Documentation
¶
Index ¶
- type Authenticator
- func (a *Authenticator) Annotator(ctx context.Context, r *http.Request) metadata.MD
- func (a *Authenticator) CookieRefreshMiddleware(next http.Handler) http.Handler
- func (a *Authenticator) CookieToAuthHeader(next http.Handler) http.Handler
- func (a *Authenticator) HTTPMiddleware(next http.Handler) http.Handler
- func (a *Authenticator) HTTPMiddlewareLenient(next http.Handler) http.Handler
- func (a *Authenticator) RegisterEndpoints(mux *http.ServeMux, limiter ratelimit.Limiter, issuer *auth.Issuer)
- func (a *Authenticator) StreamServerInterceptor() grpc.StreamServerInterceptor
- func (a *Authenticator) UnaryServerInterceptor() grpc.UnaryServerInterceptor
- type AuthenticatorOptions
- type Claims
- type DeviceCodeResponse
- type OwnerType
- type TokenRequest
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator wraps functionality for admin server auth. It provides endpoints for login/logout, creates users, issues cookie-based auth tokens, and provides middleware for authenticating requests. The implementation was derived from: https://auth0.com/docs/quickstart/webapp/golang/01-login.
func NewAuthenticator ¶
func NewAuthenticator(logger *zap.Logger, adm *admin.Service, cookieStore *cookies.Store, opts *AuthenticatorOptions) (*Authenticator, error)
NewAuthenticator creates an Authenticator.
func (*Authenticator) Annotator ¶
Annotator is a gRPC-gateway annotator that moves access tokens in HTTP cookies to the "authorization" gRPC metadata.
func (*Authenticator) CookieRefreshMiddleware ¶ added in v0.78.0
func (a *Authenticator) CookieRefreshMiddleware(next http.Handler) http.Handler
CookieRefreshMiddleware is a middleware that refreshes the auth cookie. This enables us to do rolling cookie refreshes so we can have a relatively short cookie max age. Note that it does not update the auth token encrypted inside the cookie.
func (*Authenticator) CookieToAuthHeader ¶ added in v0.78.0
func (a *Authenticator) CookieToAuthHeader(next http.Handler) http.Handler
CookieToAuthHeader is a middleware that reads the access token from the cookie and sets it in the "Authorization" header only if the Authorization header isn't already present.
func (*Authenticator) HTTPMiddleware ¶
func (a *Authenticator) HTTPMiddleware(next http.Handler) http.Handler
HTTPMiddleware is a HTTP middleware variant of UnaryServerInterceptor. It additionally supports reading access tokens from cookies. It should be used for non-gRPC HTTP endpoints (CookieAuthAnnotator takes care of handling cookies in gRPC-gateway requests).
func (*Authenticator) HTTPMiddlewareLenient ¶ added in v0.42.0
func (a *Authenticator) HTTPMiddlewareLenient(next http.Handler) http.Handler
HTTPMiddlewareLenient is a lenient variant of HTTPMiddleware. If the authoriztion header is malformed or invalid, it will still succeed, setting anonClaims on the request.
func (*Authenticator) RegisterEndpoints ¶
func (a *Authenticator) RegisterEndpoints(mux *http.ServeMux, limiter ratelimit.Limiter, issuer *auth.Issuer)
RegisterEndpoints adds HTTP endpoints for auth. The mux must be served on the ExternalURL of the Authenticator since the logic in these handlers relies on knowing the full external URIs. Note that these are not gRPC handlers, just regular HTTP endpoints that we mount on the gRPC-gateway mux.
Since we support optional custom domains for orgs, we need to jump through some hoops to ensure the auth redirects work correctly, and that the auth token cookie is set on the correct domain. Below follows an overview of the redirect flows for login and logout. Login flow without custom domain configured:
1 . UI requests <canonical-domain>/auth/login?redirect=<redirect> - Set a cookie with state=YYY - If a redirect URL is provided, store it in the cookie 2. Redirect to Auth0 /login?state=YYY - User completes login 3. Redirect to <canonical-domain>/auth/callback?state=YYY&<oauth-params> - Verify cookie state matches YYY - Save the long-lived token in a cookie - Redirect to the saved redirect URL (or the frontend root if none was provided)
Login flow when a custom domain is configured:
UI requests <custom-domain>/auth/login?redirect=<redirect> - Set a cookie with state=XXX - If a redirect URL is provided, store it in the cookie
Redirect to <canonical-domain>/auth/login?redirect=https://<custom-domain>/auth/custom-domain-callback?state=XXX&custom_domain_flow=true - Set a cookie with state=YYY and custom_domain_flow=true
Redirect to Auth0 /login?state=YYY - User completes login
Redirect to <canonical-domain>/auth/callback?state=YYY&<oauth-params> - Verify cookie state matches YYY - Issue a noune token
Redirect to <custom-domain>/auth/custom-domain-callback?state=XXX&noune_token=<short-lived-token> - Verify cookie state matches XXX - Exchange short-lived token for a long-lived token - Save the long-lived token in a cookie - Redirect to the saved redirect URL (or the frontend root if none was provided)
Logout flow:
- Frontend calls <custom domain>/auth/logout?redirect=<frontend return URL>
- It redirects to <canonical domain>/auth/logout/provider?redirect=<frontend return URL>
- It redirects to <auth provider> for logout
- The auth provider redirects to <canonical domain>/auth/logout/callback
- It redirects to <frontend return URL>
The "canonical domain" is the Rill-managed external URL of the current service (e.g. "admin.rilldata.com"). The "custom domain" is the custom domain of the current org with path suffix for the admin service (e.g. "myorg.com/api"). If the current org doesn't have a custom domain, the custom domain can be substituted for the canonical domain (without path suffix).
There are more details in the type doc for `admin.URLs` and in the individual handler docstrings below.
func (*Authenticator) StreamServerInterceptor ¶
func (a *Authenticator) StreamServerInterceptor() grpc.StreamServerInterceptor
StreamServerInterceptor is the streaming variant of UnaryServerInterceptor.
func (*Authenticator) UnaryServerInterceptor ¶
func (a *Authenticator) UnaryServerInterceptor() grpc.UnaryServerInterceptor
UnaryServerInterceptor is a middleware for setting claims on runtime server requests. It authenticates the user and acquires the claims using the bearer token in the "authorization" request metadata field. If no bearer token is found, it will still succeed, setting anonClaims on the request. The assigned claims can be retrieved using GetClaims. If the interceptor succeeds, a Claims value is guaranteed to be set on the ctx.
type AuthenticatorOptions ¶
AuthenticatorOptions provides options for Authenticator
type Claims ¶
type Claims interface {
OwnerType() OwnerType
OwnerID() string
AuthTokenID() string
AuthTokenModel() any
Superuser(ctx context.Context) bool
OrganizationPermissions(ctx context.Context, orgID string) *adminv1.OrganizationPermissions
ProjectPermissions(ctx context.Context, orgID, projectID string) *adminv1.ProjectPermissions
}
Claims resolves permissions for a requester.
type DeviceCodeResponse ¶
type DeviceCodeResponse struct {
DeviceCode string `json:"device_code"`
UserCode string `json:"user_code"`
VerificationURI string `json:"verification_uri"`
VerificationCompleteURI string `json:"verification_uri_complete"`
ExpiresIn int `json:"expires_in"`
PollingInterval int `json:"interval"`
}
DeviceCodeResponse encapsulates the response for obtaining a device code.
type TokenRequest ¶
type TokenRequest struct {
GrantType string `json:"grant_type"`
DeviceCode string `json:"device_code"`
ClientID string `json:"client_id"`
}
TokenRequest encapsulates the request for obtaining an access token.
Source Files