Documentation
¶
Index ¶
- Constants
- func ClearPKCECookie(w http.ResponseWriter)
- func GenerateCodeVerifier() (string, error)
- func GetPKCEVerifier(r *http.Request) string
- func OauthRedirector(oauthConfig *oauth2.Config) func(w http.ResponseWriter, r *http.Request)
- func OauthRedirectorNoPKCE(oauthConfig *oauth2.Config) func(w http.ResponseWriter, r *http.Request)
- func OauthRedirectorWithPKCE(oauthConfig *oauth2.Config, secure bool) func(w http.ResponseWriter, r *http.Request)
- func SetPKCECookie(w http.ResponseWriter, verifier string, secure bool)
- type BaseOAuth2
- type GithubOAuth2
- type GoogleOAuth2
- type HandleUserFunc
Constants ¶
const ( // PKCECookieName is the cookie name for storing the code verifier. PKCECookieName = "pkce_verifier" // PKCECookieTTL is how long the verifier cookie lives (covers the OAuth round-trip). PKCECookieTTL = 10 * time.Minute // CodeVerifierLength is the length of the random verifier in bytes (before base64). // 32 bytes → 43 base64url characters, which is the minimum per RFC 7636. CodeVerifierLength = 32 )
Variables ¶
This section is empty.
Functions ¶
func ClearPKCECookie ¶ added in v0.0.47
func ClearPKCECookie(w http.ResponseWriter)
ClearPKCECookie removes the PKCE verifier cookie after use.
func GenerateCodeVerifier ¶ added in v0.0.47
GenerateCodeVerifier creates a cryptographically random code verifier per RFC 7636 §4.1. Returns a 43-character base64url-encoded string.
func GetPKCEVerifier ¶ added in v0.0.47
GetPKCEVerifier reads the code verifier from the request cookie. Returns empty string if the cookie is not present.
func OauthRedirector ¶
OauthRedirector creates a redirect handler with PKCE enabled (default).
func OauthRedirectorNoPKCE ¶ added in v0.0.47
OauthRedirectorNoPKCE creates a redirect handler WITHOUT PKCE. Use only for OAuth providers that don't support PKCE.
func OauthRedirectorWithPKCE ¶ added in v0.0.47
func OauthRedirectorWithPKCE(oauthConfig *oauth2.Config, secure bool) func(w http.ResponseWriter, r *http.Request)
OauthRedirectorWithPKCE creates a redirect handler with PKCE support (RFC 7636). When secure is true, the PKCE cookie is marked Secure (HTTPS only).
func SetPKCECookie ¶ added in v0.0.47
func SetPKCECookie(w http.ResponseWriter, verifier string, secure bool)
SetPKCECookie stores the code verifier in an HttpOnly cookie for the duration of the OAuth flow. The cookie is read back in the callback handler and sent as the code_verifier in the token exchange.
Types ¶
type BaseOAuth2 ¶
type BaseOAuth2 struct {
ClientId string
ClientSecret string
CallbackURL string
HandleUser HandleUserFunc
AuthFailureUrl string
// HTTPClient is used for making HTTP requests during OAuth flows.
// If nil, http.DefaultClient is used. This can be set for testing.
HTTPClient *http.Client
// DisablePKCE disables Proof Key for Code Exchange (RFC 7636).
// PKCE is enabled by default (zero value = enabled) because OAuth 2.1
// requires it for all clients. Set to true only for providers that
// don't support PKCE — a warning will be logged on startup.
DisablePKCE bool
// SecureCookies sets the Secure flag on PKCE and state cookies (HTTPS only).
SecureCookies bool
// contains filtered or unexported fields
}
func NewBaseOAuth2 ¶
func NewBaseOAuth2(clientId string, clientSecret string, callbackUrl string, handleUser HandleUserFunc) *BaseOAuth2
func (*BaseOAuth2) ExchangeContext ¶
func (b *BaseOAuth2) ExchangeContext() context.Context
ExchangeContext returns a context configured with the HTTP client for token exchange
func (*BaseOAuth2) Handler ¶
func (b *BaseOAuth2) Handler() http.Handler
func (*BaseOAuth2) SetHTTPClient ¶
func (b *BaseOAuth2) SetHTTPClient(client *http.Client)
SetHTTPClient sets the HTTP client used for OAuth requests. This is primarily used for testing with mock servers.
func (*BaseOAuth2) SetOAuthEndpoint ¶
func (b *BaseOAuth2) SetOAuthEndpoint(endpoint oauth2.Endpoint)
SetOAuthEndpoint sets the OAuth endpoint (auth URL and token URL). This is primarily used for testing with mock servers.
type GithubOAuth2 ¶
type GithubOAuth2 struct {
*BaseOAuth2
// UserInfoURL is the URL to fetch user info from. Defaults to GitHub's API.
// Can be overridden for testing.
UserInfoURL string
}
func NewGithubOAuth2 ¶
func NewGithubOAuth2(clientId string, clientSecret string, callbackUrl string, handleUser HandleUserFunc) *GithubOAuth2
type GoogleOAuth2 ¶
type GoogleOAuth2 struct {
*BaseOAuth2
// UserInfoURL is the URL to fetch user info from. Defaults to Google's API.
// Can be overridden for testing.
UserInfoURL string
}
func NewGoogleOAuth2 ¶
func NewGoogleOAuth2(clientId string, clientSecret string, callbackUrl string, handleUser HandleUserFunc) *GoogleOAuth2