Documentation
¶
Index ¶
- Constants
- func IsAuthenticated(ctx context.Context) bool
- func IsAuthenticatedWithConfig(ctx context.Context, config *Config) bool
- func StreamAuthInterceptor(config *InterceptorConfig) grpc.StreamServerInterceptor
- func SubjectFromContext(ctx context.Context) string
- func SubjectFromContextWithConfig(ctx context.Context, config *Config) string
- func SubjectToOutgoingContext(ctx context.Context, subject string) context.Context
- func SubjectToOutgoingContextWithKey(ctx context.Context, subject string, key string) context.Context
- func SwitchUserToOutgoingContext(ctx context.Context, switchToUserID string) context.Context
- func SwitchUserToOutgoingContextWithKey(ctx context.Context, switchToUserID string, key string) context.Context
- func UnaryAuthInterceptor(config *InterceptorConfig) grpc.UnaryServerInterceptor
- type Config
- type InterceptorConfig
Constants ¶
const ( // DefaultMetadataKeySubject is the default gRPC metadata key for the // authenticated subject (RFC 7519 `sub` — user ID for human-driven // flows, client_id for client_credentials). DefaultMetadataKeySubject = "x-subject" // DefaultMetadataKeySwitchUser is the default gRPC metadata key for // switching to a different user (testing/impersonation only — by // nature scoped to human users, hence retains "User" naming). DefaultMetadataKeySwitchUser = "x-switch-user" )
Default metadata keys for authentication context. These can be customized via Config if needed.
Variables ¶
This section is empty.
Functions ¶
func IsAuthenticated ¶
IsAuthenticated returns true if there is an authenticated subject in the context.
func IsAuthenticatedWithConfig ¶
IsAuthenticatedWithConfig returns true if there is an authenticated subject using the specified config.
func StreamAuthInterceptor ¶
func StreamAuthInterceptor(config *InterceptorConfig) grpc.StreamServerInterceptor
StreamAuthInterceptor returns a gRPC stream interceptor that processes auth metadata.
func SubjectFromContext ¶ added in v0.1.4
SubjectFromContext extracts the authenticated subject from the gRPC context metadata. Returns empty string if no subject is present.
func SubjectFromContextWithConfig ¶ added in v0.1.4
SubjectFromContextWithConfig extracts the authenticated subject using the specified config.
func SubjectToOutgoingContext ¶ added in v0.1.4
SubjectToOutgoingContext adds the subject to outgoing gRPC context metadata.
func SubjectToOutgoingContextWithKey ¶ added in v0.1.4
func SubjectToOutgoingContextWithKey(ctx context.Context, subject string, key string) context.Context
SubjectToOutgoingContextWithKey adds the subject to outgoing gRPC context metadata under a custom key.
func SwitchUserToOutgoingContext ¶
SwitchUserToOutgoingContext adds a switch-user header to outgoing gRPC context metadata. Only effective when EnableSwitchAuth is set on the server.
func SwitchUserToOutgoingContextWithKey ¶
func SwitchUserToOutgoingContextWithKey(ctx context.Context, switchToUserID string, key string) context.Context
SwitchUserToOutgoingContextWithKey adds a switch-user header with a custom key.
func UnaryAuthInterceptor ¶
func UnaryAuthInterceptor(config *InterceptorConfig) grpc.UnaryServerInterceptor
UnaryAuthInterceptor returns a gRPC unary interceptor that processes auth metadata. It handles the switch-user header when EnableSwitchAuth is set in the config.
Types ¶
type Config ¶
type Config struct {
// MetadataKeySubject is the gRPC metadata key carrying the
// authenticated subject. Defaults to "x-subject".
MetadataKeySubject string
// MetadataKeySwitchUser is the gRPC metadata key for impersonation.
// Only used when switch auth is enabled. Defaults to "x-switch-user".
MetadataKeySwitchUser string
// EnableSwitchAuth when true allows the X-Switch-User header to
// override the subject. Should only be enabled in development /
// testing environments.
EnableSwitchAuth bool
}
Config holds the metadata key configuration for auth context.
func (*Config) EnsureDefaults ¶
func (c *Config) EnsureDefaults()
EnsureDefaults fills in default values for any unset fields.
type InterceptorConfig ¶
type InterceptorConfig struct {
// Config holds the metadata key configuration.
*Config
// RequireAuth when true rejects unauthenticated requests.
// When false, requests proceed but SubjectFromContext returns empty.
RequireAuth bool
// PublicMethods is a set of method names that don't require auth.
// Only used when RequireAuth is true.
// Keys should be full method names like "/package.Service/Method".
PublicMethods map[string]bool
}
InterceptorConfig configures the auth interceptor behavior.
func DefaultInterceptorConfig ¶
func DefaultInterceptorConfig() *InterceptorConfig
DefaultInterceptorConfig returns a config that requires auth for all methods.
func NewPublicMethodsConfig ¶
func NewPublicMethodsConfig(publicMethods ...string) *InterceptorConfig
NewPublicMethodsConfig creates a config with the specified public methods.
func OptionalAuthConfig ¶
func OptionalAuthConfig() *InterceptorConfig
OptionalAuthConfig returns a config that allows unauthenticated requests.