted/banned predicate

)

type AuthEventLogReader added in v0.4.2 

type AuthEventLogReader interface {
	// ListSessionEvents returns session events matching any of the given event types.
	// If userID is empty, returns events for all users.
	ListSessionEvents(ctx context.Context, userID string, eventTypes ...SessionEventType) ([]AuthSessionEvent, error)
}

AuthEventLogReader allows listing session events filtered by event types and optional userID.

type AuthEventLogger 

type AuthEventLogger interface {
	LogSessionEvent(ctx context.Context, e AuthSessionEvent) error
}

type AuthSessionEvent 

type AuthSessionEvent struct {
	OccurredAt time.Time
	Issuer     string
	UserID     string
	SessionID  string
	Event      SessionEventType
	Method     *string
	Reason     *string
	IPAddr     *string
	UserAgent  *string
}

AuthSessionEvent is a best-effort, append-only session lifecycle record intended for external sinks.

ClickHouse schema expectation (see migrations/clickhouse): - issuer, user_id, session_id, event are required - method is typically set for SessionEventCreated - reason is typically set for SessionEventRevoked

type BatchEntitlementsProvider added in v0.21.0 

type BatchEntitlementsProvider interface {
	ListEntitlementsBatch(ctx context.Context, userIDs []string) (map[string][]string, error)
}

BatchEntitlementsProvider is an optional upgrade of EntitlementsProvider: one call answers many users, so list renders (AdminListUsers) cost one provider round trip instead of one per row. Detected by type assertion; providers without it get the per-user fallback. Unknown user ids may be absent from the result.

type BootstrapFacet added in v0.46.0 

type BootstrapFacet struct {
	// contains filtered or unexported fields
}

BootstrapFacet is the manifest/provisioning view of Service.

func (BootstrapFacet) ReconcileBootstrapManifest added in v0.46.0 

func (f BootstrapFacet) ReconcileBootstrapManifest(ctx context.Context, manifest BootstrapManifest, opts BootstrapReconcileOptions) (BootstrapManifestResult, error)

ReconcileBootstrapManifest calls Service.ReconcileBootstrapManifest.

type BootstrapManifest added in v0.37.0 

type BootstrapManifest struct {
	Users       []BootstrapManifestUser       `json:"users" yaml:"users"`
	GlobalRoles []BootstrapManifestGlobalRole `json:"global_roles" yaml:"global_roles"`
}

BootstrapManifest is AuthKit's first-class closed-deployment authority manifest. It owns AuthKit state only: users, root permission-group roles, and password seeding.

The org/platform RBAC planes were hard-cut in favor of the permission-group model (#111): operator authority is a role assignment in the singleton root group. The manifest still uses the `global_roles` field names for backward compatibility, but they now seed root-group roles: a role named "admin" maps onto the root super-admin (root:*), and any other name must be a catalog role of the root type (declared in core.Config). The legacy role name/description fields no longer have a target and are accepted-but-ignored.

func LoadBootstrapManifestFile added in v0.37.0 

func LoadBootstrapManifestFile(path string) (BootstrapManifest, error)

func ParseBootstrapManifestYAML added in v0.37.0 

func ParseBootstrapManifestYAML(raw []byte) (BootstrapManifest, error)

type BootstrapManifestGlobalRole added in v0.37.0 

type BootstrapManifestGlobalRole struct {
	Name        string  `json:"name" yaml:"name"`
	Slug        string  `json:"slug" yaml:"slug"`
	Description *string `json:"description" yaml:"description"`
}

BootstrapManifestGlobalRole declares a root-group role to ensure exists. Only Slug is meaningful (the role name); Name/Description are accepted for backward compatibility but ignored. "admin" seeds the super-admin role (root:*).

type BootstrapManifestResult added in v0.37.0 

type BootstrapManifestResult struct {
	DryRun                bool `json:"dry_run"`
	UsersCreated          int  `json:"users_created"`
	UsersUpdated          int  `json:"users_updated"`
	PasswordsSet          int  `json:"passwords_set"`
	PasswordsKept         int  `json:"passwords_kept"`
	GlobalRoles           int  `json:"global_roles"`
	GlobalRoleAssignments int  `json:"global_role_assignments"`
}

type BootstrapManifestUser added in v0.37.0 

type BootstrapManifestUser struct {
	Ref           string                 `json:"ref" yaml:"ref"`
	Email         string                 `json:"email" yaml:"email"`
	PhoneNumber   string                 `json:"phone_number" yaml:"phone_number"`
	Username      string                 `json:"username" yaml:"username"`
	EmailVerified bool                   `json:"email_verified" yaml:"email_verified"`
	PhoneVerified bool                   `json:"phone_verified" yaml:"phone_verified"`
	Banned        bool                   `json:"banned" yaml:"banned"`
	BannedAt      *time.Time             `json:"banned_at" yaml:"banned_at"`
	BannedUntil   *time.Time             `json:"banned_until" yaml:"banned_until"`
	BanReason     *string                `json:"ban_reason" yaml:"ban_reason"`
	BannedBy      *string                `json:"banned_by" yaml:"banned_by"`
	Metadata      map[string]any         `json:"metadata" yaml:"metadata"`
	Password      *BootstrapUserPassword `json:"password" yaml:"password"`
	// GlobalRoles assigns root permission-group roles to this user by name (#111).
	// "admin" mints the root super-admin (root:*); any other name is assigned as a
	// same-named catalog role of the root type.
	GlobalRoles []string `json:"global_roles" yaml:"global_roles"`
}

type BootstrapReconcileOptions added in v0.37.0 

type BootstrapReconcileOptions struct {
	DryRun bool
}

type BootstrapUserPassword added in v0.37.0 

type BootstrapUserPassword struct {
	Plaintext     string         `json:"plaintext" yaml:"plaintext"`
	Hash          string         `json:"hash" yaml:"hash"`
	HashAlgo      string         `json:"hash_algo" yaml:"hash_algo"`
	HashParams    map[string]any `json:"hash_params" yaml:"hash_params"`
	ResetRequired bool           `json:"reset_required" yaml:"reset_required"`
	// Enforce makes the password DESIRED-STATE (#89): re-asserted on every
	// reconcile. Default false = SEED-ONCE — the password is applied only when
	// the user is first created, so a password rotated out of band (via the
	// admin API) is never reverted to the manifest value on a later reconcile.
	// Must not be combined with ResetRequired (forcing a reset every run is
	// nonsensical).
	Enforce bool `json:"enforce" yaml:"enforce"`
}

type Config 

type Config struct {
	// Token is the JWT issuing/verification contract and session limits.
	Token TokenConfig
	// Frontend describes host-owned frontend routes used for absolute-URL and
	// full-page OIDC callback construction.
	Frontend FrontendConfig
	// Registration controls verification policy and public self-registration.
	Registration RegistrationConfig
	// Keys controls signing-key resolution (or verify-only mode).
	Keys KeysConfig
	// Identity declares external OAuth2/OIDC identity providers.
	Identity IdentityConfig
	// APIKeys configures opaque org-owned machine credentials.
	APIKeys APIKeysConfig
	// RBAC declares the app permission catalog, default roles, and owner policy.
	RBAC RBACConfig

	// Environment is a host-provided runtime mode string used for dev/prod
	// behavior checks. "prod"/"production" mean production; anything else is
	// treated as non-prod.
	Environment string

	// Schema is the Postgres schema AuthKit's tables live in. Empty defaults to
	// "profiles" (the historical hard-coded name). Set it when multiple apps
	// embed AuthKit against the same database and must not share auth tables
	// (authkit issue 69). The name must match ^[a-z_][a-z0-9_]*$ (max 63 bytes);
	// NewFromConfig rejects anything else. Hosts that set a non-default schema
	// must also run the migrations rendered for that schema — see
	// migrations/postgres.FSForSchema.
	Schema string

	// SolanaNetwork is the SIWS chain selector ("mainnet"/"testnet"/"devnet").
	// Empty derives a default from Environment. Solana Name Service (SNS)
	// resolution turns on automatically when a resolver is supplied via the
	// WithSolanaSNSResolver option; its lookup timeout (3s) and cache TTL (24h)
	// are fixed constants, not configurable.
	SolanaNetwork string
}

Config is the host-provided configuration for an AuthKit Service. Fields are grouped by concern into typed sub-structs (#108). It carries DATA/POLICY only; runtime dependencies (Postgres, Redis, senders, loggers) are injected via the constructor's functional options, not here.

type CreatePermissionGroupRequest added in v0.49.0 

type CreatePermissionGroupRequest struct {
	Type              string
	ResourceRef       string
	ParentType        string
	ParentResourceRef string
	OwnerSubjectID    string
}

CreatePermissionGroupRequest creates a typed group. Parent is addressed by (ParentType, ParentResourceRef); for a single-allowed-parent type ParentType may be omitted. OwnerSubjectID, when set, is seeded with the owner role.

type CustomJWTMintOptions added in v0.26.0 

type CustomJWTMintOptions struct {
	// Claims is the host's claim set, e.g. {"cap_kind": "...", "grants": [...],
	// "release_id": "..."}. Required and non-empty. It may carry `sub`/`aud`
	// (unless overridden by the Subject/Audiences options) but may NOT carry the
	// AuthKit-owned registered claims `iss`/`iat`/`exp`.
	Claims map[string]any
	// TTL is the token lifetime. Required (must be > 0); capped at
	// MaxCustomJWTLifetime.
	TTL time.Duration
	// Type is the JOSE `typ` header (e.g. "worker-capability+jwt"). When empty the
	// header is left unset — unlike the opinionated minters, MintCustomJWT does
	// not impose a default `typ`; the host owns the token shape.
	Type string
	// Subject, when set, becomes the `sub` claim and wins over any `sub` in Claims.
	Subject string
	// Audiences, when set, becomes the `aud` claim and wins over any `aud` in Claims.
	Audiences []string
	// Issuer, when set, becomes the `iss` claim; otherwise `iss` defaults to the
	// Service's configured Issuer. This is the ONLY way to override `iss`.
	Issuer string
}

CustomJWTMintOptions controls minting of a JWT with an arbitrary first-party claim set. This is AuthKit's documented escape hatch: the HOST owns the claim semantics, and the verifier side MUST understand them. Prefer the constrained, opinionated paths — MintServiceJWT (machine-to-machine service JWT) and MintDelegatedAccessToken (cross-service delegated access) — whenever they fit; reach for MintCustomJWT only for token shapes those can't express (e.g. tensorhub capability/worker tokens with `cap_kind`/`grants`/`release_id`).

Claim precedence (documented + enforced):

  • AuthKit ALWAYS sets the registered claims it owns: `iss`, `iat`, `exp` (and the `kid`/`alg` JOSE headers, via the signer). The host Claims map may NOT set `iss`/`iat`/`exp` — doing so returns ErrCustomClaimsReserved rather than silently dropping or clobbering them.
  • `iss` is overridable ONLY via the explicit Issuer option (defaults to the Service's configured Issuer). `sub`/`aud` are set from the explicit Subject/Audiences options when provided; otherwise the host Claims map may carry its own `sub`/`aud` (the host owns those for custom tokens). When an explicit Subject/Audiences IS provided, it wins over any `sub`/`aud` in the Claims map.

type CustomRoleResolver added in v0.49.0 

type CustomRoleResolver func(groupID, role string) ([]string, bool)

CustomRoleResolver returns the grant tokens of a per-group custom role, or (nil, false) if no such custom role exists. Consulted only for types whose AllowCustomRoles is set; pass nil when the deployment defines no custom roles.

type DefaultRole added in v0.11.3 

type DefaultRole struct {
	Name        string   `json:"name"`
	Permissions []string `json:"permissions"`
}

DefaultRole is a role template seeded into every org at creation: a role name and its permission set (tokens are concrete perms or namespace-anchored globs like `org:*`/`org:*:read`; no bare `*`, no `!perm` negation).

type DelegatedAccessParams added in v0.26.0 

type DelegatedAccessParams struct {
	// Issuer becomes the `iss` claim: the AuthKit issuer that signed the token.
	// Must match a remote_application registered with the validating resource server.
	// Required when minting via the free function; the *Service mint method
	// defaults it to the Service's configured Issuer when empty.
	Issuer string
	// Audiences becomes the `aud` claim: the target resource API(s), e.g.
	// "openrails", "tensorhub", or "gen-orchestrator".
	Audiences []string
	// DelegatedSubject becomes `delegated_sub`: the issuer-side subject id.
	// Required. No local account is implied in the receiving service.
	DelegatedSubject string
	// Permissions becomes the `permissions` claim: an array of resource-defined
	// permission strings (NOT OAuth's space-delimited `scope`). Receiving
	// services validate these against their own permission set.
	Permissions []string
	// Attributes becomes the `attributes` claim: the canonical app-specific
	// ESCAPE HATCH (#75). An object of issuer-asserted, NAMESPACED, OPAQUE
	// key/values that AuthKit transports + optionally shape-validates but NEVER
	// interprets — the semantics belong to the consuming app (tensorhub etc.).
	// Each value is set in ONE of two modes, per key:
	//   INLINE    — the value carries the full definition, e.g.
	//               {"tier":{"endpoints":[...],"caps":[...]}}. No lookup.
	//   REFERENCE — the value is a short string key, e.g. {"tier":"tier-1"},
	//               resolved by the consumer against a definition the
	//               remote_application registered ahead of time (see the
	//               attribute-def registry: Service.RegisterRemoteAppAttributeDef
	//               / ResolveRemoteAppAttributeDef). Keeps tokens small.
	// Reserved well-known keys: `tier` (opaque entitlement-tier string) and
	// `roles` (a uuid array; prefer the typed Roles field below). Everything
	// else is free-form per consuming app. Values are arbitrary JSON.
	Attributes map[string]any
	// Roles is a convenience for emitting the delegated subject's role UUIDs into
	// `attributes.roles` (a JSON array of UUID strings). Equivalent to setting
	// Attributes["roles"] yourself; when both are set this typed field wins.
	Roles []string
	// TTL is the token lifetime. Defaults to 15m when zero.
	TTL time.Duration
	// JTI, when set, becomes the `jti` claim (token identifier). Optional.
	JTI string
	// NotBefore, when set, becomes the `nbf` claim. Optional.
	NotBefore time.Time
}

DelegatedAccessParams describes a delegated access token to mint.

A delegated access token is AuthKit's standard primitive for resource-service federation: one AuthKit issuer signs a short-lived JWT for an external delegated subject, and a resource service accepts it after issuer/JWKS/ audience validation. The token represents a delegated subject (DelegatedSubject) acting under the resource account that the VALIDATED `iss` resolves to in the receiver's issuer registry — the token itself carries no org claims. It NEVER carries a normal `sub` — no local account is implied in the receiving service.

type EmailSender 

type EmailSender interface {
	SendVerification(ctx context.Context, email, username string, msg VerificationMessage) error
	SendPasswordResetLink(ctx context.Context, email, username, token string) error
	SendLoginCode(ctx context.Context, email, username, code string) error
	SendWelcome(ctx context.Context, email, username string) error
}

EmailSender sends verification/login/reset emails.

type EntitlementFilterProvider added in v0.40.0 

type EntitlementFilterProvider interface {
	ListSubjectsWithEntitlement(ctx context.Context, entitlement string) ([]string, error)
}

EntitlementFilterProvider is the REVERSE of EntitlementsProvider: given an entitlement key, it returns the subject ids that currently hold it. AuthKit owns the user DIRECTORY; the billing system (OpenRails) owns "who is entitled", so filtering the directory BY entitlement delegates here instead of joining across schemas. Subject ids ARE user ids (UUID-only payable identity). Detected by type assertion on the entitlements provider; when absent, AdminListUsers with an Entitlement filter fails with ErrEntitlementFilterUnavailable so the misconfiguration is loud rather than silently returning everyone.

type EntitlementsProvider 

type EntitlementsProvider interface {
	ListEntitlements(ctx context.Context, userID string) ([]string, error)
}

EntitlementsProvider returns the names of a user's currently active application entitlements (e.g., billing tiers). Names are the ONLY shape AuthKit consumes — they are baked verbatim into the `entitlements` claim of access tokens and surfaced on admin user views. Providers should return active grants only; expired/revoked entitlements are the provider's concern, not AuthKit's.

type EphemeralMode 

type EphemeralMode string
const (
	EphemeralMemory EphemeralMode = "memory"
	EphemeralRedis  EphemeralMode = "redis"
)

type EphemeralStore 

type EphemeralStore interface {
	Get(ctx context.Context, key string) ([]byte, bool, error)
	Set(ctx context.Context, key string, value []byte, ttl time.Duration) error
	Del(ctx context.Context, key string) error
}

EphemeralStore is a minimal key-value interface used for short-lived auth state. Implementations should honor TTL on Set and treat missing keys as (found=false, err=nil).

type FrontendConfig added in v0.47.0 

type FrontendConfig struct {
	// BaseURL, if set, is used for building absolute URLs (e.g. password
	// reset/verify links). If empty and Token.Issuer is a well-formed URL,
	// NewFromConfig defaults it to the issuer.
	BaseURL string
	// CallbackPath is the host-owned frontend route that receives full-page OIDC
	// login results. Empty defaults to "/login/callback". (Paths for
	// reset/verify are fixed to "/reset"/"/verify" — not configurable.)
	CallbackPath string
}

FrontendConfig describes host-owned frontend routes.

type GeneratedRoute added in v0.49.0 

type GeneratedRoute struct {
	Persona string
	Method  string
	Path    string // e.g. /:persona/:resource-id/members  (with :persona bound to Persona)
	Perm    string
}

GeneratedRoute is one auto-generated management endpoint: addressed by the RESOURCE's own id (:resource-id), gated by Perm (a concrete <persona>:<res>:<act>).

type GroupAssignment added in v0.49.0 

type GroupAssignment struct {
	GroupType string   // the declared type of the group this assignment lives in
	GroupID   string   // opaque group id; used ONLY to scope custom-role lookups
	Roles     []string // role names the subject holds in this group
}

GroupAssignment is a subject's role-assignment set within ONE permission-group, tagged with that group's TYPE. The engine produces a slice of these by walking a target group's parent chain (resolving the subject's roles at each level); the slice order is irrelevant — the union is additive and order-independent.

type GroupInvite added in v0.50.0 

type GroupInvite struct {
	ID        string
	GroupID   string
	UserID    string
	InvitedBy string
	Role      string
	Status    string
	ExpiresAt *time.Time
	ActedAt   *time.Time
	CreatedAt time.Time
	UpdatedAt time.Time
}

GroupInvite is the non-secret view of a pending/acted invite. Role resolves via the type catalog / custom roles (not a DB FK); on accept it is assigned to UserID.

type GroupMember added in v0.49.0 

type GroupMember struct {
	SubjectID   string
	SubjectKind string
	Role        string
}

GroupMember is one role-assignment in a group (roster listing).

type GroupSchema added in v0.49.0 

type GroupSchema struct {
	// contains filtered or unexported fields
}

GroupSchema is the validated, immutable set of declared group types — the containment schema + catalogs + management profiles. Construct via NewGroupSchema, which validates everything once.

func BuildSchema added in v0.49.0 

func BuildSchema(appTypes ...GroupTypeDef) (*GroupSchema, error)

BuildSchema assembles the deployment's GroupSchema from authkit's intrinsic root type plus the app's declared types, and validates the whole. If the app passes its OWN root type (to add moderation roles) it is used as-is; otherwise the bare IntrinsicRootType() is injected. This is the consumer entry point: an app declares only its non-root types (+ optional extra root roles) and gets a validated schema, or a clear error.

func NewGroupSchema added in v0.49.0 

func NewGroupSchema(types ...GroupTypeDef) (*GroupSchema, error)

NewGroupSchema validates an app's declared types and returns the schema, or an error describing the first problem. It enforces: a single root type (named RootType, parentless); every type has an `owner` role == `<type>:*`; every role grant is a valid pattern in the type's OWN persona (namespace purity); allowed-parent edges reference declared types and form an acyclic tree rooted at root; and CustomRoleCreation routes imply AllowCustomRoles.

func (*GroupSchema) Can added in v0.49.0 

func (s *GroupSchema) Can(assignments []GroupAssignment, custom CustomRoleResolver, perm string) bool

Can reports whether the subject (via its assignments across a target group's parent chain) holds a grant covering perm. ALLOW if any granted token covers perm under authkit's namespace-anchored glob semantics (a bare `*` never matches). Additive walk-up union; the caller constructs the exact perm to check (e.g. for a resource of type RT acted on from an ancestor of type LT, the perm is `LT:RT:<action>` — the two-persona rule, decision #5).

func (*GroupSchema) GeneratedRoutes added in v0.49.0 

func (s *GroupSchema) GeneratedRoutes() []GeneratedRoute

GeneratedRoutes returns the full management surface implied by the schema's per-type management profiles. The HTTP layer mounts exactly these; anything a profile disables is simply absent (→ 404). Reads gate on <area>:read; mutations on the matching <area>:manage built-in.

func (*GroupSchema) IsRoot added in v0.49.0 

func (s *GroupSchema) IsRoot(name string) bool

IsRoot reports whether name is the root type.

func (*GroupSchema) ResolveGrants added in v0.49.0 

func (s *GroupSchema) ResolveGrants(assignments []GroupAssignment, custom CustomRoleResolver) []string

ResolveGrants computes the additive, de-duplicated UNION of grant tokens a subject holds across the given assignments. For each (groupType, role): a catalog role contributes the type's catalog grants; otherwise, if the type allows custom roles, the per-group custom role's grants are used. Unknown types and unknown roles contribute NOTHING (fail-closed). Every returned token is a grant pattern already validated at schema-construction time.

func (*GroupSchema) Role added in v0.49.0 

func (s *GroupSchema) Role(typeName, roleName string) (RoleDef, bool)

Role returns a single role from a type's catalog.

func (*GroupSchema) Roles added in v0.49.0 

func (s *GroupSchema) Roles(typeName string) ([]RoleDef, bool)

Roles returns a type's effective roles (app-declared + seeded owner/member).

func (*GroupSchema) Type added in v0.49.0 

func (s *GroupSchema) Type(name string) (GroupTypeDef, bool)

Type returns a declared type's effective definition.

func (*GroupSchema) Types added in v0.49.0 

func (s *GroupSchema) Types() []string

Types returns the declared type names, sorted.

func (*GroupSchema) ValidateParent added in v0.49.0 

func (s *GroupSchema) ValidateParent(childType, parentType string) error

ValidateParent enforces the containment schema at INSTANCE-create time: a proposed (childType, parentType) edge. root is parentless; every non-root group needs a parent whose type is in the child type's AllowedParents — so e.g. `root -> repo` is structurally impossible, not merely discouraged.

type GroupTypeDef added in v0.49.0 

type GroupTypeDef struct {
	Name             string
	Roles            []RoleDef // app-declared; owner (=<type>:*) + member are injected if absent
	AllowedParents   []string  // declared types; empty ⇒ root (parentless). Non-root needs >=1.
	AllowCustomRoles bool      // may a group owner define ADDITIONAL custom roles?
	Routes           ManagementProfile
}

GroupTypeDef declares one permission-group type (a persona). persona ≡ type ≡ the first permission segment. `Name == RootType` is the parentless singleton.

func IntrinsicRootType added in v0.49.0 

func IntrinsicRootType(extraRootRoles ...RoleDef) GroupTypeDef

IntrinsicRootType returns the base `root` GroupTypeDef authkit ships: the parentless singleton type whose owner/super-admin hold root:*. An app passes this to BuildSchema along with EXTRA root roles (moderation bundles) and its other types; the extra root roles may hold any root: perm (intrinsic or app-declared). Custom roles are OFF on root (operators are not end users).

type IdentityConfig added in v0.47.0 

type IdentityConfig struct {
	// Providers – identity providers by name ("google"/"apple"/"github"/
	// "discord"). Only client id/secret are required; standard scopes derive
	// from defaults.
	Providers map[string]oidckit.RPConfig
	// ProviderDescriptors define OAuth2/OIDC providers using config-first
	// descriptors. They augment/override built-in Providers entries and are the
	// preferred path for adding custom providers.
	ProviderDescriptors map[string]authprovider.Provider
}

IdentityConfig declares external OAuth2/OIDC identity providers.

type IdentityFacet added in v0.46.0 

type IdentityFacet struct {
	// contains filtered or unexported fields
}

IdentityFacet is the identity-linking view of Service.

func (IdentityFacet) AddRemoteApplicationMember added in v0.46.0 

func (f IdentityFacet) AddRemoteApplicationMember(ctx context.Context, appID, role string) error

AddRemoteApplicationMember calls Service.AddRemoteApplicationMember. 

func (f IdentityFacet) CountProviderLinks(ctx context.Context, userID string) int

CountProviderLinks calls Service.CountProviderLinks.

func (IdentityFacet) DeleteRemoteAppAttributeDef added in v0.46.0 

func (f IdentityFacet) DeleteRemoteAppAttributeDef(ctx context.Context, appID, key string) error

DeleteRemoteAppAttributeDef calls Service.DeleteRemoteAppAttributeDef.

func (IdentityFacet) DeleteRemoteApplication added in v0.46.0 

func (f IdentityFacet) DeleteRemoteApplication(ctx context.Context, issuer string) error

DeleteRemoteApplication calls Service.DeleteRemoteApplication.

func (IdentityFacet) GenerateSIWSChallenge added in v0.46.0 

func (f IdentityFacet) GenerateSIWSChallenge(ctx context.Context, cache siws.ChallengeCache, domain, address, username string) (siws.SignInInput, error)

GenerateSIWSChallenge calls Service.GenerateSIWSChallenge.

func (IdentityFacet) GetDiscordUsername added in v0.46.0 

func (f IdentityFacet) GetDiscordUsername(ctx context.Context, userID string) (string, error)

GetDiscordUsername calls Service.GetDiscordUsername. 

func (f IdentityFacet) GetProviderLink(ctx context.Context, providerSlug, subject string) (string, *string, error)

GetProviderLink calls Service.GetProviderLink.

func (IdentityFacet) GetProviderLinkByIssuer added in v0.46.0 

func (f IdentityFacet) GetProviderLinkByIssuer(ctx context.Context, issuer, subject string) (string, *string, error)

GetProviderLinkByIssuer calls Service.GetProviderLinkByIssuer.

func (IdentityFacet) GetProviderUsername added in v0.46.0 

func (f IdentityFacet) GetProviderUsername(ctx context.Context, userID, provider string) (string, error)

GetProviderUsername calls Service.GetProviderUsername.

func (IdentityFacet) GetRemoteApplication added in v0.46.0 

func (f IdentityFacet) GetRemoteApplication(ctx context.Context, issuer string) (*RemoteApplication, error)

GetRemoteApplication calls Service.GetRemoteApplication.

func (IdentityFacet) GetRemoteApplicationBySlug added in v0.46.0 

func (f IdentityFacet) GetRemoteApplicationBySlug(ctx context.Context, slug string) (*RemoteApplication, error)

GetRemoteApplicationBySlug calls Service.GetRemoteApplicationBySlug.

func (IdentityFacet) GetSolanaAddress added in v0.46.0 

func (f IdentityFacet) GetSolanaAddress(ctx context.Context, userID string) (string, error)

GetSolanaAddress calls Service.GetSolanaAddress.

func (IdentityFacet) GetSolanaLinkedAccount added in v0.46.0 

func (f IdentityFacet) GetSolanaLinkedAccount(ctx context.Context, userID string) (*SolanaLinkedAccount, error)

GetSolanaLinkedAccount calls Service.GetSolanaLinkedAccount.

func (IdentityFacet) GetUserByEmail added in v0.46.0 

func (f IdentityFacet) GetUserByEmail(ctx context.Context, email string) (*User, error)

GetUserByEmail calls Service.GetUserByEmail.

func (IdentityFacet) GetUserBySolanaAddress added in v0.46.0 

func (f IdentityFacet) GetUserBySolanaAddress(ctx context.Context, address string) (*User, error)

GetUserBySolanaAddress calls Service.GetUserBySolanaAddress.

func (IdentityFacet) GetUserByUsername added in v0.46.0 

func (f IdentityFacet) GetUserByUsername(ctx context.Context, username string) (*User, error)

GetUserByUsername calls Service.GetUserByUsername.

func (IdentityFacet) HasPassword added in v0.46.0 

func (f IdentityFacet) HasPassword(ctx context.Context, userID string) bool

HasPassword calls Service.HasPassword.

func (IdentityFacet) LinkProvider added in v0.46.0 

func (f IdentityFacet) LinkProvider(ctx context.Context, userID, provider, subject string, email *string) error

LinkProvider calls Service.LinkProvider.

func (IdentityFacet) LinkProviderByIssuer added in v0.46.0 

func (f IdentityFacet) LinkProviderByIssuer(ctx context.Context, userID, issuer, providerSlug, subject string, email *string) error

LinkProviderByIssuer calls Service.LinkProviderByIssuer.

func (IdentityFacet) LinkSolanaWallet added in v0.46.0 

func (f IdentityFacet) LinkSolanaWallet(ctx context.Context, cache siws.ChallengeCache, userID string, output siws.SignInOutput) error

LinkSolanaWallet calls Service.LinkSolanaWallet.

func (IdentityFacet) ListRemoteAppAttributeDefs added in v0.46.0 

func (f IdentityFacet) ListRemoteAppAttributeDefs(ctx context.Context, appID string) ([]RemoteAppAttributeDef, error)

ListRemoteAppAttributeDefs calls Service.ListRemoteAppAttributeDefs.

func (IdentityFacet) ListRemoteApplications added in v0.46.0 

func (f IdentityFacet) ListRemoteApplications(ctx context.Context, activeOnly bool) ([]RemoteApplication, error)

ListRemoteApplications calls Service.ListRemoteApplications.

func (IdentityFacet) RegisterRemoteAppAttributeDef added in v0.46.0 

func (f IdentityFacet) RegisterRemoteAppAttributeDef(ctx context.Context, appID, key string, version int32, definition json.RawMessage) (*RemoteAppAttributeDef, error)

RegisterRemoteAppAttributeDef calls Service.RegisterRemoteAppAttributeDef.

func (IdentityFacet) RemoteApplicationRoles added in v0.49.0 

func (f IdentityFacet) RemoteApplicationRoles(ctx context.Context, appID string) ([]string, error)

RemoteApplicationRoles calls Service.RemoteApplicationRoles.

func (IdentityFacet) RemoveRemoteApplicationMember added in v0.46.0 

func (f IdentityFacet) RemoveRemoteApplicationMember(ctx context.Context, appID, role string) error

RemoveRemoteApplicationMember calls Service.RemoveRemoteApplicationMember.

func (IdentityFacet) ResolveAndStoreSolanaSNS added in v0.46.0 

func (f IdentityFacet) ResolveAndStoreSolanaSNS(ctx context.Context, userID, address string) (SolanaLinkedAccount, error)

ResolveAndStoreSolanaSNS calls Service.ResolveAndStoreSolanaSNS.

func (IdentityFacet) ResolveRemoteAppAttributeDef added in v0.46.0 

func (f IdentityFacet) ResolveRemoteAppAttributeDef(ctx context.Context, appID, key string, version int32) (*RemoteAppAttributeDef, error)

ResolveRemoteAppAttributeDef calls Service.ResolveRemoteAppAttributeDef.

func (IdentityFacet) ResolveRemoteApplicationAuthority added in v0.46.0 

func (f IdentityFacet) ResolveRemoteApplicationAuthority(ctx context.Context, appID string) (permissions []string, err error)

ResolveRemoteApplicationAuthority calls Service.ResolveRemoteApplicationAuthority.

func (IdentityFacet) ResolveRemoteApplicationGroup added in v0.49.0 

func (f IdentityFacet) ResolveRemoteApplicationGroup(ctx context.Context, issuer string) (string, error)

ResolveRemoteApplicationGroup calls Service.ResolveRemoteApplicationGroup.

func (IdentityFacet) SetProviderUsername added in v0.46.0 

func (f IdentityFacet) SetProviderUsername(ctx context.Context, userID, provider, subject, username string) error

SetProviderUsername calls Service.SetProviderUsername.

func (IdentityFacet) UnlinkProvider added in v0.46.0 

func (f IdentityFacet) UnlinkProvider(ctx context.Context, userID, provider string) error

UnlinkProvider calls Service.UnlinkProvider.

func (IdentityFacet) UpsertRemoteApplication added in v0.46.0 

func (f IdentityFacet) UpsertRemoteApplication(ctx context.Context, in RemoteApplication) (*RemoteApplication, error)

UpsertRemoteApplication calls Service.UpsertRemoteApplication.

func (IdentityFacet) VerifySIWSAndLogin added in v0.46.0 

func (f IdentityFacet) VerifySIWSAndLogin(ctx context.Context, cache siws.ChallengeCache, output siws.SignInOutput, extra map[string]any) (accessToken string, expiresAt time.Time, refreshToken, userID string, created bool, err error)

VerifySIWSAndLogin calls Service.VerifySIWSAndLogin.

type ImportUserInput added in v0.9.0 

type ImportUserInput struct {
	Email         string
	PhoneNumber   string
	Username      string
	EmailVerified bool
	PhoneVerified bool
	BannedAt      *time.Time
	BannedUntil   *time.Time
	BanReason     *string
	BannedBy      *string
	Metadata      map[string]any
	CreatedAt     *time.Time
	UpdatedAt     *time.Time
}

type KeysConfig added in v0.47.0 

type KeysConfig struct {
	// Source can be nil — if nil, authkit auto-discovers keys: (1) env vars
	// (ACTIVE_KEY_ID, ACTIVE_PRIVATE_KEY_PEM, PUBLIC_KEYS); (2) filesystem
	// <Path>/keys.json (default /vault/auth); (3) auto-generated keys in
	// .runtime/authkit/ (dev fallback; prod hard-fail). Hosts NEVER handle the
	// private key — they delegate the signing OPERATION to authkit; there is no
	// API that returns a private key or PEM (a future Vault-Transit backend,
	// authkit future #72, drops in behind the same Signer seam).
	Source jwtkit.KeySource
	// Path overrides the filesystem DIRECTORY the local key resolver scans for
	// keys.json when Source is nil. Empty defaults to AUTHKIT_KEYS_PATH, then
	// /vault/auth.
	Path string
	// VerifyOnly constructs the Service with NO active signer (#87): token
	// MINTING returns ErrMissingSigner, while VERIFICATION and all RBAC reads
	// work fully and the JWKS endpoint serves an empty key set. When true, key
	// auto-discovery is SKIPPED. Ignored when Source is non-nil. Use it for a
	// pure resource-server / control-plane deployment that only verifies inbound
	// tokens.
	VerifyOnly bool
}

KeysConfig controls signing-key resolution.

type Keyset 

type Keyset struct {
	Active     jwtkit.Signer
	PublicKeys map[string]crypto.PublicKey // kid -> pub
}

Keyset holds the active signer and the public keys exposed via JWKS.

type ManagementProfile added in v0.49.0 

type ManagementProfile struct {
	MemberAssignment      bool // api-routes.member-assignment
	CustomRoleCreation    bool // api-routes.custom-role-creation (requires AllowCustomRoles)
	APIKeyMinting         bool // api-routes.api-key-minting
	RemoteAppRegistration bool // api-routes.remote-app-registration
	Invitation            bool // api-routes.invitation
}

ManagementProfile chooses which group-management operations authkit exposes as AUTO-GENERATED routes for a type's groups (the `api-routes.*` block). Each flag gates ROUTE GENERATION, not the capability: the host can always do the op via core even with the route off (false ⇒ no public route / 404, not "impossible").

type Option added in v0.47.0 

type Option func(*Service)

Option configures a Service at construction time. Options are applied inside NewFromConfig / NewService, after the base service is built — the replacement for the removed chainable WithX builder methods (#108). Data/policy belongs in Config; every runtime DEPENDENCY is an Option.

func WithAuthLogger added in v0.47.0 

func WithAuthLogger(l AuthEventLogger) Option

WithAuthLogger sets the session-event audit sink.

func WithDBTXWrapper added in v0.47.0 

func WithDBTXWrapper(wrap func(db.DBTX) db.DBTX) Option

WithDBTXWrapper re-binds the querier through wrap (a decorator over the schema-rewriting db.DBTX). Test seam for counting/spy queriers; must be applied after WithPostgres (NewFromConfig applies pg first).

func WithEmailSender added in v0.47.0 

func WithEmailSender(sender EmailSender) Option

WithEmailSender sets the email provider.

func WithEntitlements added in v0.47.0 

func WithEntitlements(p EntitlementsProvider) Option

WithEntitlements sets the entitlements provider.

func WithEphemeralStore added in v0.47.0 

func WithEphemeralStore(store EphemeralStore, mode EphemeralMode) Option

WithEphemeralStore sets the ephemeral store + mode (empty mode => memory).

func WithPostgres added in v0.47.0 

func WithPostgres(pool *pgxpool.Pool) Option

WithPostgres attaches the pgx pool and binds the schema-qualified querier. NewFromConfig applies this automatically from its required pg argument.

func WithResourceScopeAuthorizer added in v0.47.0 

func WithResourceScopeAuthorizer(fn ResourceScopeAuthorizer) Option

WithResourceScopeAuthorizer sets the optional API-key resource-scope authorizer (host hook for resource no-escalation at mint time).

func WithSMSSender added in v0.47.0 

func WithSMSSender(sender SMSSender) Option

WithSMSSender sets the SMS provider.

func WithSolanaSNSResolver added in v0.47.0 

func WithSolanaSNSResolver(r SolanaSNSResolver) Option

WithSolanaSNSResolver turns on Solana Name Service resolution using the host-provided resolver (SNS is off when no resolver is supplied).

type Options 

type Options struct {
	Issuer               string
	IssuedAudiences      []string // JWT audiences - tokens issued will contain ALL of these audiences
	ExpectedAudiences    []string
	AccessTokenDuration  time.Duration
	RefreshTokenDuration time.Duration
	SessionMaxPerUser    int
	// Optional link building (paths are fixed: /reset and /verify)
	BaseURL string
	// FrontendCallbackPath is the host-owned frontend route that receives full-page OIDC login results.
	FrontendCallbackPath string
	// Schema is the Postgres schema AuthKit's tables live in. Empty defaults to
	// "profiles". Must match ^[a-z_][a-z0-9_]*$ (max 63 bytes); NewService
	// panics on an invalid non-empty value because a malformed name would be
	// spliced into SQL text (see internal/db.ForSchema). Prefer NewFromConfig,
	// which returns the validation error instead.
	Schema string
	// RegistrationVerification controls whether registration verification is disabled,
	// non-blocking, or required.
	RegistrationVerification RegistrationVerificationPolicy

	// VerificationSendTimeout bounds each in-line email/SMS provider send
	// (verification codes, password-reset links, login codes) so a configured
	// but misconfigured/unreachable provider cannot hang the request that
	// triggered it (e.g. registration). Empty/<=0 defaults to 15 seconds.
	VerificationSendTimeout time.Duration

	// NativeUserRegistrationMode controls public native-user self-registration.
	NativeUserRegistrationMode RegistrationMode

	// Environment is host-provided runtime mode used for dev/prod behavior checks.
	Environment string
	// SolanaNetwork is host-provided chain selector for SIWS flows.
	SolanaNetwork string
	// SolanaSNSEnabled enables AuthKit-owned Solana Name Service resolution for SIWS-linked wallets.
	SolanaSNSEnabled bool
	// SolanaSNSResolver resolves a verified Solana wallet address to its primary .sol name.
	SolanaSNSResolver SolanaSNSResolver
	// SolanaSNSLookupTimeout bounds resolver calls. Empty defaults to 3 seconds.
	SolanaSNSLookupTimeout time.Duration
	// SolanaSNSCacheTTL controls when cached SNS metadata is considered stale. Empty defaults to 24 hours.
	SolanaSNSCacheTTL time.Duration

	// APIKeyPrefix is the issuing application's brand prefix for generated API
	// keys (validated lowercase-alnum, 1-16 chars; empty -> bare st_).
	APIKeyPrefix string
	// APIKeyMaxTTL caps a minted API key's expiry (0 = no cap).
	APIKeyMaxTTL time.Duration
	// ResourceScopeAuthorizer optionally authorizes host-defined API-key resource
	// scopes during HTTP minting. Nil means AuthKit stores valid scopes
	// opaquely for callers who may manage API keys for the org.
	ResourceScopeAuthorizer ResourceScopeAuthorizer
	// Permissions is the app's permission vocabulary (merged with authkit's
	// base `org:` permissions). DefaultRoles are role templates seeded per org.
	Permissions  []PermissionDef
	DefaultRoles []DefaultRole
	// OwnerOwnsAppResources extends the owner apex grant to cover every
	// app-declared resource namespace (`<ns>:*`), not just `org:*`. See
	// Config.OwnerOwnsAppResources. (#100)
	OwnerOwnsAppResources bool
}

Options configures issued tokens and identifiers.

func (Options) PublicNativeUserRegistrationEnabled added in v0.12.4 

func (o Options) PublicNativeUserRegistrationEnabled() bool

PublicNativeUserRegistrationEnabled reports whether public native-user self-registration / auto-registration is allowed.

func (Options) RegistrationVerificationEnabled added in v0.5.0 

func (o Options) RegistrationVerificationEnabled() bool

func (Options) RegistrationVerificationPolicy added in v0.5.0 

func (o Options) RegistrationVerificationPolicy() RegistrationVerificationPolicy

func (Options) RegistrationVerificationRequired added in v0.5.0 

func (o Options) RegistrationVerificationRequired() bool

type PendingChangeKind added in v0.15.5 

type PendingChangeKind string

PendingChangeKind identifies one of the four verification-gated "deferred change" flows. They all share the same shape — "hold a change until an emailed/texted code is verified, then finalize it" — so they share one record type, one ephemeral storage namespace, and one set of generic operations, differing only in their per-kind finalizer. 

const (
	KindRegisterEmail PendingChangeKind = "register_email"
	KindRegisterPhone PendingChangeKind = "register_phone"
	KindChangeEmail   PendingChangeKind = "change_email"
	KindChangePhone   PendingChangeKind = "change_phone"
)

type PendingRegistration 

type PendingRegistration struct {
	Email           string
	Username        string
	PasswordHash    string
	PreferredLocale string
}

PendingRegistration represents an unverified registration

type PermissionDef added in v0.11.3 

type PermissionDef struct {
	Name        string `json:"name"`
	Description string `json:"description,omitempty"`
}

PermissionDef is one entry in the permission set: an opaque permission string plus a human-readable description (surfaced to admin UIs).

type PermissionGroupStore added in v0.49.0 

type PermissionGroupStore struct {
	// contains filtered or unexported fields
}

PermissionGroupStore is the database access layer for permission-groups. It holds a db.DBTX (a *pgxpool.Pool or a pgx.Tx), so callers choose the txn scope.

func NewPermissionGroupStore added in v0.49.0 

func NewPermissionGroupStore(q db.DBTX) *PermissionGroupStore

NewPermissionGroupStore wraps a db.DBTX (pool or transaction).

func (*PermissionGroupStore) AssignRole added in v0.49.0 

func (st *PermissionGroupStore) AssignRole(ctx context.Context, groupID, subjectID, subjectKind, role string) error

AssignRole grants subject a role in a group (idempotent; un-soft-deletes a prior assignment). The role NAME is validated against the type catalog / custom roles by the caller (engine) before assignment.

func (*PermissionGroupStore) CanOnGroup added in v0.49.0 

func (st *PermissionGroupStore) CanOnGroup(ctx context.Context, schema *GroupSchema, subjectID, subjectKind, groupID, perm string) (bool, error)

CanOnGroup is the end-to-end DB-backed authorization check: walk the target group's chain, preload any custom roles, and test perm coverage against the schema. The caller constructs perm per the two-persona rule (e.g. for an action on a type-RT resource reached from an ancestor of type LT, the perm is `LT:RT:<action>`).

func (*PermissionGroupStore) CreateGroup added in v0.49.0 

func (st *PermissionGroupStore) CreateGroup(ctx context.Context, groupType, parentID, parentType, resourceRef string) (string, error)

CreateGroup inserts a permission-group and returns its internal id. parentID/ parentType are empty for the root group. The containment trigger + CHECK enforce shape at the DB; callers SHOULD also pre-validate via GroupSchema.ValidateParent for a clear error before hitting the DB.

func (*PermissionGroupStore) CustomRolesFor added in v0.49.0 

func (st *PermissionGroupStore) CustomRolesFor(ctx context.Context, groupIDs []string) (CustomRoleResolver, error)

CustomRolesFor preloads the custom roles for a set of group ids and returns a CustomRoleResolver backed by the result — so the pure decision core resolves custom-role grants without per-call DB access.

func (*PermissionGroupStore) DeleteCustomRole added in v0.50.0 

func (st *PermissionGroupStore) DeleteCustomRole(ctx context.Context, groupID, role string) error

DeleteCustomRole removes a per-group custom role (and its permissions).

func (*PermissionGroupStore) GroupByResourceRef added in v0.49.0 

func (st *PermissionGroupStore) GroupByResourceRef(ctx context.Context, groupType, resourceRef string) (string, error)

GroupByResourceRef resolves a group by its API addressing key (type, resource_ref) — the route layer's (persona, resource-id). Returns the internal id, which never leaves authkit.

func (*PermissionGroupStore) GroupMembers added in v0.49.0 

func (st *PermissionGroupStore) GroupMembers(ctx context.Context, groupID string) ([]GroupMember, error)

GroupMembers lists the live role-assignments in a group.

func (*PermissionGroupStore) RootGroupID added in v0.49.0 

func (st *PermissionGroupStore) RootGroupID(ctx context.Context) (string, error)

RootGroupID returns the singleton root group's internal id (ErrGroupNotFound if the deployment has not seeded one yet).

func (*PermissionGroupStore) SeedContainment added in v0.49.0 

func (st *PermissionGroupStore) SeedContainment(ctx context.Context, schema *GroupSchema) error

SeedContainment upserts the containment schema (group_type_parents) from a validated GroupSchema. Idempotent; call once at bootstrap so the DB trigger can enforce the declared tree shape. root has no rows (parentless).

func (*PermissionGroupStore) SubjectGroups added in v0.49.0 

func (st *PermissionGroupStore) SubjectGroups(ctx context.Context, subjectID, subjectKind string) ([]SubjectGroupMembership, error)

SubjectGroups lists every group membership a subject holds (cross-persona), the data behind /me/groups.

func (*PermissionGroupStore) UnassignRole added in v0.49.0 

func (st *PermissionGroupStore) UnassignRole(ctx context.Context, groupID, subjectID, subjectKind, role string) error

UnassignRole soft-deletes a role assignment.

func (*PermissionGroupStore) UpsertCustomRole added in v0.49.0 

func (st *PermissionGroupStore) UpsertCustomRole(ctx context.Context, groupID, role string, permissions []string) error

UpsertCustomRole defines/updates a per-group custom role's permission set. Only meaningful for types whose AllowCustomRoles is set; the caller enforces that + validates each grant pattern (namespace-pure to the group's type).

func (*PermissionGroupStore) WalkAssignments added in v0.49.0 

func (st *PermissionGroupStore) WalkAssignments(ctx context.Context, groupID, subjectID, subjectKind string) ([]GroupAssignment, error)

WalkAssignments walks the target group's parent chain to the root and returns the subject's assignments at each ancestor where it holds at least one role — exactly the []GroupAssignment that GroupSchema.ResolveGrants/Can consume. This is the additive walk-up made concrete.

type PreferredLocale added in v0.14.0 

type PreferredLocale struct {
	Locale    string
	Source    string
	UpdatedAt *time.Time
}

type RBACConfig added in v0.47.0 

type RBACConfig struct {
	// Permissions is the embedding application's set of valid permission strings
	// (e.g. `endpoint:revise`, `repo:create`). authkit merges this with its base
	// `org:` namespace; permissions are opaque to authkit. Names must not collide
	// with the reserved `org:` base permissions.
	Permissions []PermissionDef
	// DefaultRoles are role templates seeded into every org at creation, beyond
	// the built-in `owner`. Tokens are concrete perms or namespace-anchored globs
	// (`org:*`, `org:*:read`); no bare `*`, no `!perm` negation (#93/#95).
	DefaultRoles []DefaultRole
	// OwnerOwnsAppResources, when true, extends the prebuilt `owner` role's apex
	// grant to cover EVERY app-declared resource namespace (one `<ns>:*` glob per
	// non-`platform:` namespace in Permissions), not just `org:*`. Default false
	// keeps the #95 contract (owner = `org:*`). `platform:` is never owned by an
	// org role. Backfill existing orgs with EnsureOwnerGrants. (#100)
	OwnerOwnsAppResources bool

	// Groups declares the app's permission-group types (#111): the containment
	// schema + per-type role catalogs + management profiles. authkit injects the
	// intrinsic `root` type when absent, so an empty slice yields a valid
	// root-only deployment. Validated by NewFromConfig via BuildSchema.
	Groups []GroupTypeDef
}

RBACConfig declares the app permission catalog, default roles, and owner policy.

type RegistrationConfig added in v0.47.0 

type RegistrationConfig struct {
	// Verification controls registration verification: "none"|"optional"|
	// "required". Empty defaults to "none".
	Verification RegistrationVerificationPolicy
	// NativeUserMode controls public native-user self-registration. Empty
	// defaults to "open". Non-open modes disable every public user-creation path
	// while leaving embedded admin/bootstrap core APIs available.
	NativeUserMode RegistrationMode
}

RegistrationConfig controls verification policy and public self-registration.

type RegistrationMode added in v0.12.4 

type RegistrationMode string
const (
	RegistrationModeOpen               RegistrationMode = "open"
	RegistrationModeInviteOnly         RegistrationMode = "invite_only"
	RegistrationModeAdminOnly          RegistrationMode = "admin_only"
	RegistrationModeAdminBootstrapOnly RegistrationMode = "admin_bootstrap_only"
	RegistrationModeManifestOnly       RegistrationMode = "manifest_only"
	RegistrationModeClosed             RegistrationMode = "closed"
)

type RegistrationVerificationPolicy added in v0.5.0 

type RegistrationVerificationPolicy string
const (
	RegistrationVerificationNone     RegistrationVerificationPolicy = "none"
	RegistrationVerificationOptional RegistrationVerificationPolicy = "optional"
	RegistrationVerificationRequired RegistrationVerificationPolicy = "required"
)

type RemoteAppAttributeDef added in v0.27.0 

type RemoteAppAttributeDef = authbase.RemoteAppAttributeDef

RemoteAppAttributeDef is one REFERENCE-mode attribute definition (#75): a remote_application registers (key, version) -> definition, and a platform resolves a token's `attributes.<key>: "<ref>"` reference back to it. The Definition is an OPAQUE JSON doc — AuthKit stores and serves it but NEVER interprets its semantics (same agnosticism as the token attributes bag). RemoteAppAttributeDef is defined in authbase (core-free) and re-exported here.

type RemoteAppKey added in v0.27.0 

type RemoteAppKey = authbase.RemoteAppKey

RemoteAppKey is defined in authbase (core-free) and re-exported here.

type RemoteApplication added in v0.27.0 

type RemoteApplication = authbase.RemoteApplication

RemoteApplication is a federation principal: an external system that authenticates by signing JWTs verified against its JWKS/public keys. It is optionally owned by an org and may hold org memberships with roles via the same polymorphic membership machinery as users (#74). Defined in authbase (core-free) and re-exported here.

type RemoteApplicationAccessParams added in v0.28.0 

type RemoteApplicationAccessParams struct {
	// Issuer becomes the `iss` claim: the remote_application's OIDC issuer,
	// registered with the validating resource server. Required when minting via
	// the free function; the *Service mint method defaults it to the Service's
	// configured Issuer when empty.
	Issuer string
	// Audiences becomes the `aud` claim: the target resource API(s).
	Audiences []string
	// TTL is the token lifetime. Defaults to 15m when zero.
	TTL time.Duration
	// JTI, when set, becomes the `jti` claim. Optional.
	JTI string
	// NotBefore, when set, becomes the `nbf` claim. Optional.
	NotBefore time.Time
	// Permissions, when non-nil, becomes the `permissions` claim: a DOWN-SCOPING
	// request for least-privilege (#76 amendment). The stored grant is the
	// ceiling; effective = this claim, but EVERY claimed perm must be within the
	// stored grant — an out-of-grant claimed perm REJECTS the token at verify (a
	// remote application access token can never widen). nil/absent => no claim
	// => full stored ceiling (backward-compatible with v0.28.0 tokens).
	Permissions []string
}

RemoteApplicationAccessParams describes a remote application access token to mint (#76): a remote_application signs a short-lived JWT that authenticates it AS ITSELF. The principal's authority is the STORED set AuthKit assigned it (org role membership only, #95), resolved at verify from the validated `iss`. The token therefore carries NO authority role claims of its own — and even if a caller adds them, the verifier ignores them.

type ResolvedAPIKey added in v0.41.0 

type ResolvedAPIKey = authbase.ResolvedAPIKey

ResolvedAPIKey is defined in authbase (core-free) and re-exported here.

type ResourceScopeAuthorizationRequest added in v0.12.4 

type ResourceScopeAuthorizationRequest struct {
	GroupType   string
	ResourceRef string
	ActorUserID string
	Permissions []string
	Resources   []APIKeyResource
}

ResourceScopeAuthorizationRequest is passed to a host callback when the HTTP API-key mint route receives resource scopes. AuthKit has already validated shape and permission no-escalation before this hook runs.

type ResourceScopeAuthorizer added in v0.12.4 

type ResourceScopeAuthorizer func(ctx context.Context, req ResourceScopeAuthorizationRequest) error

ResourceScopeAuthorizer is an optional host callback for API-key resource-scope no-escalation. Return an error to deny minting. AuthKit treats resource kinds and IDs as opaque and never interprets their semantics itself.

type RoleDef added in v0.49.0 

type RoleDef struct {
	Name        string
	Permissions []string
}

RoleDef is a named permission bundle within a type's catalog. Its permissions are grant patterns, all in the OWNING type's persona (namespace-pure).

type RolesFacet added in v0.46.0 

type RolesFacet struct {
	// contains filtered or unexported fields
}

RolesFacet is the role and permission view of Service.

func (RolesFacet) AssignRoleBySlug added in v0.46.0 

func (f RolesFacet) AssignRoleBySlug(ctx context.Context, userID, slug string) error

AssignRoleBySlug calls Service.AssignRoleBySlug (root-group role).

func (RolesFacet) ListRoleSlugsByUser added in v0.46.0 

func (f RolesFacet) ListRoleSlugsByUser(ctx context.Context, userID string) []string

ListRoleSlugsByUser calls Service.ListRoleSlugsByUser (root-group roles).

func (RolesFacet) RemoveRoleBySlug added in v0.46.0 

func (f RolesFacet) RemoveRoleBySlug(ctx context.Context, userID, slug string) error

RemoveRoleBySlug calls Service.RemoveRoleBySlug (root-group role).

func (RolesFacet) UpsertRoleBySlug added in v0.46.0 

func (f RolesFacet) UpsertRoleBySlug(ctx context.Context, name, slug string, description *string) error

UpsertRoleBySlug calls Service.UpsertRoleBySlug (root-group catalog role).

type SMSHealthChecker added in v0.15.4 

type SMSHealthChecker interface {
	CheckHealth(ctx context.Context) error
}

SMSHealthChecker is an optional capability for SMS senders that can verify, without sending a message, that they are configured to actually deliver (valid credentials, an attached sender, and a verified/registered number). CheckHealth returns nil when delivery is expected to succeed, or a descriptive error explaining why it will not (e.g. an unverified toll-free sender that would otherwise fail silently with Twilio error 30032).

type SMSSender 

type SMSSender interface {
	SendVerification(ctx context.Context, phone string, msg VerificationMessage) error
	SendPasswordResetLink(ctx context.Context, phone, token string) error
	SendLoginCode(ctx context.Context, phone, code string) error
}

SMSSender sends verification/login/reset SMS messages.

type Service 

type Service struct {
	// contains filtered or unexported fields
}

Service is the core auth service used by HTTP adapters.

func NewFromConfig 

func NewFromConfig(cfg Config, pg *pgxpool.Pool, extraOpts ...Option) (*Service, error)

NewFromConfig creates a Service from high-level Config + Stores. If Keys is nil, auto-discovers keys from environment variables, filesystem, or generates development keys.

func NewService 

func NewService(opts Options, keys Keyset, coreOpts ...Option) *Service

func (*Service) APIKeys added in v0.46.0 

func (s *Service) APIKeys() APIKeysFacet

APIKeys returns the org API-key facet.

func (*Service) AcceptGroupInvite added in v0.50.0 

func (s *Service) AcceptGroupInvite(ctx context.Context, inviteID, userID string) error

AcceptGroupInvite flips a pending invite (addressed by id) to accepted and, in the same transaction, assigns the invited role to userID. userID must be the invited user. ErrInviteNotFound if no live pending invite for (id, userID) exists. Idempotency: a second accept finds no pending row and returns ErrInviteNotPending.

func (*Service) AddRemoteApplicationMember added in v0.27.0 

func (s *Service) AddRemoteApplicationMember(ctx context.Context, appID, role string) error

AddRemoteApplicationMember grants a remote_application a role in its own controlling permission-group via group_role_assignments (subject_kind= remote_application) — the same machinery as users (#111). role defaults to the base member role. Deprecated: use s.Identity().AddRemoteApplicationMember.

func (*Service) AdminCountUsers added in v0.40.0 

func (s *Service) AdminCountUsers(ctx context.Context, opts AdminUserListOptions) (int64, error)

AdminCountUsers returns the number of users matching opts (same filters as AdminListUsers, ignoring pagination/sort). Deprecated: use s.Users().AdminCountUsers.

func (*Service) AdminDeleteUser deprecated 

func (s *Service) AdminDeleteUser(ctx context.Context, id string) error

Deprecated: use s.Users().AdminDeleteUser.

func (*Service) AdminGetUser deprecated 

func (s *Service) AdminGetUser(ctx context.Context, id string) (*AdminUser, error)

Deprecated: use s.Users().AdminGetUser.

func (*Service) AdminListUserSessions 

func (s *Service) AdminListUserSessions(ctx context.Context, userID string) ([]Session, error)

Helper exposed for admin endpoints Deprecated: use s.Sessions().AdminListUserSessions.

func (*Service) AdminListUsers 

func (s *Service) AdminListUsers(ctx context.Context, opts AdminUserListOptions) (*AdminListUsersResult, error)

AdminListUsers is the generic admin user-directory list (issue #91): generic role/org/status filter + search + sort + offset pagination, with optional provider-backed entitlement filtering. Each row is enriched with role slugs and (via the entitlements provider) entitlement names. Deprecated: use s.Users().AdminListUsers.

func (*Service) AdminRevokeUserSessions deprecated 

func (s *Service) AdminRevokeUserSessions(ctx context.Context, userID string) error

Deprecated: use s.Sessions().AdminRevokeUserSessions.

func (*Service) AdminSetPassword 

func (s *Service) AdminSetPassword(ctx context.Context, userID, new string) error

AdminSetPassword force-sets a user's password (admin only, no current password required) Deprecated: use s.Users().AdminSetPassword.

func (*Service) AssignGroupRole added in v0.49.0 

func (s *Service) AssignGroupRole(ctx context.Context, groupType, resourceRef, subjectID, subjectKind, role string) error

AssignGroupRole grants a subject a role in the group addressed by (groupType, resourceRef). The role must be a catalog role (or any role for custom-enabled types).

func (*Service) AssignRoleBySlug 

func (s *Service) AssignRoleBySlug(ctx context.Context, userID, slug string) error

Exported wrappers for admin endpoints Deprecated: use s.Roles().AssignRoleBySlug.

func (*Service) AuthorizeAPIKeyResources deprecated added in v0.41.0 

func (s *Service) AuthorizeAPIKeyResources(ctx context.Context, req ResourceScopeAuthorizationRequest) error

Deprecated: use s.APIKeys().AuthorizeAPIKeyResources.

func (*Service) BanUser 

func (s *Service) BanUser(ctx context.Context, userID string, reason *string, until *time.Time, bannedBy string) error

BanUser disables a user account and stores ban metadata. Deprecated: use s.Users().BanUser.

func (*Service) BeginPasswordReset added in v0.5.0 

func (s *Service) BeginPasswordReset(ctx context.Context, token string, sessionTTL time.Duration) (string, error)

BeginPasswordReset validates and consumes a password reset token, then issues a short-lived one-time reset session for browser handoff. Deprecated: use s.Users().BeginPasswordReset.

func (*Service) Bootstrap added in v0.46.0 

func (s *Service) Bootstrap() BootstrapFacet

Bootstrap returns the manifest/provisioning facet.

func (*Service) Can added in v0.49.0 

func (s *Service) Can(ctx context.Context, subjectID, subjectKind, groupType, resourceRef, perm string) (bool, error)

Can is the Service-level authorization check: resolve the group addressed by (groupType, resourceRef), then test perm coverage via the additive walk-up. The caller constructs perm per the two-persona rule (LT:RT:action).

func (*Service) CancelEmailChange added in v0.15.5 

func (s *Service) CancelEmailChange(ctx context.Context, userID string) error

CancelEmailChange aborts a pending email-change for the user, clearing the unified pending-change record. The new email is applied only on confirmation, so there is nothing to roll back. Idempotent: a no-op when none is pending. Deprecated: use s.Users().CancelEmailChange.

func (*Service) CancelPhoneChange added in v0.15.5 

func (s *Service) CancelPhoneChange(ctx context.Context, userID, phone string) error

CancelPhoneChange aborts a pending phone-change for the user, clearing the unified pending-change record. Because the new phone is held only in the pending record and never optimistically applied to the profile, there is nothing to roll back. Idempotent: a no-op when no pending change exists. Deprecated: use s.Users().CancelPhoneChange.

func (*Service) ChangePassword 

func (s *Service) ChangePassword(ctx context.Context, userID, current, new string, keepSessionID *string) error

ChangePassword sets or changes a user's password. If the user already has a password, current must verify; otherwise current is ignored. Always Argon2id-hashes the new password and upserts it, then revokes all other sessions for the user; caller may keep one active session via keepSessionID. Deprecated: use s.Users().ChangePassword.

func (*Service) CheckPendingRegistrationConflict 

func (s *Service) CheckPendingRegistrationConflict(ctx context.Context, email, username string) (bool, bool, error)

CheckPendingRegistrationConflict checks if email or username exists in users or pending registration cache. Returns (emailTaken, usernameTaken, error) Deprecated: use s.Users().CheckPendingRegistrationConflict.

func (*Service) CheckPhoneRegistrationConflict 

func (s *Service) CheckPhoneRegistrationConflict(ctx context.Context, phone, username string) (bool, bool, error)

CheckPhoneRegistrationConflict checks if phone or username exists in users OR pending tables. Returns (phoneTaken, usernameTaken, error) Deprecated: use s.Users().CheckPhoneRegistrationConflict.

func (*Service) CheckSMSHealth added in v0.15.4 

func (s *Service) CheckSMSHealth(ctx context.Context) error

CheckSMSHealth probes whether the configured SMS sender can actually deliver, without sending a message, when the sender implements SMSHealthChecker. The result is cached and gates phone-based flows via SMSAvailable. It returns the probe error (nil = healthy) so callers can log it. When no sender is configured or the sender cannot self-check, it records healthy=true (delivery readiness is then governed solely by sender presence, as before).

func (*Service) CheckUserPassword added in v0.24.0 

func (s *Service) CheckUserPassword(ctx context.Context, userID, pass string) error

CheckUserPassword is the error-returning form of VerifyUserPassword: nil on success, ErrPasswordResetRequired when the stored hash is flagged HashAlgoLegacyResetRequired (no plaintext can verify; the user must reset), and a generic unauthorized error otherwise. Callers that need to route reset-required users (reauth, change-password) should use this form. Deprecated: use s.Users().CheckUserPassword.

func (*Service) CleanupExpiredAuthState added in v0.9.0 

func (s *Service) CleanupExpiredAuthState(ctx context.Context) error

CleanupExpiredAuthState removes expired transient AuthKit state that lives in postgres. Short-lived verification state — pending registrations, pending email/phone changes, email/phone verifications, and password resets — now lives entirely in the ephemeral store (Redis when multi-instance, in-memory otherwise) and expires automatically by TTL, so no database sweep is needed for it. The only persistent auth state requiring a sweep is revoked/expired refresh sessions. Deprecated: use s.Sessions().CleanupExpiredAuthState.

func (*Service) Clear2FAChallenge 

func (s *Service) Clear2FAChallenge(ctx context.Context, userID string) error

Clear2FAChallenge removes the stored challenge after successful 2FA verification. Deprecated: use s.TwoFactor().Clear2FAChallenge.

func (*Service) ConfirmEmailChange 

func (s *Service) ConfirmEmailChange(ctx context.Context, userID, code string) error

ConfirmEmailChange verifies the code and updates the user's email address. This is called when the user enters the verification code sent to their new email. Deprecated: use s.Users().ConfirmEmailChange.

func (*Service) ConfirmEmailVerification 

func (s *Service) ConfirmEmailVerification(ctx context.Context, token string) (userID string, err error)

ConfirmEmailVerification verifies a token and marks email_verified = true. Returns the userID of the verified user. Deprecated: use s.Users().ConfirmEmailVerification.

func (*Service) ConfirmPasswordReset 

func (s *Service) ConfirmPasswordReset(ctx context.Context, token, newPassword string) (string, error)

ConfirmPasswordReset verifies token and sets a new password. Deprecated: use s.Users().ConfirmPasswordReset.

func (*Service) ConfirmPasswordResetWithSession added in v0.5.0 

func (s *Service) ConfirmPasswordResetWithSession(ctx context.Context, resetSession, newPassword string) (string, error)

ConfirmPasswordResetWithSession consumes a reset session and sets the new password. Deprecated: use s.Users().ConfirmPasswordResetWithSession.

func (*Service) ConfirmPendingPhoneRegistration 

func (s *Service) ConfirmPendingPhoneRegistration(ctx context.Context, phone, code string) (userID string, err error)

ConfirmPendingPhoneRegistration verifies code and creates the actual user account. Implements "first to verify wins" - whoever verifies first gets the username/phone. Deprecated: use s.Users().ConfirmPendingPhoneRegistration.

func (*Service) ConfirmPendingPhoneRegistrationByToken added in v0.5.0 

func (s *Service) ConfirmPendingPhoneRegistrationByToken(ctx context.Context, token string) (string, error)

ConfirmPendingPhoneRegistrationByToken verifies a pending phone registration using either a manual code or a high-entropy link token. Deprecated: use s.Users().ConfirmPendingPhoneRegistrationByToken.

func (*Service) ConfirmPendingRegistration 

func (s *Service) ConfirmPendingRegistration(ctx context.Context, token string) (userID string, err error)

ConfirmPendingRegistration verifies token and creates the actual user account. This implements "first to verify wins" - whoever verifies first gets the username/email. Deprecated: use s.Users().ConfirmPendingRegistration.

func (*Service) ConfirmPhoneChange 

func (s *Service) ConfirmPhoneChange(ctx context.Context, userID, phone, code string) error

ConfirmPhoneChange verifies the code and updates the user's phone number. This is called when the user enters the verification code sent to their new phone. Deprecated: use s.Users().ConfirmPhoneChange.

func (*Service) ConfirmPhoneVerification 

func (s *Service) ConfirmPhoneVerification(ctx context.Context, phone, code string) error

ConfirmPhoneVerification verifies a token and marks phone_verified = true. Deprecated: use s.Users().ConfirmPhoneVerification.

func (*Service) ConfirmPhoneVerificationByToken added in v0.5.0 

func (s *Service) ConfirmPhoneVerificationByToken(ctx context.Context, token string) error

ConfirmPhoneVerificationByToken verifies phone ownership using a one-click token. Deprecated: use s.Users().ConfirmPhoneVerificationByToken.

func (*Service) ConfirmPhoneVerificationByTokenUserID added in v0.8.1 

func (s *Service) ConfirmPhoneVerificationByTokenUserID(ctx context.Context, token string) (string, error)

ConfirmPhoneVerificationByTokenUserID verifies phone ownership using a one-click token and returns the user ID. Deprecated: use s.Users().ConfirmPhoneVerificationByTokenUserID.

func (*Service) ConfirmPhoneVerificationUserID added in v0.8.1 

func (s *Service) ConfirmPhoneVerificationUserID(ctx context.Context, phone, code string) (string, error)

ConfirmPhoneVerificationUserID verifies a token, marks phone_verified = true, and returns the user ID. Deprecated: use s.Users().ConfirmPhoneVerificationUserID. 

func (s *Service) CountProviderLinks(ctx context.Context, userID string) int

Public wrappers Deprecated: use s.Identity().CountProviderLinks.

func (*Service) Create2FAChallenge 

func (s *Service) Create2FAChallenge(ctx context.Context, userID string) (string, error)

Create2FAChallenge creates a short-lived challenge to prove password verification before 2FA. Deprecated: use s.TwoFactor().Create2FAChallenge.

func (*Service) CreateGroupInvite added in v0.50.0 

func (s *Service) CreateGroupInvite(ctx context.Context, groupType, resourceRef, userID, role, invitedBy string) (string, error)

CreateGroupInvite records a pending invite for userID to hold role in the group addressed by (groupType, resourceRef), attributed to invitedBy. The role is validated against the type catalog (catalog role, or any role for custom-enabled types) exactly as AssignGroupRole does. Returns the new invite's id. A pending invite for the same (group, user) is unique at the DB; a duplicate is rejected.

func (*Service) CreatePendingPhoneRegistration 

func (s *Service) CreatePendingPhoneRegistration(ctx context.Context, phone, username, passwordHash string) (string, error)

CreatePendingPhoneRegistration creates a pending phone registration and sends SMS verification code. Returns 6-digit code for verification. Code expires in 10 minutes (shorter than email). Deprecated: use s.Users().CreatePendingPhoneRegistration.

func (*Service) CreatePendingPhoneRegistrationWithLocale deprecated added in v0.14.0 

func (s *Service) CreatePendingPhoneRegistrationWithLocale(ctx context.Context, phone, username, passwordHash, preferredLocale string) (string, error)

Deprecated: use s.Users().CreatePendingPhoneRegistrationWithLocale.

func (*Service) CreatePendingRegistration 

func (s *Service) CreatePendingRegistration(ctx context.Context, email, username, passwordHash string, ttl time.Duration) (string, error)

CreatePendingRegistration creates a pending registration and sends verification email. Returns token for verification. Allows duplicate pending registrations (last one wins). Deprecated: use s.Users().CreatePendingRegistration.

func (*Service) CreatePendingRegistrationWithLocale deprecated added in v0.14.0 

func (s *Service) CreatePendingRegistrationWithLocale(ctx context.Context, email, username, passwordHash string, ttl time.Duration, preferredLocale string) (string, error)

Deprecated: use s.Users().CreatePendingRegistrationWithLocale.

func (*Service) CreatePermissionGroup added in v0.49.0 

func (s *Service) CreatePermissionGroup(ctx context.Context, req CreatePermissionGroupRequest) (string, error)

CreatePermissionGroup validates containment against the schema, resolves the parent group, creates the group, and (atomically) seeds the owner assignment. Returns the INTERNAL group id (for the caller's own bookkeeping; never exposed over the wire).

func (*Service) CreateUser deprecated 

func (s *Service) CreateUser(ctx context.Context, email, username string) (*User, error)

Deprecated: use s.Users().CreateUser.

func (*Service) DeclineGroupInvite added in v0.50.0 

func (s *Service) DeclineGroupInvite(ctx context.Context, inviteID, userID string) error

DeclineGroupInvite flips a pending invite (addressed by id) to declined. userID must be the invited user. No role is assigned. ErrInviteNotFound if no live pending invite for (id, userID) exists; ErrInviteNotPending if already acted.

func (*Service) DefineGroupCustomRole added in v0.50.0 

func (s *Service) DefineGroupCustomRole(ctx context.Context, groupType, resourceRef, role string, permissions []string) error

DefineGroupCustomRole creates/updates a custom role in the group addressed by (groupType, resourceRef). Requires the type to allow custom roles; every permission must be a valid grant pattern in the type's OWN persona namespace (namespace purity) and must not collide with a catalog role name.

func (*Service) DeleteGroupCustomRole added in v0.50.0 

func (s *Service) DeleteGroupCustomRole(ctx context.Context, groupType, resourceRef, role string) error

DeleteGroupCustomRole removes a custom role from a group.

func (*Service) DeletePendingPhoneRegistrationByPhone added in v0.15.4 

func (s *Service) DeletePendingPhoneRegistrationByPhone(ctx context.Context, phone string) error

DeletePendingPhoneRegistrationByPhone removes a pending phone registration (and all its verification tokens) for the given phone, if one exists. No-op when none exists. Deprecated: use s.Users().DeletePendingPhoneRegistrationByPhone.

func (*Service) DeletePendingRegistrationByEmail added in v0.15.4 

func (s *Service) DeletePendingRegistrationByEmail(ctx context.Context, email string) error

DeletePendingRegistrationByEmail removes a pending email registration (and all its verification tokens) for the given email, if one exists. Used to abandon a pending registration the user explicitly cancelled. No-op when none exists. Deprecated: use s.Users().DeletePendingRegistrationByEmail.

func (*Service) DeleteRemoteAppAttributeDef added in v0.27.0 

func (s *Service) DeleteRemoteAppAttributeDef(ctx context.Context, appID, key string) error

DeleteRemoteAppAttributeDef removes ALL versions of a key for the remote_application. Returns ErrAttributeDefNotFound when nothing matched. Deprecated: use s.Identity().DeleteRemoteAppAttributeDef.

func (*Service) DeleteRemoteApplication added in v0.27.0 

func (s *Service) DeleteRemoteApplication(ctx context.Context, issuer string) error

DeleteRemoteApplication removes a remote_application by OIDC issuer URL. Deprecated: use s.Identity().DeleteRemoteApplication.

func (*Service) DeriveUsername deprecated 

func (s *Service) DeriveUsername(email string) string

Deprecated: use s.Users().DeriveUsername.

func (*Service) DeriveUsernameForOAuth 

func (s *Service) DeriveUsernameForOAuth(ctx context.Context, provider, preferred, email, displayName string) string

DeriveUsernameForOAuth prefers provider-preferred usernames; falls back to email local part or display name. Deprecated: use s.Users().DeriveUsernameForOAuth.

func (*Service) Disable2FA 

func (s *Service) Disable2FA(ctx context.Context, userID string) error

Disable2FA disables two-factor authentication for a user Deprecated: use s.TwoFactor().Disable2FA.

func (*Service) Enable2FA 

func (s *Service) Enable2FA(ctx context.Context, userID, method string, phoneNumber *string) ([]string, error)

Enable2FA enables two-factor authentication for a user and generates backup codes. Returns the plaintext backup codes (caller must show these to user ONCE). Deprecated: use s.TwoFactor().Enable2FA.

func (*Service) EnsureRootGroup added in v0.49.0 

func (s *Service) EnsureRootGroup(ctx context.Context) (string, error)

EnsureRootGroup creates the singleton root group if absent (idempotent) and returns its internal id.

func (*Service) EntitlementsProvider 

func (s *Service) EntitlementsProvider() EntitlementsProvider

func (*Service) EphemeralMode 

func (s *Service) EphemeralMode() EphemeralMode

func (*Service) ExchangeRefreshToken 

func (s *Service) ExchangeRefreshToken(ctx context.Context, refreshToken string, ua string, ip net.IP) (idToken string, expiresAt time.Time, newRefresh string, err error)

ExchangeRefreshToken rotates a refresh token and returns a new ID token + refresh token. Deprecated: use s.Sessions().ExchangeRefreshToken.

func (*Service) GenerateAvailableUsername 

func (s *Service) GenerateAvailableUsername(ctx context.Context, base string) string

GenerateAvailableUsername tries base, then minimal numeric suffixes, then a short fallback. Deprecated: use s.Users().GenerateAvailableUsername.

func (*Service) GenerateSIWSChallenge 

func (s *Service) GenerateSIWSChallenge(ctx context.Context, cache siws.ChallengeCache, domain, address, username string) (siws.SignInInput, error)

GenerateSIWSChallenge creates a new SIWS challenge for the given address. The challenge is stored in the cache and must be verified within 15 minutes. Deprecated: use s.Identity().GenerateSIWSChallenge.

func (*Service) Get2FASettings 

func (s *Service) Get2FASettings(ctx context.Context, userID string) (*TwoFactorSettings, error)

Get2FASettings retrieves a user's 2FA settings Deprecated: use s.TwoFactor().Get2FASettings.

func (*Service) GetDiscordUsername 

func (s *Service) GetDiscordUsername(ctx context.Context, userID string) (string, error)

Convenience: Discord username Deprecated: use s.Identity().GetDiscordUsername.

func (*Service) GetEmailByUserID deprecated 

func (s *Service) GetEmailByUserID(ctx context.Context, id string) (string, error)

Deprecated: use s.Users().GetEmailByUserID.

func (*Service) GetPendingEmailChange 

func (s *Service) GetPendingEmailChange(ctx context.Context, userID string) (string, error)

GetPendingEmailChange retrieves the pending email change for a user, if any. A unified change_email record exists only for an actual change (verifying the current address uses a separate store), so its presence already means "change". Deprecated: use s.Users().GetPendingEmailChange.

func (*Service) GetPendingPhoneRegistrationByPhone 

func (s *Service) GetPendingPhoneRegistrationByPhone(ctx context.Context, phone string) (*PendingRegistration, error)

GetPendingPhoneRegistrationByPhone looks up a pending phone registration by phone number. (PendingRegistration.Email carries the phone for phone registrations, preserving prior behavior.) Deprecated: use s.Users().GetPendingPhoneRegistrationByPhone.

func (*Service) GetPendingRegistrationByEmail 

func (s *Service) GetPendingRegistrationByEmail(ctx context.Context, email string) (*PendingRegistration, error)

GetPendingRegistrationByEmail looks up a pending registration by email. Deprecated: use s.Users().GetPendingRegistrationByEmail.

func (*Service) GetPreferredLocale deprecated added in v0.14.0 

func (s *Service) GetPreferredLocale(ctx context.Context, userID string) (PreferredLocale, error)

Deprecated: use s.Users().GetPreferredLocale. 

func (s *Service) GetProviderLink(ctx context.Context, providerSlug, subject string) (string, *string, error)

Additional public helpers used by OIDC flow Deprecated: use s.Identity().GetProviderLink.

func (*Service) GetProviderLinkByIssuer 

func (s *Service) GetProviderLinkByIssuer(ctx context.Context, issuer, subject string) (string, *string, error)

Issuer-based provider link helpers (preferred) Deprecated: use s.Identity().GetProviderLinkByIssuer.

func (*Service) GetProviderUsername deprecated 

func (s *Service) GetProviderUsername(ctx context.Context, userID, provider string) (string, error)

Deprecated: use s.Identity().GetProviderUsername.

func (*Service) GetRemoteApplication added in v0.27.0 

func (s *Service) GetRemoteApplication(ctx context.Context, issuer string) (*RemoteApplication, error)

GetRemoteApplication returns a remote_application by OIDC issuer URL. Deprecated: use s.Identity().GetRemoteApplication.

func (*Service) GetRemoteApplicationBySlug added in v0.27.0 

func (s *Service) GetRemoteApplicationBySlug(ctx context.Context, slug string) (*RemoteApplication, error)

GetRemoteApplicationBySlug returns a remote_application by slug. Deprecated: use s.Identity().GetRemoteApplicationBySlug.

func (*Service) GetSolanaAddress 

func (s *Service) GetSolanaAddress(ctx context.Context, userID string) (string, error)

GetSolanaAddress retrieves the Solana wallet address linked to a user, if any. Deprecated: use s.Identity().GetSolanaAddress.

func (*Service) GetSolanaLinkedAccount added in v0.15.0 

func (s *Service) GetSolanaLinkedAccount(ctx context.Context, userID string) (*SolanaLinkedAccount, error)

GetSolanaLinkedAccount retrieves the SIWS-linked wallet and its AuthKit-owned metadata. Deprecated: use s.Identity().GetSolanaLinkedAccount.

func (*Service) GetUserByEmail deprecated 

func (s *Service) GetUserByEmail(ctx context.Context, email string) (*User, error)

Deprecated: use s.Identity().GetUserByEmail.

func (*Service) GetUserByPhone 

func (s *Service) GetUserByPhone(ctx context.Context, phone string) (*User, error)

GetUserByPhone looks up a user by phone number. Deprecated: use s.Users().GetUserByPhone.

func (*Service) GetUserBySolanaAddress 

func (s *Service) GetUserBySolanaAddress(ctx context.Context, address string) (*User, error)

GetUserBySolanaAddress looks up a user by their Solana wallet address. Deprecated: use s.Identity().GetUserBySolanaAddress.

func (*Service) GetUserByUsername deprecated 

func (s *Service) GetUserByUsername(ctx context.Context, username string) (*User, error)

Deprecated: use s.Identity().GetUserByUsername.

func (*Service) GetUserMetadata added in v0.4.8 

func (s *Service) GetUserMetadata(ctx context.Context, userID string) (map[string]any, error)

GetUserMetadata returns a user's arbitrary metadata (internal/admin flags). Deprecated: use s.Users().GetUserMetadata.

func (*Service) HardDeleteUser 

func (s *Service) HardDeleteUser(ctx context.Context, userID string) error

HardDeleteUser permanently deletes the user row and dependent AuthKit rows via ON DELETE CASCADE. Deprecated: use s.Users().HardDeleteUser.

func (*Service) HasEmailSender 

func (s *Service) HasEmailSender() bool

HasEmailSender returns true if an email sender is configured.

func (*Service) HasPassword deprecated 

func (s *Service) HasPassword(ctx context.Context, userID string) bool

Deprecated: use s.Identity().HasPassword.

func (*Service) HasSMSSender 

func (s *Service) HasSMSSender() bool

HasSMSSender returns true if an SMS sender is configured.

func (*Service) HostDeleteUser 

func (s *Service) HostDeleteUser(ctx context.Context, id string, soft bool) error

HostDeleteUser performs deletion on behalf of the host application. If soft is true, it performs a soft delete (see SoftDeleteUser). If false, it hard-deletes the user and all dependent rows via ON DELETE CASCADE. Deprecated: use s.Users().HostDeleteUser.

func (*Service) Identity added in v0.46.0 

func (s *Service) Identity() IdentityFacet

Identity returns the identity-linking facet.

func (*Service) ImportUser deprecated added in v0.9.0 

func (s *Service) ImportUser(ctx context.Context, input ImportUserInput) (*User, error)

Deprecated: use s.Users().ImportUser.

func (*Service) IsUserAllowed deprecated 

func (s *Service) IsUserAllowed(ctx context.Context, userID string) (bool, error)

Deprecated: use s.Users().IsUserAllowed.

func (*Service) IsUserReserved added in v0.5.3 

func (s *Service) IsUserReserved(ctx context.Context, userID string) (bool, error)

IsUserReserved reports whether a user is a reserved, non-loginable placeholder (the `reserved` metadata flag). The login gate (ensureUserAccess) consults it so reserved placeholders cannot authenticate. The org-namespace reservation FLOW that set this flag was removed in the permission-group hard cut (#111); the read gate stays as defense-in-depth for any externally-set flag.

func (*Service) IssueAccessToken 

func (s *Service) IssueAccessToken(ctx context.Context, userID, email string, extra map[string]any) (token string, expiresAt time.Time, err error)

IssueAccessToken builds and signs an access token (JWT) for the given user. Includes core registered claims plus: - entitlements (authoritative short-lived snapshot) Extra claims in `extra` are merged into the token body (e.g., sid). Deprecated: use s.Tokens().IssueAccessToken.

func (*Service) IssueRefreshSession 

func (s *Service) IssueRefreshSession(ctx context.Context, userID, userAgent string, ip net.IP) (sessionID, refreshToken string, expiresAt *time.Time, err error)

IssueRefreshSession creates a session row and returns a new refresh token string. Deprecated: use s.Sessions().IssueRefreshSession.

func (*Service) JWKS 

func (s *Service) JWKS() jwtkit.JWKS

JWKS returns a JWKS built from configured public keys.

func (*Service) Keyfunc 

func (s *Service) Keyfunc() func(token *jwt.Token) (any, error)

Keyfunc looks up a public key by KID, falling back to the active key if missing.

func (*Service) LinkProvider deprecated 

func (s *Service) LinkProvider(ctx context.Context, userID, provider, subject string, email *string) error

Deprecated: use s.Identity().LinkProvider.

func (*Service) LinkProviderByIssuer deprecated 

func (s *Service) LinkProviderByIssuer(ctx context.Context, userID, issuer, providerSlug, subject string, email *string) error

Deprecated: use s.Identity().LinkProviderByIssuer.

func (*Service) LinkSolanaWallet 

func (s *Service) LinkSolanaWallet(ctx context.Context, cache siws.ChallengeCache, userID string, output siws.SignInOutput) error

LinkSolanaWallet links a Solana wallet to an existing user account. Deprecated: use s.Identity().LinkSolanaWallet.

func (*Service) ListAPIKeys added in v0.41.0 

func (s *Service) ListAPIKeys(ctx context.Context, groupType, resourceRef string) ([]APIKey, error)

ListAPIKeys returns metadata for every API key of the permission-group addressed by (groupType, resourceRef), including revoked/expired ones. The secret is never returned. Deprecated: use s.APIKeys().ListAPIKeys.

func (*Service) ListEntitlements 

func (s *Service) ListEntitlements(ctx context.Context, userID string) []string

ListEntitlements returns current entitlement names for a user (fresh from the provider). A provider failure is logged and returned as none — callers (admin user views) degrade rather than fail. Deprecated: use s.Users().ListEntitlements.

func (*Service) ListGroupInvites added in v0.50.0 

func (s *Service) ListGroupInvites(ctx context.Context, groupType, resourceRef string) ([]GroupInvite, error)

ListGroupInvites returns every (non-deleted) invite of the group addressed by (groupType, resourceRef), including acted ones, newest first.

func (*Service) ListGroupMembers added in v0.49.0 

func (s *Service) ListGroupMembers(ctx context.Context, groupType, resourceRef string) ([]GroupMember, error)

ListGroupMembers returns the role-assignments in the group addressed by (groupType, resourceRef).

func (*Service) ListRemoteAppAttributeDefs added in v0.27.0 

func (s *Service) ListRemoteAppAttributeDefs(ctx context.Context, appID string) ([]RemoteAppAttributeDef, error)

ListRemoteAppAttributeDefs returns all definitions a remote_application has registered (every key + version), newest version first within each key. Deprecated: use s.Identity().ListRemoteAppAttributeDefs.

func (*Service) ListRemoteApplications added in v0.27.0 

func (s *Service) ListRemoteApplications(ctx context.Context, activeOnly bool) ([]RemoteApplication, error)

ListRemoteApplications returns registered remote_applications. When activeOnly is true, only enabled rows are returned. Deprecated: use s.Identity().ListRemoteApplications.

func (*Service) ListRemoteApplicationsForGroup added in v0.50.0 

func (s *Service) ListRemoteApplicationsForGroup(ctx context.Context, groupType, resourceRef string) ([]RemoteApplication, error)

ListRemoteApplicationsForGroup returns the remote_applications whose controlling permission_group_id is the group addressed by (groupType, resourceRef) (#111). It resolves the group via the store, then filters remote_applications by permission_group_id so a per-persona management caller sees only the issuers it controls (ListRemoteApplications lists ALL groups').

func (*Service) ListRoleSlugsByUser 

func (s *Service) ListRoleSlugsByUser(ctx context.Context, userID string) []string

Public helpers for HTTP adapters Deprecated: use s.Roles().ListRoleSlugsByUser.

func (*Service) ListSubjectGroups added in v0.49.0 

func (s *Service) ListSubjectGroups(ctx context.Context, subjectID, subjectKind string) ([]SubjectGroupMembership, error)

ListSubjectGroups returns every group membership a subject holds (the cross-persona discovery behind /me/groups).

func (*Service) ListUserSessions 

func (s *Service) ListUserSessions(ctx context.Context, userID string) ([]Session, error)

ListUserSessions lists active sessions for a user and issuer. Deprecated: use s.Sessions().ListUserSessions.

func (*Service) ListUsersDeletedBefore 

func (s *Service) ListUsersDeletedBefore(ctx context.Context, cutoff time.Time, limit int) ([]string, error)

ListUsersDeletedBefore returns user IDs for users soft-deleted before the cutoff. It is intended for retention/purge workflows in the host application. Deprecated: use s.Users().ListUsersDeletedBefore.

func (*Service) LogPasswordChanged added in v0.4.2 

func (s *Service) LogPasswordChanged(ctx context.Context, userID string, sessionID string, ip *string, ua *string)

LogPasswordChanged records a password change event for a user (best-effort). Deprecated: use s.Sessions().LogPasswordChanged.

func (*Service) LogPasswordRecovery deprecated added in v0.4.2 

func (s *Service) LogPasswordRecovery(ctx context.Context, userID string, method, sessionID string, ip *string, ua *string)

Deprecated: use s.Sessions().LogPasswordRecovery.

func (*Service) LogSessionCreated 

func (s *Service) LogSessionCreated(ctx context.Context, userID string, method string, sessionID string, ip *string, ua *string)

LogSessionCreated records a session creation event via the configured AuthEventLogger (best-effort). Deprecated: use s.Sessions().LogSessionCreated.

func (*Service) LogSessionFailed deprecated added in v0.4.2 

func (s *Service) LogSessionFailed(ctx context.Context, userID string, sessionID string, reason *string, ip *string, ua *string)

Deprecated: use s.Sessions().LogSessionFailed.

func (*Service) MarkSessionAuthenticated deprecated added in v0.8.3 

func (s *Service) MarkSessionAuthenticated(ctx context.Context, userID, sessionID string) error

Deprecated: use s.Sessions().MarkSessionAuthenticated.

func (*Service) MintAPIKey added in v0.41.0 

func (s *Service) MintAPIKey(ctx context.Context, groupType, resourceRef, name, role, createdBy string, expiresAt *time.Time) (APIKey, string, error)

MintAPIKey inserts a new API key for the permission-group addressed by (groupType, resourceRef), bound to role, and returns its metadata plus the full plaintext token (shown ONCE). The role must be valid for the group's type; no-escalation is enforced by the HTTP handler / host hook. expiresAt is optional (nil = no expiry) and is capped to APIKeyMaxTTL when set. Deprecated: use s.APIKeys().MintAPIKey.

func (*Service) MintAPIKeyWithOptions added in v0.41.0 

func (s *Service) MintAPIKeyWithOptions(ctx context.Context, groupType, resourceRef string, opts APIKeyMintOptions) (APIKey, string, error)

MintAPIKeyWithOptions inserts a new API key using the resource-aware mint contract. The key references exactly ONE role (opts.Role) valid for the owning group's TYPE; its effective permissions are resolved from the role at use time. No-escalation is the caller's responsibility. Resources are a separate binding. Deprecated: use s.APIKeys().MintAPIKeyWithOptions.

func (*Service) MintCustomJWT added in v0.26.0 

func (s *Service) MintCustomJWT(ctx context.Context, opts CustomJWTMintOptions) (string, error)

MintCustomJWT signs a JWT carrying an arbitrary first-party claim set using the Service's internal signer — the SAME signing path as MintServiceJWT / MintDelegatedAccessToken. The host passes a claim map (+ a few controlled headers) and NEVER touches the private key, the PEM, or a raw signer; the #70 hard boundary holds.

AuthKit sets the `kid`/`alg` JOSE headers (via the signer) and the registered `iss`/`iat`/`exp` claims; everything else comes from the host. See CustomJWTMintOptions for the claim-precedence rules. The host Claims map may not set `iss`/`iat`/`exp` (ErrCustomClaimsReserved). Deprecated: use s.Tokens().MintCustomJWT.

func (*Service) MintDelegatedAccessToken added in v0.26.0 

func (s *Service) MintDelegatedAccessToken(ctx context.Context, p DelegatedAccessParams) (string, error)

MintDelegatedAccessToken signs a canonical delegated access token using the Service's internal signer. The host passes claims/params only and NEVER touches the private key. When p.Issuer is empty it defaults to the Service's configured Issuer. See the package-level MintDelegatedAccessToken for the claim contract. Deprecated: use s.Tokens().MintDelegatedAccessToken.

func (*Service) MintRemoteApplicationAccessToken added in v0.28.0 

func (s *Service) MintRemoteApplicationAccessToken(ctx context.Context, p RemoteApplicationAccessParams) (string, error)

MintRemoteApplicationAccessToken signs a remote application access token using the Service's internal signer. When p.Issuer is empty it defaults to the Service's configured Issuer. Deprecated: use s.Tokens().MintRemoteApplicationAccessToken.

func (*Service) MintServiceJWT added in v0.13.1 

func (s *Service) MintServiceJWT(ctx context.Context, opts ServiceJWTMintOptions) (string, ServiceJWTClaims, error)

MintServiceJWT creates a short-lived signed service JWT from AuthKit's active signing key. It defaults to a 15-minute lifetime and stamps `token_use=service`; it does not grant host permissions by itself. Deprecated: use s.Tokens().MintServiceJWT.

func (*Service) Options 

func (s *Service) Options() Options

Options exposes immutable configuration for callers that need to validate claims.

func (*Service) PasswordLogin 

func (s *Service) PasswordLogin(ctx context.Context, email, pass string, extra map[string]any) (string, time.Time, error)

PasswordLogin verifies credentials and issues an ID token. Deprecated: use s.Users().PasswordLogin.

func (*Service) PasswordLoginByUserID 

func (s *Service) PasswordLoginByUserID(ctx context.Context, userID, pass string, extra map[string]any) (string, time.Time, error)

PasswordLoginByUserID verifies credentials for a specific user ID and issues an ID token. This supports login flows where the identifier is a phone number or username and email may be NULL. Deprecated: use s.Users().PasswordLoginByUserID.

func (*Service) PatchUserMetadata added in v0.4.8 

func (s *Service) PatchUserMetadata(ctx context.Context, userID string, patch map[string]any) error

PatchUserMetadata merges patch into a user's metadata. Deprecated: use s.Users().PatchUserMetadata.

func (*Service) PermissionGroupSchema added in v0.49.0 

func (s *Service) PermissionGroupSchema() *GroupSchema

PermissionGroupSchema returns the validated schema this Service was built with (the intrinsic root-only schema if constructed without Config groups).

func (*Service) Postgres 

func (s *Service) Postgres() *pgxpool.Pool

Postgres returns the attached pgx pool (may be nil).

func (*Service) PublicKeysByKID added in v0.6.0 

func (s *Service) PublicKeysByKID() map[string]crypto.PublicKey

PublicKeysByKID returns the public keys indexed by key ID.

func (*Service) ReconcileBootstrapManifest deprecated added in v0.37.0 

func (s *Service) ReconcileBootstrapManifest(ctx context.Context, manifest BootstrapManifest, opts BootstrapReconcileOptions) (BootstrapManifestResult, error)

Deprecated: use s.Bootstrap().ReconcileBootstrapManifest.

func (*Service) RegenerateBackupCodes 

func (s *Service) RegenerateBackupCodes(ctx context.Context, userID string) ([]string, error)

