admin

package
v0.0.54 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 3, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrAdminUnauthorized = fmt.Errorf("admin authentication required")
	ErrAdminForbidden    = fmt.Errorf("admin access denied")
)

Common errors for admin auth

Functions

func MintResourceToken

func MintResourceToken(userID, appClientID, appSecret string, quota AppQuota, scopes []string) (string, error)

MintResourceToken creates a resource-scoped JWT for a user on behalf of a registered App, signed with the app's shared secret (HS256). This is the backwards-compatible API.

func MintResourceTokenWithKey

func MintResourceTokenWithKey(userID, appClientID string, signingKey any, quota AppQuota, scopes []string) (string, error)

MintResourceTokenWithKey creates a resource-scoped JWT signed with the provided key. The signing algorithm is auto-detected from the key type:

  • []byte → HS256
  • *rsa.PrivateKey → RS256
  • *ecdsa.PrivateKey → ES256

Types

type APIKeyAuth

type APIKeyAuth struct {
	// contains filtered or unexported fields
}

APIKeyAuth authenticates requests using a shared API key passed in the X-Admin-Key header.

func NewAPIKeyAuth

func NewAPIKeyAuth(key string) *APIKeyAuth

NewAPIKeyAuth creates an AdminAuth that validates the X-Admin-Key header.

func (*APIKeyAuth) Authenticate

func (a *APIKeyAuth) Authenticate(r *http.Request) error

type AdminAuth

type AdminAuth interface {
	// Authenticate checks whether the request is authorized.
	// Returns nil if authorized, or an error describing why not.
	Authenticate(r *http.Request) error
}

AdminAuth authenticates admin requests to protected endpoints (e.g., Host registration, key rotation).

type AppQuota

type AppQuota struct {
	MaxRooms   int     `json:"max_rooms,omitempty"`
	MaxMsgRate float64 `json:"max_msg_rate,omitempty"`
}

AppQuota contains per-app quota limits embedded as custom claims in resource-scoped JWTs.

type AppRegistrar

type AppRegistrar struct {
	KeyStore keys.KeyStorage
	Auth     AdminAuth

	// KidStore retains old keys during rotation grace periods so that
	// in-flight tokens signed with the previous key remain verifiable.
	// If nil, rotation replaces the key immediately with no grace period.
	KidStore *keys.KidStore

	// DefaultGracePeriod is the default grace period for key rotation
	// when not specified in the request. Defaults to 24h.
	DefaultGracePeriod time.Duration
	// contains filtered or unexported fields
}

AppRegistrar is an embeddable HTTP handler for App registration CRUD. Mount it on any admin service's mux to let apps register and obtain signing credentials. Create with NewAppRegistrar().

func NewAppRegistrar added in v0.0.53

func NewAppRegistrar(keyStore keys.KeyStorage, auth AdminAuth) *AppRegistrar

NewAppRegistrar creates an AppRegistrar with initialized internal state.

func (*AppRegistrar) Handler

func (h *AppRegistrar) Handler() http.Handler

Handler returns an http.Handler for app registration endpoints.

func (*AppRegistrar) RLockApps

func (h *AppRegistrar) RLockApps(fn func(map[string]*AppRegistration))

RLockApps calls fn with a read-locked view of all registered apps.

type AppRegistration

type AppRegistration struct {
	ClientID     string    `json:"client_id"`
	ClientDomain string    `json:"client_domain"`
	SigningAlg   string    `json:"signing_alg"`
	MaxRooms     int       `json:"max_rooms,omitempty"`
	MaxMsgRate   float64   `json:"max_msg_rate,omitempty"`
	CreatedAt    time.Time `json:"created_at"`
	Revoked      bool      `json:"revoked"`
}

AppRegistration holds metadata about a registered App.

type NoAuth

type NoAuth struct{}

NoAuth allows all requests. For development/testing only.

func NewNoAuth

func NewNoAuth() *NoAuth

func (*NoAuth) Authenticate

func (a *NoAuth) Authenticate(r *http.Request) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL