Documentation
Index
- Constants
- func BlockAccount(ctx context.Context, realm, clientID string) error
- func CreateAuthorization(ctx context.Context, auth *Authorization) error
- func GetAuthorizationEndpoint(c echo.Context) error
- func GetBearerToken(r *http.Request) (string, error)
- func GetClientID(ctx context.Context, r *http.Request) (string, error)
- func LoginConfirmationEndpoint(c echo.Context) error
- func LoginRequestEndpoint(c echo.Context) error
- func LogoutAccount(ctx context.Context, realm, clientID string) error
- func LogoutRequestEndpoint(c echo.Context) error
- func SendAccountChallenge(ctx context.Context, account *Account) error
- func SendAuthToken(ctx context.Context, account *Account) error
- func UpdateAccount(ctx context.Context, account *Account) error
- func UpdateAuthorization(ctx context.Context, auth *Authorization) error
- type Account
- func ConfirmLoginChallenge(ctx context.Context, token string) (*Account, int, error)
- func CreateAccount(ctx context.Context, realm, userID string) (*Account, error)
- func FindAccountByToken(ctx context.Context, token string) (*Account, error)
- func FindAccountByUserID(ctx context.Context, realm, userID string) (*Account, error)
- func LookupAccount(ctx context.Context, realm, clientID string) (*Account, error)
- func ResetAccountChallenge(ctx context.Context, account *Account) (*Account, error)
- func ResetAuthToken(ctx context.Context, account *Account) (*Account, error)
- type Authorization
- type AuthorizationRequest
Constants

const (
	// DatastoreAccounts collection ACCOUNTS
	DatastoreAccounts string = "ACCOUNTS"
	// AccountActive indicates a confirmed account with a valid login
	AccountActive = 1
	// AccountLoggedOut indicates a confirmed account without a valid login
	AccountLoggedOut = 0
	// AccountDeactivated indicates an account that has been deactivated due to
	// e.g. account deletion or UserID swap
	AccountDeactivated = -1
	// AccountBlocked signals an issue with the account that needs intervention
	AccountBlocked = -2
	// AccountUnconfirmed well guess what?
	AccountUnconfirmed = -3
)

const (
	DefaultScope     = "production:read,production:write,production:build,resource:read,resource:write"
	DefaultTokenType = "user"
)

const (
	// DatastoreAuthorizations collection AUTHORIZATION
	DatastoreAuthorizations string = "AUTHORIZATIONS"
	// AuthTypeSimpleToken constant token
	AuthTypeSimpleToken = "token"
	// AuthTypeJWT constant jwt
	AuthTypeJWT = "jwt"
	// AuthTypeSlack constant slack
	AuthTypeSlack = "slack"
	// DefaultAuthenticationExpiration in minutes
	DefaultAuthenticationExpiration = 10
	// DefaultAuthorizationExpiration in days
	DefaultAuthorizationExpiration = 90
)
Variables
This section is empty.
Functions
func CreateAuthorization
func CreateAuthorization(ctx context.Context, auth *Authorization) error
CreateAuthorization creates all data needed for the auth fu
func GetAuthorizationEndpoint
func GetAuthorizationEndpoint(c echo.Context) error
GetAuthorizationEndpoint exchanges a temporary confirmation token for a 'real' token.
POST /auth
status 200: success, the real token is in the response
status 401: token is expired or has already been used, or token and user_id do not match
status 404: token was not found
func GetBearerToken
func GetBearerToken(r *http.Request) (string, error)
GetBearerToken extracts the bearer token from the request.
func GetClientID
func GetClientID(ctx context.Context, r *http.Request) (string, error)
GetClientID extracts the ClientID from the token.
func LoginConfirmationEndpoint
func LoginConfirmationEndpoint(c echo.Context) error
LoginConfirmationEndpoint validates an email.
GET /login/:token
status 204: account is confirmed, next step started
status 400: the request could not be understood by the server due to malformed syntax
status 401: token is wrong
status 403: token is expired or has already been used
status 404: token was not found
func LoginRequestEndpoint
func LoginRequestEndpoint(c echo.Context) error
LoginRequestEndpoint initiates the login process.
It creates a new account if the user does not exist and sends a confirmation request. Once the account is confirmed, it sends the confirmation token that can be swapped for a real login token.
POST /login
status 201: new account, account confirmation sent
status 204: existing account, email with auth token sent
status 400: invalid request data
status 403: only logged-out and confirmed users can proceed
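The two decision tables above (POST /login and GET /login/:token) as one runnable state machine. This is an added example, not the package's handlers: it uses the page's account status constants, keeps the pending one-time confirmation token in Ext1 and its deadline in Expires as the Account doc describes, and the names LoginRequestStatus and ConfirmLoginStatus together with the explicit now argument are assumptions.

```go
package main

import "net/http"

// Account status constants as documented on this page.
const (
	AccountActive      = 1
	AccountLoggedOut   = 0
	AccountDeactivated = -1
	AccountBlocked     = -2
	AccountUnconfirmed = -3
)

// Account keeps only the fields of the page's Account struct the flow uses.
type Account struct {
	UserID  string
	Status  int
	Ext1    string // pending one-time confirmation token (assumed use of Ext1)
	Expires int64  // unix seconds, 0 == never
}

// LoginRequestStatus is the POST /login decision table: nil (no account yet) -> 201,
// logged-out confirmed account -> 204, anything else (active, blocked, deactivated, unconfirmed) -> 403.
func LoginRequestStatus(acc *Account) int {
	switch {
	case acc == nil:
		return http.StatusCreated
	case acc.Status == AccountLoggedOut:
		return http.StatusNoContent
	default:
		return http.StatusForbidden
	}
}

// ConfirmLoginStatus is the GET /login/:token decision table; acc is the
// account the token was looked up for (nil if none). A successful
// confirmation clears the one-time token, so a replay gets 401/403.
func ConfirmLoginStatus(acc *Account, token string, now int64) int {
	switch {
	case acc == nil:
		return http.StatusNotFound
	case acc.Ext1 != token:
		return http.StatusUnauthorized // token is wrong
	case acc.Status != AccountUnconfirmed || (acc.Expires != 0 && now > acc.Expires):
		return http.StatusForbidden // already used or expired
	}
	acc.Status = AccountLoggedOut // confirmed; next step sends the auth token
	acc.Ext1 = ""
	return http.StatusNoContent
}
```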
func LogoutRequestEndpoint
func LogoutRequestEndpoint(c echo.Context) error
func SendAccountChallenge
func SendAccountChallenge(ctx context.Context, account *Account) error
SendAccountChallenge sends a notification to the user prompting them to confirm the account.
func SendAuthToken
func SendAuthToken(ctx context.Context, account *Account) error
SendAuthToken sends a notification to the user with the current authentication token.
func UpdateAuthorization
func UpdateAuthorization(ctx context.Context, auth *Authorization) error
UpdateAuthorization updates all data needed for the auth fu
Types
type Account
type Account struct {
	Realm    string `json:"realm"`     // KEY
	UserID   string `json:"user_id"`   // KEY external id for the entity e.g. email for a user
	ClientID string `json:"client_id"` // a unique id within [realm,user_id]
	// status and other metadata
	Status int `json:"status"` // default == AccountUnconfirmed
	// login auditing
	LastLogin  int64  `json:"-"`
	LoginCount int    `json:"-"`
	LoginFrom  string `json:"-"`
	// internal
	Ext1      string `json:"-"` // universal field, used as needed. e.g. to confirm the account and then to request the real token
	Ext2      string `json:"-"`
	Expires   int64  `json:"-"` // 0 == never
	Confirmed int64  `json:"-"`
	Created   int64  `json:"-"`
	Updated   int64  `json:"-"`
}
Account represents an account for a user or client (e.g. API, bot)
func ConfirmLoginChallenge
func ConfirmLoginChallenge(ctx context.Context, token string) (*Account, int, error)
ConfirmLoginChallenge confirms the account.
func CreateAccount
func CreateAccount(ctx context.Context, realm, userID string) (*Account, error)
CreateAccount creates a new account within a given realm.
func FindAccountByToken
func FindAccountByToken(ctx context.Context, token string) (*Account, error)
FindAccountByToken retrieves an account based on either the temporary token or the auth token.
func FindAccountByUserID
func FindAccountByUserID(ctx context.Context, realm, userID string) (*Account, error)
FindAccountByUserID retrieves an account based on the user id.
func LookupAccount
func LookupAccount(ctx context.Context, realm, clientID string) (*Account, error)
LookupAccount retrieves an account within a given realm.
func ResetAccountChallenge
func ResetAccountChallenge(ctx context.Context, account *Account) (*Account, error)
ResetAccountChallenge creates a new confirmation token and resets the timer.
type Authorization
type Authorization struct {
	ClientID  string `json:"client_id" binding:"required"` // UNIQUE
	Realm     string `json:"realm"`
	Token     string `json:"token" binding:"required"`
	TokenType string `json:"token_type" binding:"required"` // user,app,bot
	UserID    string `json:"user_id"` // depends on TokenType. UserID could equal ClientID or BotUserID in Slack
	Scope     string `json:"scope"`   // a comma separated list of scopes, see below
	Expires   int64  `json:"expires"` // 0 = never
	// internal
	Revoked bool  `json:"-"`
	Created int64 `json:"-"`
	Updated int64 `json:"-"`
}
Authorization represents a user, app or bot and its permissions
func CheckAuthorization
CheckAuthorization relies on the presence of a bearer token and validates the matching authorization against a list of requested scopes. If everything checks out, the function returns the authorization or an error otherwise.
func FindAuthorizationByToken
func FindAuthorizationByToken(ctx context.Context, token string) (*Authorization, error)
FindAuthorizationByToken looks for an authorization by the token
func LookupAuthorization
func LookupAuthorization(ctx context.Context, realm, clientID string) (*Authorization, error)
LookupAuthorization looks for an authorization
func (*Authorization) IsValid
func (a *Authorization) IsValid() bool
IsValid verifies that the Authorization is still valid, i.e. is not expired and not revoked.
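CheckAuthorization and IsValid as described above, written out as an added example rather than the package's code: GetBearerToken, FindAuthorizationByToken and the datastore are replaced by BearerToken (which takes the raw header value instead of *http.Request) and a lookup callback, IsValid takes the clock as an argument where the package's takes none, and scope membership is checked against the comma separated Scope field. DefaultScope is copied from the page's constants.

```go
package main

import (
	"errors"
	"strings"
)

const DefaultScope = "production:read,production:write,production:build,resource:read,resource:write"

// Authorization keeps only the page's fields that validation needs.
type Authorization struct {
	Scope   string // comma separated list of scopes
	Expires int64  // unix seconds, 0 = never
	Revoked bool
}

// IsValid is "not expired and not revoked"; now is a parameter here (assumption) where the package's IsValid() takes none.
func (a *Authorization) IsValid(now int64) bool {
	return !a.Revoked && (a.Expires == 0 || now < a.Expires)
}

// BearerToken extracts <token> from an "Authorization: Bearer <token>" header
// value (the page's GetBearerToken reads it from the *http.Request instead).
func BearerToken(header string) (string, error) {
	parts := strings.SplitN(header, " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || strings.TrimSpace(parts[1]) == "" {
		return "", errors.New("missing or malformed bearer token")
	}
	return strings.TrimSpace(parts[1]), nil
}

// CheckAuthorization resolves the bearer token via lookup (a stand-in for
// FindAuthorizationByToken), rejects an unknown, expired or revoked
// authorization, then requires every requested scope to be granted exactly.
func CheckAuthorization(header string, lookup func(string) *Authorization, now int64, scopes ...string) (*Authorization, error) {
	tok, err := BearerToken(header)
	if err != nil {
		return nil, err
	}
	auth := lookup(tok)
	if auth == nil || !auth.IsValid(now) {
		return nil, errors.New("authorization not found, expired or revoked")
	}
	// Wrap in commas so "production" cannot match "production:read".
	granted := "," + strings.ReplaceAll(auth.Scope, " ", "") + ","
	for _, s := range scopes {
		if !strings.Contains(granted, ","+s+",") {
			return nil, errors.New("missing scope " + s)
		}
	}
	return auth, nil
}
```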
type AuthorizationRequest
type AuthorizationRequest struct {
	Realm    string `json:"realm" binding:"required"`
	UserID   string `json:"user_id" binding:"required"`
	ClientID string `json:"client_id"`
	Token    string `json:"token"`
}
AuthorizationRequest represents a login/authorization request from a user, app, or bot