Documentation
¶
Index ¶
- Variables
- func MintResourceToken(userID, appClientID, appSecret string, quota AppQuota, scopes []string) (string, error)
- func MintResourceTokenWithKey(userID, appClientID string, signingKey any, quota AppQuota, scopes []string) (string, error)
- type APIKeyAuth
- type AdminAuth
- type AppQuota
- type AppRegistrar
- type AppRegistration
- type NoAuth
Constants ¶
This section is empty.
Variables ¶
var ( ErrAdminForbidden = fmt.Errorf("admin access denied") )
Common errors for admin auth
Functions ¶
func MintResourceToken ¶
func MintResourceToken(userID, appClientID, appSecret string, quota AppQuota, scopes []string) (string, error)
MintResourceToken creates a resource-scoped JWT for a user on behalf of a registered App, signed with the app's shared secret (HS256). This is the backwards-compatible API.
func MintResourceTokenWithKey ¶
func MintResourceTokenWithKey(userID, appClientID string, signingKey any, quota AppQuota, scopes []string) (string, error)
MintResourceTokenWithKey creates a resource-scoped JWT signed with the provided key. The signing algorithm is auto-detected from the key type:
- []byte → HS256
- *rsa.PrivateKey → RS256
- *ecdsa.PrivateKey → ES256
Types ¶
type APIKeyAuth ¶
type APIKeyAuth struct {
// contains filtered or unexported fields
}
APIKeyAuth authenticates requests using a shared API key passed in the X-Admin-Key header.
func NewAPIKeyAuth ¶
func NewAPIKeyAuth(key string) *APIKeyAuth
NewAPIKeyAuth creates an AdminAuth that validates the X-Admin-Key header.
func (*APIKeyAuth) Authenticate ¶
func (a *APIKeyAuth) Authenticate(r *http.Request) error
type AdminAuth ¶
type AdminAuth interface {
// Authenticate checks whether the request is authorized.
// Returns nil if authorized, or an error describing why not.
Authenticate(r *http.Request) error
}
AdminAuth authenticates admin requests to protected endpoints (e.g., Host registration, key rotation).
type AppQuota ¶
type AppQuota struct {
MaxRooms int `json:"max_rooms,omitempty"`
MaxMsgRate float64 `json:"max_msg_rate,omitempty"`
}
AppQuota contains per-app quota limits embedded as custom claims in resource-scoped JWTs.
type AppRegistrar ¶
type AppRegistrar struct {
KeyStore keys.KeyStorage
Auth AdminAuth
// KidStore retains old keys during rotation grace periods so that
// in-flight tokens signed with the previous key remain verifiable.
// If nil, rotation replaces the key immediately with no grace period.
KidStore *keys.KidStore
// DefaultGracePeriod is the default grace period for key rotation
// when not specified in the request. Defaults to 24h.
DefaultGracePeriod time.Duration
// contains filtered or unexported fields
}
AppRegistrar is an embeddable HTTP handler for App registration CRUD. Mount it on any admin service's mux to let apps register and obtain signing credentials.
func (*AppRegistrar) Handler ¶
func (h *AppRegistrar) Handler() http.Handler
Handler returns an http.Handler for app registration endpoints.
func (*AppRegistrar) RLockApps ¶
func (h *AppRegistrar) RLockApps(fn func(map[string]*AppRegistration))
RLockApps calls fn with a read-locked view of all registered apps.
type AppRegistration ¶
type AppRegistration struct {
ClientID string `json:"client_id"`
ClientDomain string `json:"client_domain"`
SigningAlg string `json:"signing_alg"`
MaxRooms int `json:"max_rooms,omitempty"`
MaxMsgRate float64 `json:"max_msg_rate,omitempty"`
CreatedAt time.Time `json:"created_at"`
Revoked bool `json:"revoked"`
}
AppRegistration holds metadata about a registered App.