admin

package
v0.0.49 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 2, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrAdminUnauthorized = fmt.Errorf("admin authentication required")
	ErrAdminForbidden    = fmt.Errorf("admin access denied")
)

Common errors for admin auth

Functions

func MintResourceToken

func MintResourceToken(userID, appClientID, appSecret string, quota AppQuota, scopes []string) (string, error)

MintResourceToken creates a resource-scoped JWT for a user on behalf of a registered App, signed with the app's shared secret (HS256). This is the backwards-compatible API.

func MintResourceTokenWithKey

func MintResourceTokenWithKey(userID, appClientID string, signingKey any, quota AppQuota, scopes []string) (string, error)

MintResourceTokenWithKey creates a resource-scoped JWT signed with the provided key. The signing algorithm is auto-detected from the key type:

  • []byte → HS256
  • *rsa.PrivateKey → RS256
  • *ecdsa.PrivateKey → ES256

Types

type APIKeyAuth

type APIKeyAuth struct {
	// contains filtered or unexported fields
}

APIKeyAuth authenticates requests using a shared API key passed in the X-Admin-Key header.

func NewAPIKeyAuth

func NewAPIKeyAuth(key string) *APIKeyAuth

NewAPIKeyAuth creates an AdminAuth that validates the X-Admin-Key header.

func (*APIKeyAuth) Authenticate

func (a *APIKeyAuth) Authenticate(r *http.Request) error

type AdminAuth

type AdminAuth interface {
	// Authenticate checks whether the request is authorized.
	// Returns nil if authorized, or an error describing why not.
	Authenticate(r *http.Request) error
}

AdminAuth authenticates admin requests to protected endpoints (e.g., Host registration, key rotation).

type AppQuota

type AppQuota struct {
	MaxRooms   int     `json:"max_rooms,omitempty"`
	MaxMsgRate float64 `json:"max_msg_rate,omitempty"`
}

AppQuota contains per-app quota limits embedded as custom claims in resource-scoped JWTs.

type AppRegistrar

type AppRegistrar struct {
	KeyStore keys.KeyStorage
	Auth     AdminAuth

	// KidStore retains old keys during rotation grace periods so that
	// in-flight tokens signed with the previous key remain verifiable.
	// If nil, rotation replaces the key immediately with no grace period.
	KidStore *keys.KidStore

	// DefaultGracePeriod is the default grace period for key rotation
	// when not specified in the request. Defaults to 24h.
	DefaultGracePeriod time.Duration
	// contains filtered or unexported fields
}

AppRegistrar is an embeddable HTTP handler for App registration CRUD. Mount it on any admin service's mux to let apps register and obtain signing credentials.

func (*AppRegistrar) Handler

func (h *AppRegistrar) Handler() http.Handler

Handler returns an http.Handler for app registration endpoints.

func (*AppRegistrar) RLockApps

func (h *AppRegistrar) RLockApps(fn func(map[string]*AppRegistration))

RLockApps calls fn with a read-locked view of all registered apps.

type AppRegistration

type AppRegistration struct {
	ClientID     string    `json:"client_id"`
	ClientDomain string    `json:"client_domain"`
	SigningAlg   string    `json:"signing_alg"`
	MaxRooms     int       `json:"max_rooms,omitempty"`
	MaxMsgRate   float64   `json:"max_msg_rate,omitempty"`
	CreatedAt    time.Time `json:"created_at"`
	Revoked      bool      `json:"revoked"`
}

AppRegistration holds metadata about a registered App.

type NoAuth

type NoAuth struct{}

NoAuth allows all requests. For development/testing only.

func NewNoAuth

func NewNoAuth() *NoAuth

func (*NoAuth) Authenticate

func (a *NoAuth) Authenticate(r *http.Request) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL