Documentation

Index
- func MaskAPIKey(key string) string
- type CreateInput
- type CreateResult
- type EncryptionService
- type ListInput
- type RevokeInput
- type Service
- func (s *Service) Create(ctx context.Context, input CreateInput) (*CreateResult, error)
- func (s *Service) Delete(ctx context.Context, id, tenantIDStr string) error
- func (s *Service) Get(ctx context.Context, id, tenantIDStr string) (*apikeydom.APIKey, error)
- func (s *Service) List(ctx context.Context, input ListInput) (apikeydom.ListResult, error)
- func (s *Service) Revoke(ctx context.Context, input RevokeInput) (*apikeydom.APIKey, error)
Constants

This section is empty.

Variables

This section is empty.

Functions

func MaskAPIKey

func MaskAPIKey(key string) string

MaskAPIKey returns a masked version of an API key for logging/display. Shows first 4 and last 4 characters: "sk-ab...xyz"
Types

type CreateInput

type CreateInput struct {
	TenantID      string   `json:"tenant_id" validate:"required,uuid"`
	UserID        string   `json:"user_id" validate:"omitempty,uuid"`
	Name          string   `json:"name" validate:"required,min=1,max=255"`
	Description   string   `json:"description" validate:"max=1000"`
	Scopes        []string `json:"scopes" validate:"max=50"`
	RateLimit     int      `json:"rate_limit"`
	ExpiresInDays int      `json:"expires_in_days"`
	CreatedBy     string   `json:"created_by" validate:"omitempty,uuid"`
}
CreateInput represents input for creating an API key.
type CreateResult

type CreateResult struct {
	Key       *apikeydom.APIKey
	Plaintext string // Only returned once on creation
}
CreateResult holds the created key and its plaintext (shown only once).
type EncryptionService

type EncryptionService struct {
	// contains filtered or unexported fields
}

EncryptionService handles encryption and decryption of tenant API keys.

func NewEncryptionService

func NewEncryptionService(encryptor crypto.Encryptor) *EncryptionService

NewEncryptionService creates a new EncryptionService. If encryptor is nil, a NoOpEncryptor is used (for development only).

func (*EncryptionService) Decrypt

func (s *EncryptionService) Decrypt(encryptedKey string) (string, error)

Decrypt decrypts an API key from storage. If the key is not encrypted (no prefix), returns it as-is (backward compatibility).

func (*EncryptionService) Encrypt

func (s *EncryptionService) Encrypt(plainKey string) (string, error)

Encrypt encrypts an API key for secure storage. Returns a prefixed string to identify encrypted values: "enc:v1:<ciphertext>"

func (*EncryptionService) IsEncrypted

func (s *EncryptionService) IsEncrypted(key string) bool

IsEncrypted checks if an API key is already encrypted.
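The three methods above describe a versioned storage format: ciphertext is tagged with an "enc:v1:" prefix, IsEncrypted keys off that prefix, and Decrypt passes unprefixed legacy rows through unchanged. The following is an added example, not code from this package or its crypto.Encryptor interface. It assumes AES-256-GCM with a base64url payload of nonce||ciphertext||tag, binds the version prefix into the ciphertext as associated data so a tag from one format version cannot be replayed under another, and refuses to double-encrypt an already prefixed value. The type name KeyEncryptor and the 32-byte key (assumed to be derived from APP_ENCRYPTION_KEY) are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Prefix as documented on the page; cipher and payload encoding are assumptions.
const encPrefixV1 = "enc:v1:"

// KeyEncryptor stands in for the page's EncryptionService (assumed shape).
type KeyEncryptor struct {
	aead cipher.AEAD
}

// NewKeyEncryptor wraps a 32-byte data-encryption key in AES-256-GCM.
func NewKeyEncryptor(key []byte) (*KeyEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("encryption key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyEncryptor{aead: aead}, nil
}

// IsEncrypted treats a stored value as ciphertext only when it carries the version prefix.
func (e *KeyEncryptor) IsEncrypted(stored string) bool {
	return strings.HasPrefix(stored, encPrefixV1)
}

// Encrypt returns "enc:v1:" + base64url(nonce || ciphertext || tag).
// Re-encrypting a prefixed value is refused so a double wrap cannot silently
// break later decryption.
func (e *KeyEncryptor) Encrypt(plainKey string) (string, error) {
	if e.IsEncrypted(plainKey) {
		return "", errors.New("value already carries the enc:v1 prefix")
	}
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// The prefix is authenticated as associated data, binding the format version.
	sealed := e.aead.Seal(nonce, nonce, []byte(plainKey), []byte(encPrefixV1))
	return encPrefixV1 + base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Decrypt handles both stored formats: prefixed values are authenticated and
// decrypted; unprefixed values are legacy plaintext rows and are returned as-is.
func (e *KeyEncryptor) Decrypt(stored string) (string, error) {
	if !e.IsEncrypted(stored) {
		return stored, nil // backward compatibility with pre-encryption rows
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(stored, encPrefixV1))
	if err != nil {
		return "", fmt.Errorf("malformed enc:v1 payload: %w", err)
	}
	ns := e.aead.NonceSize()
	if len(raw) < ns+e.aead.Overhead() {
		return "", errors.New("enc:v1 payload too short")
	}
	plain, err := e.aead.Open(nil, raw[:ns], raw[ns:], []byte(encPrefixV1))
	if err != nil {
		return "", errors.New("ciphertext authentication failed (wrong key or tampered row)")
	}
	return string(plain), nil
}

func main() {
	key := make([]byte, 32) // constructed key; production loads it from APP_ENCRYPTION_KEY
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	enc, _ := NewKeyEncryptor(key)
	stored, _ := enc.Encrypt("sk-constructed-sample-key")
	fmt.Println(stored)
	back, _ := enc.Decrypt(stored)
	fmt.Println(back)
}
```

The legacy passthrough in Decrypt is what makes a rolling migration possible (rows are re-encrypted as they are touched), but it also means a tampered row can be downgraded to "plaintext" simply by stripping the prefix; once every row is migrated, the passthrough branch should return an error instead.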
type ListInput

type ListInput struct {
	TenantID  string `json:"tenant_id" validate:"required,uuid"`
	Status    string `json:"status"`
	Search    string `json:"search"`
	Page      int    `json:"page"`
	PerPage   int    `json:"per_page"`
	SortBy    string `json:"sort_by"`
	SortOrder string `json:"sort_order"`
}
ListInput represents input for listing API keys.
type RevokeInput

type RevokeInput struct {
	ID        string `json:"id" validate:"required,uuid"`
	TenantID  string `json:"tenant_id" validate:"required,uuid"`
	RevokedBy string `json:"revoked_by" validate:"required,uuid"`
}
RevokeInput represents input for revoking an API key.
type Service

type Service struct {
	// contains filtered or unexported fields
}
Service provides business logic for API key management. pepper is the server-side secret mixed into every new key's stored hash via HMAC-SHA256 (pkg/crypto.HashTokenPeppered). Empty pepper falls back to plain SHA-256 — acceptable only in dev. When the DB is leaked but APP_ENCRYPTION_KEY is not, peppered rows resist offline brute-force against the leaked key_hash column (hashcat / rainbow tables without the HMAC key cannot recover the raw key).
func NewService

NewService creates a new Service. pepper should be APP_ENCRYPTION_KEY (or a dedicated secret derived from it).

func (*Service) Create

func (s *Service) Create(ctx context.Context, input CreateInput) (*CreateResult, error)
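The Service and NewService documentation above describes the threat the pepper addresses: a leaked key_hash column hashed with HMAC-SHA256 under a server-side secret cannot be brute-forced offline, whereas the plain SHA-256 fallback can. The MaskAPIKey contract documented earlier (first 4 and last 4 characters visible) is the logging counterpart. The following is an added example that is not this package's code and does not call pkg/crypto.HashTokenPeppered; HashToken models the behaviour the page attributes to it, MaskForLog is an assumed re-implementation of the masking rule (it fully redacts keys of 8 characters or fewer, a choice of this example), and the "sk-" key prefix, the KeyStore type and RecoverableFromLeak are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// MaskForLog shows the first 4 and last 4 characters, as the page documents
// for MaskAPIKey (assumed re-implementation). Keys too short to mask without
// revealing most of the value are fully redacted instead.
func MaskForLog(key string) string {
	const keep = 4
	if len(key) <= 2*keep {
		return strings.Repeat("*", len(key))
	}
	return key[:keep] + "..." + key[len(key)-keep:]
}

// HashToken models the documented behaviour of pkg/crypto.HashTokenPeppered
// (assumed, not the project's code): HMAC-SHA256 keyed with the pepper, or
// plain SHA-256 when the pepper is empty (dev-only fallback).
func HashToken(pepper []byte, token string) string {
	if len(pepper) == 0 {
		sum := sha256.Sum256([]byte(token)) // unkeyed: guessable offline
		return hex.EncodeToString(sum[:])
	}
	mac := hmac.New(sha256.New, pepper)
	mac.Write([]byte(token))
	return hex.EncodeToString(mac.Sum(nil))
}

// GenerateKey returns a fresh random key; the prefix format is an assumption.
func GenerateKey(prefix string) (string, error) {
	raw := make([]byte, 24) // 192 bits of entropy
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return prefix + hex.EncodeToString(raw), nil
}

// KeyStore stands in for the key_hash column: only hashes are persisted.
type KeyStore struct {
	pepper []byte
	byHash map[string]string // key_hash -> key id
}

func NewKeyStore(pepper []byte) *KeyStore {
	return &KeyStore{pepper: pepper, byHash: map[string]string{}}
}

// Store persists the peppered hash; the plaintext is shown once and dropped.
func (ks *KeyStore) Store(id, plaintext string) {
	ks.byHash[HashToken(ks.pepper, plaintext)] = id
}

// Lookup authenticates a presented key by recomputing its peppered hash and
// looking it up by equality, as an indexed query on key_hash would.
func (ks *KeyStore) Lookup(presented string) (string, bool) {
	id, ok := ks.byHash[HashToken(ks.pepper, presented)]
	return id, ok
}

// RecoverableFromLeak models the page's scenario: key_hash has leaked but
// APP_ENCRYPTION_KEY has not, so the only computation available is unkeyed
// SHA-256 over guesses. Unpeppered rows can match; peppered rows never do.
func RecoverableFromLeak(leakedHash string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if HashToken(nil, c) == leakedHash {
			return c, true
		}
	}
	return "", false
}

func main() {
	pepper := []byte("constructed-pepper-use-APP_ENCRYPTION_KEY-in-production")
	store := NewKeyStore(pepper)
	plaintext, err := GenerateKey("sk-")
	if err != nil {
		panic(err)
	}
	store.Store("key-1", plaintext)
	fmt.Println("issued", MaskForLog(plaintext)) // never log the full key
	if id, ok := store.Lookup(plaintext); ok {
		fmt.Println("authenticated as", id)
	}
}
```

Because the hash is keyed, a stolen key_hash column is only useful together with the pepper, which is why the page wants the pepper kept in APP_ENCRYPTION_KEY rather than next to the data; rotating the pepper invalidates every stored hash, so rotation needs a re-hash-on-next-use path or a per-row pepper version.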
Create generates and stores a new API key.