RegenerateBackupCodes generates new backup codes for a user (invalidating old ones). Returns the plaintext codes (caller must show these to user ONCE). Deprecated: use s.TwoFactor().RegenerateBackupCodes.

func (*Service) RegisterRemoteAppAttributeDef added in v0.27.0 

func (s *Service) RegisterRemoteAppAttributeDef(ctx context.Context, appID, key string, version int32, definition json.RawMessage) (*RemoteAppAttributeDef, error)

RegisterRemoteAppAttributeDef stores (or updates) a definition for the remote_application. version defaults to 1 when zero. The caller authority is the remote_application itself (it owns its users' restrictions); the http layer enforces that. Deprecated: use s.Identity().RegisterRemoteAppAttributeDef.

func (*Service) RemoteApplicationRoles added in v0.49.0 

func (s *Service) RemoteApplicationRoles(ctx context.Context, appID string) ([]string, error)

RemoteApplicationRoles returns the roles a remote_application holds in its controlling permission-group, or ErrNotGroupMember when it holds none. Deprecated: use s.Identity().RemoteApplicationRoles.

func (*Service) RemoveRemoteApplicationMember added in v0.27.0 

func (s *Service) RemoveRemoteApplicationMember(ctx context.Context, appID, role string) error

RemoveRemoteApplicationMember soft-deletes a remote_application's role in its controlling permission-group. Deprecated: use s.Identity().RemoveRemoteApplicationMember.

func (*Service) RemoveRoleBySlug deprecated 

func (s *Service) RemoveRoleBySlug(ctx context.Context, userID, slug string) error

Deprecated: use s.Roles().RemoveRoleBySlug.

func (*Service) RequestEmailChange 

func (s *Service) RequestEmailChange(ctx context.Context, userID, newEmail string) error

RequestEmailChange initiates an email change by sending a verification code to the new email. The current email is NOT changed until the user confirms via ConfirmEmailChange. Also sends a notification to the old email for security. Deprecated: use s.Users().RequestEmailChange.

func (*Service) RequestEmailVerification 

func (s *Service) RequestEmailVerification(ctx context.Context, email string, ttl time.Duration) error

RequestEmailVerification creates a verification code and dispatches an email. Deprecated: use s.Users().RequestEmailVerification.

func (*Service) RequestPasswordReset 

func (s *Service) RequestPasswordReset(ctx context.Context, email string, ttl time.Duration, ip *string, ua *string) error

RequestPasswordReset creates a password reset token and dispatches a reset link via email. Returns nil for unknown emails to prevent user enumeration (202-like behavior). Deprecated: use s.Users().RequestPasswordReset.

func (*Service) RequestPhoneChange 

func (s *Service) RequestPhoneChange(ctx context.Context, userID, newPhone string) error

RequestPhoneChange initiates a phone number change by sending a verification code to the new phone. The current phone is NOT changed until the user confirms via ConfirmPhoneChange. Deprecated: use s.Users().RequestPhoneChange.

func (*Service) RequestPhonePasswordReset 

func (s *Service) RequestPhonePasswordReset(ctx context.Context, phone string, ttl time.Duration, ip *string, ua *string) error

RequestPhonePasswordReset creates a password reset token and sends a reset link via SMS. Always returns nil for unknown phone numbers to prevent user enumeration (202-like behavior). Deprecated: use s.Users().RequestPhonePasswordReset.

func (*Service) RequestPhoneVerification 

func (s *Service) RequestPhoneVerification(ctx context.Context, phone string, ttl time.Duration) error

RequestPhoneVerification looks up the user by phone number and sends a verification code. This mirrors the RequestEmailVerification pattern - caller only needs to provide the phone number. Deprecated: use s.Users().RequestPhoneVerification.

func (*Service) Require2FAForLogin 

func (s *Service) Require2FAForLogin(ctx context.Context, userID string) (string, error)

Require2FAForLogin sends a 2FA code to the user's configured method. Returns the destination (email/phone) where the code was sent. This should be called after successful password verification. Deprecated: use s.TwoFactor().Require2FAForLogin.

func (*Service) RequireFreshSession deprecated added in v0.8.3 

func (s *Service) RequireFreshSession(ctx context.Context, userID, sessionID string, now time.Time) (SessionFreshness, error)

Deprecated: use s.Sessions().RequireFreshSession.

func (*Service) ResendEmailChangeCode 

func (s *Service) ResendEmailChangeCode(ctx context.Context, userID string) error

ResendEmailChangeCode resends the verification code for a pending email change. Deprecated: use s.Users().ResendEmailChangeCode.

func (*Service) ResendPhoneChangeCode 

func (s *Service) ResendPhoneChangeCode(ctx context.Context, userID, phone string) error

ResendPhoneChangeCode resends the verification code for a pending phone change. Deprecated: use s.Users().ResendPhoneChangeCode.

func (*Service) ResolveAPIKey added in v0.41.0 

func (s *Service) ResolveAPIKey(ctx context.Context, keyID, secret string) (groupRef string, permissions []string, err error)

ResolveAPIKey validates a presented API key (key_id + secret) and returns the owning group's id (in OrgSlug for backward-compat callers) and the key's effective permissions resolved from its role at verify time (a role edit is reflected immediately — perms are never frozen into the key). Deprecated: use s.APIKeys().ResolveAPIKey.

func (*Service) ResolveAPIKeyWithResources added in v0.41.0 

func (s *Service) ResolveAPIKeyWithResources(ctx context.Context, keyID, secret string) (ResolvedAPIKey, error)

ResolveAPIKeyWithResources validates a presented API key and returns the full resource-aware result. The key's permission-group id is carried in both OrgID and OrgSlug of ResolvedAPIKey (the authbase struct field names are retained; they now hold the controlling permission_group_id). Deprecated: use s.APIKeys().ResolveAPIKeyWithResources.

func (*Service) ResolveAndStoreSolanaSNS added in v0.15.0 

func (s *Service) ResolveAndStoreSolanaSNS(ctx context.Context, userID, address string) (SolanaLinkedAccount, error)

ResolveAndStoreSolanaSNS refreshes cached SNS metadata for an existing SIWS link. Resolver failures are recorded as stable metadata and do not invalidate the wallet link. Deprecated: use s.Identity().ResolveAndStoreSolanaSNS.

func (*Service) ResolveGroupIDForRef added in v0.50.0 

func (s *Service) ResolveGroupIDForRef(ctx context.Context, groupType, resourceRef string) (string, error)

ResolveGroupIDForRef maps the API addressing key (groupType, resourceRef) to the group's INTERNAL id. The id never goes on the wire — this is for callers that must thread the controlling permission_group_id into a sibling resource (e.g. a remote_application's permission_group_id, #111). ErrGroupNotFound if no live group matches.

func (*Service) ResolveRemoteAppAttributeDef added in v0.27.0 

func (s *Service) ResolveRemoteAppAttributeDef(ctx context.Context, appID, key string, version int32) (*RemoteAppAttributeDef, error)

ResolveRemoteAppAttributeDef returns the definition for (appID, key, version). version <= 0 resolves the LATEST version. The returned Definition is opaque. Deprecated: use s.Identity().ResolveRemoteAppAttributeDef.

func (*Service) ResolveRemoteApplicationAuthority added in v0.28.0 

func (s *Service) ResolveRemoteApplicationAuthority(ctx context.Context, appID string) ([]string, error)

ResolveRemoteApplicationAuthority resolves a remote_application's effective permissions: the additive walk-up of every role it holds across its controlling permission-group's parent chain (#111). Returns an empty slice (no error) when the app holds no roles. Deprecated: use s.Identity().ResolveRemoteApplicationAuthority.

func (*Service) ResolveRemoteApplicationGroup added in v0.49.0 

func (s *Service) ResolveRemoteApplicationGroup(ctx context.Context, issuer string) (string, error)

ResolveRemoteApplicationGroup returns the controlling permission_group_id of the remote_application registered for issuer (#111). ErrRemoteApplicationNotFound if unknown. (RemoteApplication.OrgID carries the permission_group_id; the authbase field name is retained.) Deprecated: use s.Identity().ResolveRemoteApplicationGroup.

func (*Service) ResolveSessionByRefresh 

func (s *Service) ResolveSessionByRefresh(ctx context.Context, refreshToken string) (string, error)

ResolveSessionByRefresh finds the session id for a presented refresh token, if valid and active. Deprecated: use s.Sessions().ResolveSessionByRefresh.

func (*Service) RestoreUser 

func (s *Service) RestoreUser(ctx context.Context, id string) error

RestoreUser clears deleted_at and re-enables the account. Deprecated: use s.Users().RestoreUser.

func (*Service) RevokeAPIKey added in v0.41.0 

func (s *Service) RevokeAPIKey(ctx context.Context, groupType, resourceRef, tokenID string) (bool, error)

RevokeAPIKey marks the API key revoked. It is scoped to the group so a token cannot be revoked from a different group. Returns false if no matching, not-already-revoked token exists. Deprecated: use s.APIKeys().RevokeAPIKey.

func (*Service) RevokeAllSessions deprecated 

func (s *Service) RevokeAllSessions(ctx context.Context, userID string, keepSessionID *string) error

Deprecated: use s.Sessions().RevokeAllSessions.

func (*Service) RevokeGroupInvite added in v0.50.0 

func (s *Service) RevokeGroupInvite(ctx context.Context, groupType, resourceRef, inviteID string) error

RevokeGroupInvite flips a pending invite to revoked. It is scoped to the group addressed by (groupType, resourceRef) so a manager cannot revoke an invite from another group. ErrInviteNotFound if absent; ErrInviteNotPending if already acted.

func (*Service) RevokeSessionByID deprecated 

func (s *Service) RevokeSessionByID(ctx context.Context, sessionID string) error

Deprecated: use s.Sessions().RevokeSessionByID.

func (*Service) RevokeSessionByIDForUser 

func (s *Service) RevokeSessionByIDForUser(ctx context.Context, userID, sessionID string) error

RevokeSessionByIDForUser revokes a session by id ensuring it belongs to the user. Deprecated: use s.Sessions().RevokeSessionByIDForUser.

func (*Service) Roles added in v0.46.0 

func (s *Service) Roles() RolesFacet

Roles returns the role and permission facet.

func (*Service) SMSAvailable added in v0.15.4 

func (s *Service) SMSAvailable() bool

SMSAvailable reports whether phone-based flows should be offered: a sender is configured and (if a health check has run) it was found able to deliver.

func (*Service) SMSHealthReason added in v0.15.4 

func (s *Service) SMSHealthReason() string

SMSHealthReason returns the reason SMS was last found unhealthy, if any.

func (*Service) SMSHealthy added in v0.15.4 

func (s *Service) SMSHealthy() bool

SMSHealthy reports the last CheckSMSHealth result. It is true until a check has run (legacy behavior: assume healthy when a sender is present).

func (*Service) Schema added in v0.26.0 

func (s *Service) Schema() string

Schema returns the Postgres schema AuthKit's tables live in ("profiles" unless configured otherwise via Config.Schema/Options.Schema).

func (*Service) SeedPermissionGroupContainment added in v0.49.0 

func (s *Service) SeedPermissionGroupContainment(ctx context.Context) error

SeedPermissionGroupContainment writes the declared containment schema into group_type_parents so the DB trigger can enforce tree shape. Idempotent; call once at bootstrap.

func (*Service) SendPhone2FASetupCode 

func (s *Service) SendPhone2FASetupCode(ctx context.Context, userID, phone, code string) error

SendPhone2FASetupCode generates and sends a 6-digit code for 2FA setup to the user's phone. Deprecated: use s.TwoFactor().SendPhone2FASetupCode.

func (*Service) SendPhoneVerificationToUser 

func (s *Service) SendPhoneVerificationToUser(ctx context.Context, phone, userID string, ttl time.Duration) error

SendPhoneVerificationToUser creates a verification code and sends it via SMS to a known user. Use RequestPhoneVerification if you only have a phone number and need to look up the user. Always returns nil for security. Deprecated: use s.Users().SendPhoneVerificationToUser.

func (*Service) SendWelcome 

func (s *Service) SendWelcome(ctx context.Context, userID string)

SendWelcome triggers the welcome email if an EmailSender is configured. Deprecated: use s.Users().SendWelcome.

func (*Service) SessionFreshness deprecated added in v0.8.3 

func (s *Service) SessionFreshness(ctx context.Context, userID, sessionID string, now time.Time) (SessionFreshness, error)

Deprecated: use s.Sessions().SessionFreshness.

func (*Service) Sessions added in v0.46.0 

func (s *Service) Sessions() SessionsFacet

Sessions returns the refresh-session and step-up auth facet.

func (*Service) SetEmailVerified deprecated 

func (s *Service) SetEmailVerified(ctx context.Context, id string, v bool) error

Deprecated: use s.Users().SetEmailVerified.

func (*Service) SetEntitlementsProvider added in v0.48.0 

func (s *Service) SetEntitlementsProvider(p EntitlementsProvider)

SetEntitlementsProvider installs the entitlements provider AFTER construction.

This is the ONE sanctioned post-construction setter — #108 otherwise removed every mutating builder in favor of constructor options. It exists for a genuine initialization CYCLE: an embedded billing engine (e.g. OpenRails) authenticates through this Service — it needs the Verifier/Core, so the Service must exist first — yet that same engine is the SOURCE of the entitlements provider, so the provider cannot exist at construction time. The host builds the Service, builds the engine with it, then installs the engine's provider here. Safe because entitlements are read LAZILY at token-mint time; call it during wiring, before serving requests. Hosts WITHOUT this cycle should prefer the WithEntitlements construction option instead.

func (*Service) SetPasswordAfterFreshAuth deprecated added in v0.8.3 

func (s *Service) SetPasswordAfterFreshAuth(ctx context.Context, userID, new string, keepSessionID *string) error

Deprecated: use s.Users().SetPasswordAfterFreshAuth.

func (*Service) SetPreferredLocale deprecated added in v0.14.0 

func (s *Service) SetPreferredLocale(ctx context.Context, userID, locale, source string) error

Deprecated: use s.Users().SetPreferredLocale.

func (*Service) SetProviderUsername deprecated 

func (s *Service) SetProviderUsername(ctx context.Context, userID, provider, subject, username string) error

Deprecated: use s.Identity().SetProviderUsername.

func (*Service) SoftDeleteUser 

func (s *Service) SoftDeleteUser(ctx context.Context, id string) error

SoftDeleteUser marks the user deleted and sets deleted_at without dropping rows. Also revokes all refresh sessions for this issuer. Deprecated: use s.Users().SoftDeleteUser.

func (*Service) TimeUntilUsernameRenameAvailable deprecated added in v0.8.6 

func (s *Service) TimeUntilUsernameRenameAvailable(ctx context.Context, userID string, now time.Time) (int64, error)

Deprecated: use s.Users().TimeUntilUsernameRenameAvailable.

func (*Service) Tokens added in v0.46.0 

func (s *Service) Tokens() TokensFacet

Tokens returns the token minting/issuing facet.

func (*Service) TwoFactor added in v0.46.0 

func (s *Service) TwoFactor() TwoFactorFacet

TwoFactor returns the 2FA facet.

func (*Service) UnassignGroupRole added in v0.49.0 

func (s *Service) UnassignGroupRole(ctx context.Context, groupType, resourceRef, subjectID, subjectKind, role string) error

UnassignGroupRole revokes a subject's role in a group.

func (*Service) UnbanUser 

func (s *Service) UnbanUser(ctx context.Context, userID string) error

UnbanUser clears ban metadata and re-enables the account. Deprecated: use s.Users().UnbanUser.

func (*Service) UnlinkProvider deprecated 

func (s *Service) UnlinkProvider(ctx context.Context, userID, provider string) error

Deprecated: use s.Identity().UnlinkProvider.

func (*Service) UpdateBiography deprecated 

func (s *Service) UpdateBiography(ctx context.Context, id string, bio *string) error

Deprecated: use s.Users().UpdateBiography.

func (*Service) UpdateEmail deprecated 

func (s *Service) UpdateEmail(ctx context.Context, id, email string) error

Deprecated: use s.Users().UpdateEmail.

func (*Service) UpdateImportedUser deprecated added in v0.9.0 

func (s *Service) UpdateImportedUser(ctx context.Context, userID string, input ImportUserInput) (*User, error)

Deprecated: use s.Users().UpdateImportedUser.

func (*Service) UpdateUsername deprecated 

func (s *Service) UpdateUsername(ctx context.Context, id, username string) error

Deprecated: use s.Users().UpdateUsername.

func (*Service) UpdateUsernameForce added in v0.7.0 

func (s *Service) UpdateUsernameForce(ctx context.Context, id, username string) error

UpdateUsernameForce is the admin override that skips the 72h cooldown check. Otherwise identical to UpdateUsername. Caller is responsible for gating this behind admin scope upstream. Deprecated: use s.Users().UpdateUsernameForce.

func (*Service) UpsertPasswordHash deprecated 

func (s *Service) UpsertPasswordHash(ctx context.Context, userID, hash, algo string, params []byte) error

Deprecated: use s.Users().UpsertPasswordHash.

func (*Service) UpsertRemoteApplication added in v0.27.0 

func (s *Service) UpsertRemoteApplication(ctx context.Context, in RemoteApplication) (*RemoteApplication, error)

UpsertRemoteApplication registers or updates a remote_application keyed by its issuer. OrgID is optional: empty rows are bootstrap/operator-managed. Deprecated: use s.Identity().UpsertRemoteApplication.

func (*Service) UpsertRoleBySlug deprecated added in v0.9.0 

func (s *Service) UpsertRoleBySlug(ctx context.Context, name, slug string, description *string) error

Deprecated: use s.Roles().UpsertRoleBySlug.

func (*Service) Users added in v0.46.0 

func (s *Service) Users() UsersFacet

Users returns the user/account facet.

func (*Service) ValidateUsernameForRegistration deprecated added in v0.8.6 

func (s *Service) ValidateUsernameForRegistration(ctx context.Context, username string) (string, error)

Deprecated: use s.Users().ValidateUsernameForRegistration.

func (*Service) ValidateUsernameForUser added in v0.8.6 

func (s *Service) ValidateUsernameForUser(ctx context.Context, username, userID string) (slug, excludeOrgID string, err error)

ValidateUsernameForUser validates a desired username and confirms no OTHER live user already holds it (#111: the org-slug reservation plane was removed, so username uniqueness is the only constraint). The returned slug is the lowercased username; excludeOrgID is retained in the signature for dependent adapters but is always empty under the permission-group model. Deprecated: use s.Users().ValidateUsernameForUser.

func (*Service) ValidateVerificationConfiguration added in v0.5.0 

func (s *Service) ValidateVerificationConfiguration() error

ValidateVerificationConfiguration ensures registration verification policy can be satisfied by currently configured delivery senders.

func (*Service) Verify2FAChallenge 

func (s *Service) Verify2FAChallenge(ctx context.Context, userID, challenge string) (bool, error)

Verify2FAChallenge verifies the challenge created during the password step. Deprecated: use s.TwoFactor().Verify2FAChallenge.

func (*Service) Verify2FACode 

func (s *Service) Verify2FACode(ctx context.Context, userID, code string) (bool, error)

Verify2FACode verifies a 2FA code entered by the user during login. Returns true if code is valid, false otherwise. Deprecated: use s.TwoFactor().Verify2FACode.

func (*Service) VerifyBackupCode 

func (s *Service) VerifyBackupCode(ctx context.Context, userID, backupCode string) (bool, error)

VerifyBackupCode verifies a 2FA backup code for account recovery. On success, removes the used backup code from the user's backup codes. Deprecated: use s.TwoFactor().VerifyBackupCode.

func (*Service) VerifyPendingPassword 

func (s *Service) VerifyPendingPassword(ctx context.Context, email, pass string) bool

VerifyPendingPassword checks if the provided password matches the pending registration's hash. Returns true if password is correct, false otherwise. Deprecated: use s.Users().VerifyPendingPassword.

func (*Service) VerifyPendingPhonePassword added in v0.15.4 

func (s *Service) VerifyPendingPhonePassword(ctx context.Context, phone, pass string) bool

VerifyPendingPhonePassword checks if the provided password matches the pending phone registration's hash. Returns true if password is correct, false otherwise. Deprecated: use s.Users().VerifyPendingPhonePassword.

func (*Service) VerifyPhone2FASetupCode 

func (s *Service) VerifyPhone2FASetupCode(ctx context.Context, userID, phone, code string) (bool, error)

VerifyPhone2FASetupCode checks the code for 2FA phone setup. Deprecated: use s.TwoFactor().VerifyPhone2FASetupCode.

func (*Service) VerifySIWSAndLogin 

func (s *Service) VerifySIWSAndLogin(ctx context.Context, cache siws.ChallengeCache, output siws.SignInOutput, extra map[string]any) (accessToken string, expiresAt time.Time, refreshToken, userID string, created bool, err error)

VerifySIWSAndLogin verifies a SIWS signature and logs in or creates a user. Returns access token, expiry, refresh token, user ID, and whether a new user was created. Deprecated: use s.Identity().VerifySIWSAndLogin.

func (*Service) VerifyUserPassword added in v0.5.1 

func (s *Service) VerifyUserPassword(ctx context.Context, userID, pass string) bool

VerifyUserPassword checks a user's password without issuing tokens or updating last-login. Returns true if the password is correct, false otherwise. Deprecated: use s.Users().VerifyUserPassword.

func (*Service) WithEmailSender 

func (s *Service) WithEmailSender(sender EmailSender) *Service

WithEmailSender sets the email sender dependency.

func (*Service) WithSMSSender 

func (s *Service) WithSMSSender(sender SMSSender) *Service

WithSMSSender sets the SMS sender dependency.

type ServiceJWTClaims added in v0.13.1 

type ServiceJWTClaims = authbase.ServiceJWTClaims

ServiceJWTClaims is defined in authbase (core-free) and re-exported here.

func MintServiceJWT added in v0.13.1 

func MintServiceJWT(ctx context.Context, signer jwtkit.Signer, issuer string, opts ServiceJWTMintOptions) (string, ServiceJWTClaims, error)

MintServiceJWT signs a service JWT with an explicit signer and issuer. Hosts can use this helper when they manage the signing key outside core.Service.

type ServiceJWTMintOptions added in v0.13.1 

type ServiceJWTMintOptions struct {
	Subject     string
	Audiences   []string
	Permissions []string
	Resources   []APIKeyResource
	Lifetime    time.Duration
	NotBefore   time.Time
	IssuedAt    time.Time
	JTI         string
}

ServiceJWTMintOptions controls service-JWT minting for embedded hosts.

type Session 

type Session struct {
	ID                  string
	FamilyID            string
	CreatedAt           time.Time
	LastAuthenticatedAt *time.Time
	LastUsedAt          time.Time
	ExpiresAt           *time.Time
	RevokedAt           *time.Time
	UserAgent           *string
	IPAddr              *string
}

Session represents a sanitized session view (no tokens).

type SessionEventType 

type SessionEventType string

SessionEventType identifies a session lifecycle event. 

const (
	SessionEventCreated          SessionEventType = "session_created"
	SessionEventRevoked          SessionEventType = "session_revoked"
	SessionEventPasswordChange   SessionEventType = "password_changed"
	SessionEventPasswordRecovery SessionEventType = "password_recovery"
	SessionEventFailed           SessionEventType = "session_failed"
)

type SessionFreshness added in v0.8.3 

type SessionFreshness struct {
	LastAuthenticatedAt           time.Time
	TimeUntilReauthRequired       time.Duration
	ReauthRequiredForSensitiveOps bool
}

type SessionRevokeReason 

type SessionRevokeReason string

SessionRevokeReason identifies why a session (or set of sessions) was revoked. 

const (
	SessionRevokeReasonUnknown              SessionRevokeReason = ""
	SessionRevokeReasonLogout               SessionRevokeReason = "logout"
	SessionRevokeReasonUserRevoke           SessionRevokeReason = "user_revoke"
	SessionRevokeReasonUserRevokeAll        SessionRevokeReason = "user_revoke_all"
	SessionRevokeReasonAdminRevoke          SessionRevokeReason = "admin_revoke"
	SessionRevokeReasonAdminRevokeAll       SessionRevokeReason = "admin_revoke_all"
	SessionRevokeReasonPasswordChange       SessionRevokeReason = "password_change"
	SessionRevokeReasonAdminSetPassword     SessionRevokeReason = "admin_set_password"
	SessionRevokeReasonUserDisabled         SessionRevokeReason = "user_disabled"
	SessionRevokeReasonBanned               SessionRevokeReason = "banned"
	SessionRevokeReasonSoftDeleted          SessionRevokeReason = "soft_deleted"
	SessionRevokeReasonEvicted              SessionRevokeReason = "evicted"
	SessionRevokeReasonRefreshReuseDetected SessionRevokeReason = "refresh_reuse_detected"
)

type SessionsFacet added in v0.46.0 

type SessionsFacet struct {
	// contains filtered or unexported fields
}

SessionsFacet is the refresh-session and step-up auth view of Service.

func (SessionsFacet) AdminListUserSessions added in v0.46.0 

func (f SessionsFacet) AdminListUserSessions(ctx context.Context, userID string) ([]Session, error)

AdminListUserSessions calls Service.AdminListUserSessions.

func (SessionsFacet) AdminRevokeUserSessions added in v0.46.0 

func (f SessionsFacet) AdminRevokeUserSessions(ctx context.Context, userID string) error

AdminRevokeUserSessions calls Service.AdminRevokeUserSessions.

func (SessionsFacet) CleanupExpiredAuthState added in v0.46.0 

func (f SessionsFacet) CleanupExpiredAuthState(ctx context.Context) error

CleanupExpiredAuthState calls Service.CleanupExpiredAuthState.

func (SessionsFacet) ExchangeRefreshToken added in v0.46.0 

func (f SessionsFacet) ExchangeRefreshToken(ctx context.Context, refreshToken string, ua string, ip net.IP) (idToken string, expiresAt time.Time, newRefresh string, err error)

ExchangeRefreshToken calls Service.ExchangeRefreshToken.

func (SessionsFacet) IssueRefreshSession added in v0.46.0 

func (f SessionsFacet) IssueRefreshSession(ctx context.Context, userID, userAgent string, ip net.IP) (sessionID, refreshToken string, expiresAt *time.Time, err error)

IssueRefreshSession calls Service.IssueRefreshSession.

func (SessionsFacet) ListUserSessions added in v0.46.0 

func (f SessionsFacet) ListUserSessions(ctx context.Context, userID string) ([]Session, error)

ListUserSessions calls Service.ListUserSessions.

func (SessionsFacet) LogPasswordChanged added in v0.46.0 

func (f SessionsFacet) LogPasswordChanged(ctx context.Context, userID string, sessionID string, ip *string, ua *string)

LogPasswordChanged calls Service.LogPasswordChanged.

func (SessionsFacet) LogPasswordRecovery added in v0.46.0 

func (f SessionsFacet) LogPasswordRecovery(ctx context.Context, userID string, method, sessionID string, ip *string, ua *string)

LogPasswordRecovery calls Service.LogPasswordRecovery.

func (SessionsFacet) LogSessionCreated added in v0.46.0 

func (f SessionsFacet) LogSessionCreated(ctx context.Context, userID string, method string, sessionID string, ip *string, ua *string)

LogSessionCreated calls Service.LogSessionCreated.

func (SessionsFacet) LogSessionFailed added in v0.46.0 

func (f SessionsFacet) LogSessionFailed(ctx context.Context, userID string, sessionID string, reason *string, ip *string, ua *string)

LogSessionFailed calls Service.LogSessionFailed.

func (SessionsFacet) MarkSessionAuthenticated added in v0.46.0 

func (f SessionsFacet) MarkSessionAuthenticated(ctx context.Context, userID, sessionID string) error

MarkSessionAuthenticated calls Service.MarkSessionAuthenticated.

func (SessionsFacet) RequireFreshSession added in v0.46.0 

func (f SessionsFacet) RequireFreshSession(ctx context.Context, userID, sessionID string, now time.Time) (SessionFreshness, error)

RequireFreshSession calls Service.RequireFreshSession.

func (SessionsFacet) ResolveSessionByRefresh added in v0.46.0 

func (f SessionsFacet) ResolveSessionByRefresh(ctx context.Context, refreshToken string) (string, error)

ResolveSessionByRefresh calls Service.ResolveSessionByRefresh.

func (SessionsFacet) RevokeAllSessions added in v0.46.0 

func (f SessionsFacet) RevokeAllSessions(ctx context.Context, userID string, keepSessionID *string) error

RevokeAllSessions calls Service.RevokeAllSessions.

func (SessionsFacet) RevokeSessionByID added in v0.46.0 

func (f SessionsFacet) RevokeSessionByID(ctx context.Context, sessionID string) error

RevokeSessionByID calls Service.RevokeSessionByID.

func (SessionsFacet) RevokeSessionByIDForUser added in v0.46.0 

func (f SessionsFacet) RevokeSessionByIDForUser(ctx context.Context, userID, sessionID string) error

RevokeSessionByIDForUser calls Service.RevokeSessionByIDForUser.

func (SessionsFacet) SessionFreshness added in v0.46.0 

func (f SessionsFacet) SessionFreshness(ctx context.Context, userID, sessionID string, now time.Time) (SessionFreshness, error)

SessionFreshness calls Service.SessionFreshness.

type SolanaConfig added in v0.47.0 

type SolanaConfig struct {
	// Network is a host-provided chain selector ("mainnet"/"testnet"/"devnet").
	// If empty, AuthKit derives a default from Environment.
	Network string
	// SNSEnabled enables AuthKit-owned Solana Name Service resolution for
	// SIWS-linked wallets.
	SNSEnabled bool
	// SNSResolver resolves a verified Solana wallet address to its primary .sol name.
	SNSResolver SolanaSNSResolver
	// SNSLookupTimeout bounds resolver calls. Empty defaults to 3 seconds.
	SNSLookupTimeout time.Duration
	// SNSCacheTTL controls when cached SNS metadata is stale. Empty defaults to 24h.
	SNSCacheTTL time.Duration
}

SolanaConfig controls SIWS chain selection and optional SNS resolution.

type SolanaLinkedAccount added in v0.15.0 

type SolanaLinkedAccount struct {
	Provider            string     `json:"provider"`
	Issuer              string     `json:"issuer"`
	Address             string     `json:"address"`
	Verified            bool       `json:"verified"`
	VerifiedAt          *time.Time `json:"verified_at"`
	PrimarySNSName      *string    `json:"primary_sns_name"`
	SNSResolutionStatus string     `json:"sns_resolution_status"`
	SNSResolvedAt       *time.Time `json:"sns_resolved_at"`
	SNSStale            bool       `json:"sns_stale"`
	SNSError            *string    `json:"sns_error"`
}

SolanaLinkedAccount is the AuthKit-owned normalized metadata for a SIWS-linked wallet.

type SolanaSNSResolver added in v0.15.0 

type SolanaSNSResolver interface {
	ResolvePrimaryName(ctx context.Context, address string) (string, error)
}

SolanaSNSResolver resolves a verified Solana wallet address to its primary .sol name.

type SubjectGroupMembership added in v0.49.0 

type SubjectGroupMembership struct {
	Persona     string
	ResourceRef string
	Role        string
}

SubjectGroupMembership is one (persona, resource, role) a subject holds.

type TokenConfig added in v0.47.0 

type TokenConfig struct {
	Issuer               string
	IssuedAudiences      []string // tokens issued will contain ALL of these audiences
	ExpectedAudiences    []string
	AccessTokenDuration  time.Duration
	RefreshTokenDuration time.Duration
	// SessionMaxPerUser caps concurrent refresh sessions per user. 0 = unlimited
	// (default 3 if unset by the service); eviction is always evict-oldest.
	SessionMaxPerUser int
}

TokenConfig is the JWT issuing/verification contract plus session limits.

type TokensFacet added in v0.46.0 

type TokensFacet struct {
	// contains filtered or unexported fields
}

TokensFacet is the token minting/issuing view of Service.

func (TokensFacet) IssueAccessToken added in v0.46.0 

func (f TokensFacet) IssueAccessToken(ctx context.Context, userID, email string, extra map[string]any) (token string, expiresAt time.Time, err error)

IssueAccessToken calls Service.IssueAccessToken.

func (TokensFacet) MintCustomJWT added in v0.46.0 

func (f TokensFacet) MintCustomJWT(ctx context.Context, opts CustomJWTMintOptions) (string, error)

MintCustomJWT calls Service.MintCustomJWT.

func (TokensFacet) MintDelegatedAccessToken added in v0.46.0 

func (f TokensFacet) MintDelegatedAccessToken(ctx context.Context, p DelegatedAccessParams) (string, error)

MintDelegatedAccessToken calls Service.MintDelegatedAccessToken.

func (TokensFacet) MintRemoteApplicationAccessToken added in v0.46.0 

func (f TokensFacet) MintRemoteApplicationAccessToken(ctx context.Context, p RemoteApplicationAccessParams) (string, error)

MintRemoteApplicationAccessToken calls Service.MintRemoteApplicationAccessToken.

func (TokensFacet) MintServiceJWT added in v0.46.0 

func (f TokensFacet) MintServiceJWT(ctx context.Context, opts ServiceJWTMintOptions) (string, ServiceJWTClaims, error)

MintServiceJWT calls Service.MintServiceJWT.

type TwoFactorFacet added in v0.46.0 

type TwoFactorFacet struct {
	// contains filtered or unexported fields
}

TwoFactorFacet is the 2FA view of Service.

func (TwoFactorFacet) Clear2FAChallenge added in v0.46.0 

func (f TwoFactorFacet) Clear2FAChallenge(ctx context.Context, userID string) error

Clear2FAChallenge calls Service.Clear2FAChallenge.

func (TwoFactorFacet) Create2FAChallenge added in v0.46.0 

func (f TwoFactorFacet) Create2FAChallenge(ctx context.Context, userID string) (string, error)

Create2FAChallenge calls Service.Create2FAChallenge.

func (TwoFactorFacet) Disable2FA added in v0.46.0 

func (f TwoFactorFacet) Disable2FA(ctx context.Context, userID string) error

Disable2FA calls Service.Disable2FA.

func (TwoFactorFacet) Enable2FA added in v0.46.0 

func (f TwoFactorFacet) Enable2FA(ctx context.Context, userID, method string, phoneNumber *string) ([]string, error)

Enable2FA calls Service.Enable2FA.

func (TwoFactorFacet) Get2FASettings added in v0.46.0 

func (f TwoFactorFacet) Get2FASettings(ctx context.Context, userID string) (*TwoFactorSettings, error)

Get2FASettings calls Service.Get2FASettings.

func (TwoFactorFacet) RegenerateBackupCodes added in v0.46.0 

func (f TwoFactorFacet) RegenerateBackupCodes(ctx context.Context, userID string) ([]string, error)

RegenerateBackupCodes calls Service.RegenerateBackupCodes.

func (TwoFactorFacet) Require2FAForLogin added in v0.46.0 

func (f TwoFactorFacet) Require2FAForLogin(ctx context.Context, userID string) (string, error)

Require2FAForLogin calls Service.Require2FAForLogin.

func (TwoFactorFacet) SendPhone2FASetupCode added in v0.46.0 

func (f TwoFactorFacet) SendPhone2FASetupCode(ctx context.Context, userID, phone, code string) error

SendPhone2FASetupCode calls Service.SendPhone2FASetupCode.

func (TwoFactorFacet) Verify2FAChallenge added in v0.46.0 

func (f TwoFactorFacet) Verify2FAChallenge(ctx context.Context, userID, challenge string) (bool, error)

Verify2FAChallenge calls Service.Verify2FAChallenge.

func (TwoFactorFacet) Verify2FACode added in v0.46.0 

func (f TwoFactorFacet) Verify2FACode(ctx context.Context, userID, code string) (bool, error)

Verify2FACode calls Service.Verify2FACode.

func (TwoFactorFacet) VerifyBackupCode added in v0.46.0 

func (f TwoFactorFacet) VerifyBackupCode(ctx context.Context, userID, backupCode string) (bool, error)

VerifyBackupCode calls Service.VerifyBackupCode.

func (TwoFactorFacet) VerifyPhone2FASetupCode added in v0.46.0 

func (f TwoFactorFacet) VerifyPhone2FASetupCode(ctx context.Context, userID, phone, code string) (bool, error)

VerifyPhone2FASetupCode calls Service.VerifyPhone2FASetupCode.

type TwoFactorSettings 

type TwoFactorSettings struct {
	UserID      string
	Enabled     bool
	Method      string // "email" or "sms"
	PhoneNumber *string
	BackupCodes []string // Hashed backup codes
	CreatedAt   time.Time
	UpdatedAt   time.Time
}

TwoFactorSettings represents a user's 2FA configuration

type User 

type User struct {
	ID              string
	Email           *string // Nullable - phone-only users have NULL email
	PhoneNumber     *string
	Username        *string
	DiscordUsername *string
	EmailVerified   bool
	PhoneVerified   bool
	BannedAt        *time.Time
	BannedUntil     *time.Time
	BanReason       *string
	BannedBy        *string
	DeletedAt       *time.Time
	Biography       *string
	CreatedAt       time.Time
	UpdatedAt       time.Time
	LastLogin       *time.Time
}

type UsersFacet added in v0.46.0 

type UsersFacet struct {
	// contains filtered or unexported fields
}

UsersFacet is the user/account view of Service.

func (UsersFacet) AdminCountUsers added in v0.46.0 

func (f UsersFacet) AdminCountUsers(ctx context.Context, opts AdminUserListOptions) (int64, error)

AdminCountUsers calls Service.AdminCountUsers.

func (UsersFacet) AdminDeleteUser added in v0.46.0 

func (f UsersFacet) AdminDeleteUser(ctx context.Context, id string) error

AdminDeleteUser calls Service.AdminDeleteUser.

func (UsersFacet) AdminGetUser added in v0.46.0 

func (f UsersFacet) AdminGetUser(ctx context.Context, id string) (*AdminUser, error)

AdminGetUser calls Service.AdminGetUser.

func (UsersFacet) AdminListUsers added in v0.46.0 

func (f UsersFacet) AdminListUsers(ctx context.Context, opts AdminUserListOptions) (*AdminListUsersResult, error)

AdminListUsers calls Service.AdminListUsers.

func (UsersFacet) AdminSetPassword added in v0.46.0 

func (f UsersFacet) AdminSetPassword(ctx context.Context, userID, new string) error

AdminSetPassword calls Service.AdminSetPassword.

func (UsersFacet) BanUser added in v0.46.0 

func (f UsersFacet) BanUser(ctx context.Context, userID string, reason *string, until *time.Time, bannedBy string) error

BanUser calls Service.BanUser.

func (UsersFacet) BeginPasswordReset added in v0.46.0 

func (f UsersFacet) BeginPasswordReset(ctx context.Context, token string, sessionTTL time.Duration) (string, error)

BeginPasswordReset calls Service.BeginPasswordReset.

func (UsersFacet) CancelEmailChange added in v0.46.0 

func (f UsersFacet) CancelEmailChange(ctx context.Context, userID string) error

CancelEmailChange calls Service.CancelEmailChange.

func (UsersFacet) CancelPhoneChange added in v0.46.0 

func (f UsersFacet) CancelPhoneChange(ctx context.Context, userID, phone string) error

CancelPhoneChange calls Service.CancelPhoneChange.

func (UsersFacet) ChangePassword added in v0.46.0 

func (f UsersFacet) ChangePassword(ctx context.Context, userID, current, new string, keepSessionID *string) error

ChangePassword calls Service.ChangePassword.

func (UsersFacet) CheckPendingRegistrationConflict added in v0.46.0 

func (f UsersFacet) CheckPendingRegistrationConflict(ctx context.Context, email, username string) (bool, bool, error)

CheckPendingRegistrationConflict calls Service.CheckPendingRegistrationConflict.

func (UsersFacet) CheckPhoneRegistrationConflict added in v0.46.0 

func (f UsersFacet) CheckPhoneRegistrationConflict(ctx context.Context, phone, username string) (bool, bool, error)

CheckPhoneRegistrationConflict calls Service.CheckPhoneRegistrationConflict.

func (UsersFacet) CheckUserPassword added in v0.46.0 

func (f UsersFacet) CheckUserPassword(ctx context.Context, userID, pass string) error

CheckUserPassword calls Service.CheckUserPassword.

func (UsersFacet) ConfirmEmailChange added in v0.46.0 

func (f UsersFacet) ConfirmEmailChange(ctx context.Context, userID, code string) error

ConfirmEmailChange calls Service.ConfirmEmailChange.

func (UsersFacet) ConfirmEmailVerification added in v0.46.0 

func (f UsersFacet) ConfirmEmailVerification(ctx context.Context, token string) (userID string, err error)

ConfirmEmailVerification calls Service.ConfirmEmailVerification.

func (UsersFacet) ConfirmPasswordReset added in v0.46.0 

func (f UsersFacet) ConfirmPasswordReset(ctx context.Context, token, newPassword string) (string, error)

ConfirmPasswordReset calls Service.ConfirmPasswordReset.

func (UsersFacet) ConfirmPasswordResetWithSession added in v0.46.0 

func (f UsersFacet) ConfirmPasswordResetWithSession(ctx context.Context, resetSession, newPassword string) (string, error)

ConfirmPasswordResetWithSession calls Service.ConfirmPasswordResetWithSession.

func (UsersFacet) ConfirmPendingPhoneRegistration added in v0.46.0 

func (f UsersFacet) ConfirmPendingPhoneRegistration(ctx context.Context, phone, code string) (userID string, err error)

ConfirmPendingPhoneRegistration calls Service.ConfirmPendingPhoneRegistration.

func (UsersFacet) ConfirmPendingPhoneRegistrationByToken added in v0.46.0 

func (f UsersFacet) ConfirmPendingPhoneRegistrationByToken(ctx context.Context, token string) (string, error)

ConfirmPendingPhoneRegistrationByToken calls Service.ConfirmPendingPhoneRegistrationByToken.

func (UsersFacet) ConfirmPendingRegistration added in v0.46.0 

func (f UsersFacet) ConfirmPendingRegistration(ctx context.Context, token string) (userID string, err error)

ConfirmPendingRegistration calls Service.ConfirmPendingRegistration.

func (UsersFacet) ConfirmPhoneChange added in v0.46.0 

func (f UsersFacet) ConfirmPhoneChange(ctx context.Context, userID, phone, code string) error

ConfirmPhoneChange calls Service.ConfirmPhoneChange.

func (UsersFacet) ConfirmPhoneVerification added in v0.46.0 

func (f UsersFacet) ConfirmPhoneVerification(ctx context.Context, phone, code string) error

ConfirmPhoneVerification calls Service.ConfirmPhoneVerification.

func (UsersFacet) ConfirmPhoneVerificationByToken added in v0.46.0 

func (f UsersFacet) ConfirmPhoneVerificationByToken(ctx context.Context, token string) error

ConfirmPhoneVerificationByToken calls Service.ConfirmPhoneVerificationByToken.

func (UsersFacet) ConfirmPhoneVerificationByTokenUserID added in v0.46.0 

func (f UsersFacet) ConfirmPhoneVerificationByTokenUserID(ctx context.Context, token string) (string, error)

ConfirmPhoneVerificationByTokenUserID calls Service.ConfirmPhoneVerificationByTokenUserID.

func (UsersFacet) ConfirmPhoneVerificationUserID added in v0.46.0 

func (f UsersFacet) ConfirmPhoneVerificationUserID(ctx context.Context, phone, code string) (string, error)

ConfirmPhoneVerificationUserID calls Service.ConfirmPhoneVerificationUserID.

func (UsersFacet) CreatePendingPhoneRegistration added in v0.46.0 

func (f UsersFacet) CreatePendingPhoneRegistration(ctx context.Context, phone, username, passwordHash string) (string, error)

CreatePendingPhoneRegistration calls Service.CreatePendingPhoneRegistration.

func (UsersFacet) CreatePendingPhoneRegistrationWithLocale added in v0.46.0 

func (f UsersFacet) CreatePendingPhoneRegistrationWithLocale(ctx context.Context, phone, username, passwordHash, preferredLocale string) (string, error)

CreatePendingPhoneRegistrationWithLocale calls Service.CreatePendingPhoneRegistrationWithLocale.

func (UsersFacet) CreatePendingRegistration added in v0.46.0 

func (f UsersFacet) CreatePendingRegistration(ctx context.Context, email, username, passwordHash string, ttl time.Duration) (string, error)

CreatePendingRegistration calls Service.CreatePendingRegistration.

func (UsersFacet) CreatePendingRegistrationWithLocale added in v0.46.0 

func (f UsersFacet) CreatePendingRegistrationWithLocale(ctx context.Context, email, username, passwordHash string, ttl time.Duration, preferredLocale string) (string, error)

CreatePendingRegistrationWithLocale calls Service.CreatePendingRegistrationWithLocale.

func (UsersFacet) CreateUser added in v0.46.0 

func (f UsersFacet) CreateUser(ctx context.Context, email, username string) (*User, error)

CreateUser calls Service.CreateUser.

func (UsersFacet) DeletePendingPhoneRegistrationByPhone added in v0.46.0 

func (f UsersFacet) DeletePendingPhoneRegistrationByPhone(ctx context.Context, phone string) error

DeletePendingPhoneRegistrationByPhone calls Service.DeletePendingPhoneRegistrationByPhone.

func (UsersFacet) DeletePendingRegistrationByEmail added in v0.46.0 

func (f UsersFacet) DeletePendingRegistrationByEmail(ctx context.Context, email string) error

DeletePendingRegistrationByEmail calls Service.DeletePendingRegistrationByEmail.

func (UsersFacet) DeriveUsername added in v0.46.0 

func (f UsersFacet) DeriveUsername(email string) string

DeriveUsername calls Service.DeriveUsername.

func (UsersFacet) DeriveUsernameForOAuth added in v0.46.0 

func (f UsersFacet) DeriveUsernameForOAuth(ctx context.Context, provider, preferred, email, displayName string) string

DeriveUsernameForOAuth calls Service.DeriveUsernameForOAuth.

func (UsersFacet) GenerateAvailableUsername added in v0.46.0 

func (f UsersFacet) GenerateAvailableUsername(ctx context.Context, base string) string

GenerateAvailableUsername calls Service.GenerateAvailableUsername.

func (UsersFacet) GetEmailByUserID added in v0.46.0 

func (f UsersFacet) GetEmailByUserID(ctx context.Context, id string) (string, error)

GetEmailByUserID calls Service.GetEmailByUserID.

func (UsersFacet) GetPendingEmailChange added in v0.46.0 

func (f UsersFacet) GetPendingEmailChange(ctx context.Context, userID string) (string, error)

GetPendingEmailChange calls Service.GetPendingEmailChange.

func (UsersFacet) GetPendingPhoneRegistrationByPhone added in v0.46.0 

func (f UsersFacet) GetPendingPhoneRegistrationByPhone(ctx context.Context, phone string) (*PendingRegistration, error)

GetPendingPhoneRegistrationByPhone calls Service.GetPendingPhoneRegistrationByPhone.

func (UsersFacet) GetPendingRegistrationByEmail added in v0.46.0 

func (f UsersFacet) GetPendingRegistrationByEmail(ctx context.Context, email string) (*PendingRegistration, error)

GetPendingRegistrationByEmail calls Service.GetPendingRegistrationByEmail.

func (UsersFacet) GetPreferredLocale added in v0.46.0 

func (f UsersFacet) GetPreferredLocale(ctx context.Context, userID string) (PreferredLocale, error)

GetPreferredLocale calls Service.GetPreferredLocale.

func (UsersFacet) GetUserByPhone added in v0.46.0 

func (f UsersFacet) GetUserByPhone(ctx context.Context, phone string) (*User, error)

GetUserByPhone calls Service.GetUserByPhone.

func (UsersFacet) GetUserMetadata added in v0.46.0 

func (f UsersFacet) GetUserMetadata(ctx context.Context, userID string) (map[string]any, error)

GetUserMetadata calls Service.GetUserMetadata.

func (UsersFacet) HardDeleteUser added in v0.46.0 

func (f UsersFacet) HardDeleteUser(ctx context.Context, userID string) error

HardDeleteUser calls Service.HardDeleteUser.

func (UsersFacet) HostDeleteUser added in v0.46.0 

func (f UsersFacet) HostDeleteUser(ctx context.Context, id string, soft bool) error

HostDeleteUser calls Service.HostDeleteUser.

func (UsersFacet) ImportUser added in v0.46.0 

func (f UsersFacet) ImportUser(ctx context.Context, input ImportUserInput) (*User, error)

ImportUser calls Service.ImportUser.

func (UsersFacet) IsUserAllowed added in v0.46.0 

func (f UsersFacet) IsUserAllowed(ctx context.Context, userID string) (bool, error)

IsUserAllowed calls Service.IsUserAllowed.

func (UsersFacet) ListEntitlements added in v0.46.0 

func (f UsersFacet) ListEntitlements(ctx context.Context, userID string) []string

ListEntitlements calls Service.ListEntitlements.

func (UsersFacet) ListUsersDeletedBefore added in v0.46.0 

func (f UsersFacet) ListUsersDeletedBefore(ctx context.Context, cutoff time.Time, limit int) ([]string, error)

ListUsersDeletedBefore calls Service.ListUsersDeletedBefore.

func (UsersFacet) PasswordLogin added in v0.46.0 

func (f UsersFacet) PasswordLogin(ctx context.Context, email, pass string, extra map[string]any) (string, time.Time, error)

PasswordLogin calls Service.PasswordLogin.

func (UsersFacet) PasswordLoginByUserID added in v0.46.0 

func (f UsersFacet) PasswordLoginByUserID(ctx context.Context, userID, pass string, extra map[string]any) (string, time.Time, error)

PasswordLoginByUserID calls Service.PasswordLoginByUserID.

func (UsersFacet) PatchUserMetadata added in v0.46.0 

func (f UsersFacet) PatchUserMetadata(ctx context.Context, userID string, patch map[string]any) error

PatchUserMetadata calls Service.PatchUserMetadata.

func (UsersFacet) RequestEmailChange added in v0.46.0 

func (f UsersFacet) RequestEmailChange(ctx context.Context, userID, newEmail string) error

RequestEmailChange calls Service.RequestEmailChange.

func (UsersFacet) RequestEmailVerification added in v0.46.0 

func (f UsersFacet) RequestEmailVerification(ctx context.Context, email string, ttl time.Duration) error

RequestEmailVerification calls Service.RequestEmailVerification.

func (UsersFacet) RequestPasswordReset added in v0.46.0 

func (f UsersFacet) RequestPasswordReset(ctx context.Context, email string, ttl time.Duration, ip *string, ua *string) error

RequestPasswordReset calls Service.RequestPasswordReset.

func (UsersFacet) RequestPhoneChange added in v0.46.0 

func (f UsersFacet) RequestPhoneChange(ctx context.Context, userID, newPhone string) error

RequestPhoneChange calls Service.RequestPhoneChange.

func (UsersFacet) RequestPhonePasswordReset added in v0.46.0 

func (f UsersFacet) RequestPhonePasswordReset(ctx context.Context, phone string, ttl time.Duration, ip *string, ua *string) error

RequestPhonePasswordReset calls Service.RequestPhonePasswordReset.

func (UsersFacet) RequestPhoneVerification added in v0.46.0 

func (f UsersFacet) RequestPhoneVerification(ctx context.Context, phone string, ttl time.Duration) error

RequestPhoneVerification calls Service.RequestPhoneVerification.

func (UsersFacet) ResendEmailChangeCode added in v0.46.0 

func (f UsersFacet) ResendEmailChangeCode(ctx context.Context, userID string) error

ResendEmailChangeCode calls Service.ResendEmailChangeCode.

func (UsersFacet) ResendPhoneChangeCode added in v0.46.0 

func (f UsersFacet) ResendPhoneChangeCode(ctx context.Context, userID, phone string) error

ResendPhoneChangeCode calls Service.ResendPhoneChangeCode.

func (UsersFacet) RestoreUser added in v0.46.0 

func (f UsersFacet) RestoreUser(ctx context.Context, id string) error

RestoreUser calls Service.RestoreUser.

func (UsersFacet) SendPhoneVerificationToUser added in v0.46.0 

func (f UsersFacet) SendPhoneVerificationToUser(ctx context.Context, phone, userID string, ttl time.Duration) error

SendPhoneVerificationToUser calls Service.SendPhoneVerificationToUser.

func (UsersFacet) SendWelcome added in v0.46.0 

func (f UsersFacet) SendWelcome(ctx context.Context, userID string)

SendWelcome calls Service.SendWelcome.

func (UsersFacet) SetEmailVerified added in v0.46.0 

func (f UsersFacet) SetEmailVerified(ctx context.Context, id string, v bool) error

SetEmailVerified calls Service.SetEmailVerified.

func (UsersFacet) SetPasswordAfterFreshAuth added in v0.46.0 

func (f UsersFacet) SetPasswordAfterFreshAuth(ctx context.Context, userID, new string, keepSessionID *string) error

SetPasswordAfterFreshAuth calls Service.SetPasswordAfterFreshAuth.

func (UsersFacet) SetPreferredLocale added in v0.46.0 

func (f UsersFacet) SetPreferredLocale(ctx context.Context, userID, locale, source string) error

SetPreferredLocale calls Service.SetPreferredLocale.

func (UsersFacet) SoftDeleteUser added in v0.46.0 

func (f UsersFacet) SoftDeleteUser(ctx context.Context, id string) error

SoftDeleteUser calls Service.SoftDeleteUser.

func (UsersFacet) TimeUntilUsernameRenameAvailable added in v0.46.0 

func (f UsersFacet) TimeUntilUsernameRenameAvailable(ctx context.Context, userID string, now time.Time) (int64, error)

TimeUntilUsernameRenameAvailable calls Service.TimeUntilUsernameRenameAvailable.

func (UsersFacet) UnbanUser added in v0.46.0 

func (f UsersFacet) UnbanUser(ctx context.Context, userID string) error

UnbanUser calls Service.UnbanUser.

func (UsersFacet) UpdateBiography added in v0.46.0 

func (f UsersFacet) UpdateBiography(ctx context.Context, id string, bio *string) error

UpdateBiography calls Service.UpdateBiography.

func (UsersFacet) UpdateEmail added in v0.46.0 

func (f UsersFacet) UpdateEmail(ctx context.Context, id, email string) error

UpdateEmail calls Service.UpdateEmail.

func (UsersFacet) UpdateImportedUser added in v0.46.0 

func (f UsersFacet) UpdateImportedUser(ctx context.Context, userID string, input ImportUserInput) (*User, error)

UpdateImportedUser calls Service.UpdateImportedUser.

func (UsersFacet) UpdateUsername added in v0.46.0 

func (f UsersFacet) UpdateUsername(ctx context.Context, id, username string) error

UpdateUsername calls Service.UpdateUsername.

func (UsersFacet) UpdateUsernameForce added in v0.46.0 

func (f UsersFacet) UpdateUsernameForce(ctx context.Context, id, username string) error

UpdateUsernameForce calls Service.UpdateUsernameForce.

func (UsersFacet) UpsertPasswordHash added in v0.46.0 

func (f UsersFacet) UpsertPasswordHash(ctx context.Context, userID, hash, algo string, params []byte) error

UpsertPasswordHash calls Service.UpsertPasswordHash.

func (UsersFacet) ValidateUsernameForRegistration added in v0.46.0 

func (f UsersFacet) ValidateUsernameForRegistration(ctx context.Context, username string) (string, error)

ValidateUsernameForRegistration calls Service.ValidateUsernameForRegistration.

func (UsersFacet) ValidateUsernameForUser added in v0.46.0 

func (f UsersFacet) ValidateUsernameForUser(ctx context.Context, username, userID string) (slug, excludeOrgID string, err error)

ValidateUsernameForUser calls Service.ValidateUsernameForUser.

func (UsersFacet) VerifyPendingPassword added in v0.46.0 

func (f UsersFacet) VerifyPendingPassword(ctx context.Context, email, pass string) bool

VerifyPendingPassword calls Service.VerifyPendingPassword.

func (UsersFacet) VerifyPendingPhonePassword added in v0.46.0 

func (f UsersFacet) VerifyPendingPhonePassword(ctx context.Context, phone, pass string) bool

VerifyPendingPhonePassword calls Service.VerifyPendingPhonePassword.

func (UsersFacet) VerifyUserPassword added in v0.46.0 

func (f UsersFacet) VerifyUserPassword(ctx context.Context, userID, pass string) bool

VerifyUserPassword calls Service.VerifyUserPassword.

type ValidationError added in v0.8.6 

type ValidationError struct {
	Code              string
	RetryAfterSeconds int64
}

ValidationError is the stable identity-policy error returned by AuthKit validation helpers. Code is intended to be exposed directly in route responses as {"error":"code"}.

func (*ValidationError) Error added in v0.8.6 

func (e *ValidationError) Error() string

type VerificationMessage added in v0.5.0 

type VerificationMessage struct {
	// Fixed-length numeric code for manual entry (optional).
	Code string
	// High-entropy token for one-click verification link flow (optional).
	LinkToken string
}

func (VerificationMessage) Validate added in v0.5.0 

func (m VerificationMessage) Validate() error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.