admin

package
v0.0.78 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 27, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrAdminUnauthorized = fmt.Errorf("admin authentication required")
	ErrAdminForbidden    = fmt.Errorf("admin access denied")
)

Common errors for admin auth

Functions

func MintResourceToken

func MintResourceToken(userID, appClientID, appSecret string, quota AppQuota, scopes []string, authzDetails []core.AuthorizationDetail) (string, error)

MintResourceToken creates a resource-scoped JWT for a user on behalf of a registered App, signed with the app's shared secret (HS256). This is the backwards-compatible API.

func MintResourceTokenWithKey

func MintResourceTokenWithKey(userID, appClientID string, signingKey any, quota AppQuota, scopes []string, authzDetails []core.AuthorizationDetail) (string, error)

MintResourceTokenWithKey creates a resource-scoped JWT signed with the provided key. The signing algorithm is auto-detected from the key type:

  • []byte → HS256
  • *rsa.PrivateKey → RS256
  • *ecdsa.PrivateKey → ES256

Types

type APIKeyAuth

type APIKeyAuth struct {
	// contains filtered or unexported fields
}

APIKeyAuth authenticates requests using a shared API key passed in the X-Admin-Key header.

func NewAPIKeyAuth

func NewAPIKeyAuth(key string) *APIKeyAuth

NewAPIKeyAuth creates an AdminAuth that validates the X-Admin-Key header.

func (*APIKeyAuth) Authenticate

func (a *APIKeyAuth) Authenticate(r *http.Request) error

type AdminAuth

type AdminAuth interface {
	// Authenticate checks whether the request is authorized.
	// Returns nil if authorized, or an error describing why not.
	Authenticate(r *http.Request) error
}

AdminAuth authenticates admin requests to protected endpoints (e.g., Host registration, key rotation).

type AppQuota

type AppQuota struct {
	MaxRooms   int     `json:"max_rooms,omitempty"`
	MaxMsgRate float64 `json:"max_msg_rate,omitempty"`
}

AppQuota contains per-app quota limits embedded as custom claims in resource-scoped JWTs.

type AppRegistrar

type AppRegistrar struct {
	KeyStore keys.KeyStorage
	Auth     AdminAuth

	// KidStore retains old keys during rotation grace periods so that
	// in-flight tokens signed with the previous key remain verifiable.
	// If nil, rotation replaces the key immediately with no grace period.
	KidStore *keys.KidStore

	// DefaultGracePeriod is the default grace period for key rotation
	// when not specified in the request. Defaults to 24h.
	DefaultGracePeriod time.Duration
	// contains filtered or unexported fields
}

AppRegistrar is an embeddable HTTP handler for App registration CRUD. Mount it on any admin service's mux to let apps register and obtain signing credentials. Create with NewAppRegistrar().

func NewAppRegistrar added in v0.0.53

func NewAppRegistrar(keyStore keys.KeyStorage, auth AdminAuth) *AppRegistrar

NewAppRegistrar creates an AppRegistrar with initialized internal state.

func (*AppRegistrar) Handler

func (h *AppRegistrar) Handler() http.Handler

Handler returns an http.Handler for app registration endpoints. Includes both custom OneAuth API and RFC 7591 DCR endpoint:

POST /apps/register  — OneAuth custom registration
POST /apps/dcr       — RFC 7591 Dynamic Client Registration
GET  /apps           — List all apps
GET  /apps/{id}      — Get app metadata
DELETE /apps/{id}    — Delete app
POST /apps/{id}/rotate — Rotate secret/key

func (*AppRegistrar) RLockApps

func (h *AppRegistrar) RLockApps(fn func(map[string]*AppRegistration))

RLockApps calls fn with a read-locked view of all registered apps.

type AppRegistration

type AppRegistration struct {
	ClientID                  string    `json:"client_id"`
	ClientDomain              string    `json:"client_domain"`
	SigningAlg                string    `json:"signing_alg"`
	MaxRooms                  int       `json:"max_rooms,omitempty"`
	MaxMsgRate                float64   `json:"max_msg_rate,omitempty"`
	AuthorizationDetailsTypes []string  `json:"authorization_details_types,omitempty"` // RFC 9396
	CreatedAt                 time.Time `json:"created_at"`
	Revoked                   bool      `json:"revoked"`
}

AppRegistration holds metadata about a registered App.

type DCRHandler added in v0.0.62

type DCRHandler struct {
	// KeyStore stores client credentials (same KeyStore as AppRegistrar).
	KeyStore keys.KeyStorage

	// Auth authenticates the caller. Supports both:
	//   - Initial access token via Authorization: Bearer header (RFC 7591 §3)
	//   - X-Admin-Key header (OneAuth custom, backward-compatible)
	// If nil, registration is open (not recommended for production).
	Auth AdminAuth

	// Registrar is the underlying AppRegistrar for metadata storage.
	// If nil, client metadata is not persisted (only KeyStore is used).
	Registrar *AppRegistrar
}

DCRHandler implements OAuth 2.0 Dynamic Client Registration (RFC 7591) as a conformance wrapper around AppRegistrar. It accepts standard DCR request format and maps to/from the internal AppRegistrar model.

Automatically mounted by AppRegistrar.Handler() at POST /apps/dcr. Existing /apps/* endpoints continue working unchanged.

See: https://www.rfc-editor.org/rfc/rfc7591

func (*DCRHandler) ServeHTTP added in v0.0.62

func (h *DCRHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP handles POST /register per RFC 7591.

type DCRRequest added in v0.0.62

type DCRRequest struct {
	// Client metadata
	ClientName   string   `json:"client_name,omitempty"`
	ClientURI    string   `json:"client_uri,omitempty"`
	RedirectURIs []string `json:"redirect_uris,omitempty"`
	GrantTypes   []string `json:"grant_types,omitempty"`
	Scope        string   `json:"scope,omitempty"`

	// Authentication method
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`

	// RFC 9396 — authorization details types this client intends to use
	AuthorizationDetailsTypes []string `json:"authorization_details_types,omitempty"`

	// Keys — for asymmetric auth methods (private_key_jwt)
	JWKS *utils.JWKSet `json:"jwks,omitempty"`
}

DCRRequest is the RFC 7591 client registration request. See: https://www.rfc-editor.org/rfc/rfc7591#section-2

type DCRResponse added in v0.0.62

type DCRResponse struct {
	ClientID                  string   `json:"client_id"`
	ClientSecret              string   `json:"client_secret,omitempty"`
	ClientIDIssuedAt          int64    `json:"client_id_issued_at"`
	ClientSecretExpiresAt     int64    `json:"client_secret_expires_at"`
	ClientName                string   `json:"client_name,omitempty"`
	ClientURI                 string   `json:"client_uri,omitempty"`
	RedirectURIs              []string `json:"redirect_uris,omitempty"`
	GrantTypes                []string `json:"grant_types,omitempty"`
	TokenEndpointAuthMethod   string   `json:"token_endpoint_auth_method,omitempty"`
	Scope                     string   `json:"scope,omitempty"`
	AuthorizationDetailsTypes []string `json:"authorization_details_types,omitempty"` // RFC 9396
}

DCRResponse is the RFC 7591 client registration response. See: https://www.rfc-editor.org/rfc/rfc7591#section-3.2.1

type NoAuth

type NoAuth struct{}

NoAuth allows all requests. For development/testing only.

func NewNoAuth

func NewNoAuth() *NoAuth

func (*NoAuth) Authenticate

func (a *NoAuth) Authenticate(r *http.Request) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL