auth

package
v0.14.1

This package is not in the latest version of its module.
Published: Apr 21, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package auth provides Firebase JWT verification and token caching for the AILANG server, Firestore-based access control and role lookups, and workspace access control with a Firestore backend.

Index

Constants

const TokenCacheTTL = 5 * time.Minute

TokenCacheTTL is the time-to-live for cached tokens.

Variables

var ErrInsufficientPermissions = errors.New("insufficient permissions for this operation")

ErrInsufficientPermissions is returned when a user lacks required permissions.

var ErrInvalidToken = errors.New("invalid or expired token")

ErrInvalidToken is returned when a token cannot be verified.

var ErrMissingToken = errors.New("missing authentication token")

ErrMissingToken is returned when a token is required but not provided.

var ErrUserNotInWorkspace = errors.New("user is not a member of this workspace")

ErrUserNotInWorkspace is returned when a user is not a member of a workspace.

Functions

func DecodeDocID

func DecodeDocID(docID string) string

DecodeDocID decodes a Firestore document ID back to a workspace ID.

func EncodeDocID

func EncodeDocID(id string) string

EncodeDocID encodes a workspace ID for use as a Firestore document ID. Replaces "/" with "__" since Firestore doesn't allow "/" in document IDs.

Types

type AccessControlCache

type AccessControlCache struct {
	// contains filtered or unexported fields
}

AccessControlCache stores cached role and workspace membership information.

func NewAccessControlCache

func NewAccessControlCache(fs *firestore.Client) *AccessControlCache

NewAccessControlCache creates a new access control cache.

func (*AccessControlCache) AddUserByEmail

func (acc *AccessControlCache) AddUserByEmail(ctx context.Context, email, workspaceID, role string) error

AddUserByEmail adds a user to a workspace by email with the specified role. This is the recommended way to configure access control.

func (*AccessControlCache) AddUserToWorkspace

func (acc *AccessControlCache) AddUserToWorkspace(ctx context.Context, uid, workspaceID, role string) error

AddUserToWorkspace adds a user to a workspace with the specified role.

func (*AccessControlCache) CacheStats

func (acc *AccessControlCache) CacheStats() int

CacheStats returns the number of cached roles.

func (*AccessControlCache) GetUserRole

func (acc *AccessControlCache) GetUserRole(ctx context.Context, uid, workspaceID string) (*WorkspaceRole, error)

GetUserRole retrieves the user's role for a workspace from Firestore. It uses caching to reduce latency on repeated lookups.

func (*AccessControlCache) GetUserRoleByEmail

func (acc *AccessControlCache) GetUserRoleByEmail(ctx context.Context, email, workspaceID string) (*WorkspaceRole, error)

GetUserRoleByEmail retrieves the user's role by email address. This allows configuring access control by email without needing Firebase UIDs. Email-based entries use the document ID email:workspace_id.

func (*AccessControlCache) InvalidateCache

func (acc *AccessControlCache) InvalidateCache()

InvalidateCache clears all cached roles.

func (*AccessControlCache) ListWorkspaceMembers

func (acc *AccessControlCache) ListWorkspaceMembers(ctx context.Context, workspaceID string) ([]*WorkspaceRole, error)

ListWorkspaceMembers retrieves all members of a workspace.

func (*AccessControlCache) RemoveUserFromWorkspace

func (acc *AccessControlCache) RemoveUserFromWorkspace(ctx context.Context, uid, workspaceID string) error

RemoveUserFromWorkspace removes a user from a workspace.

func (*AccessControlCache) UpdateUserRole

func (acc *AccessControlCache) UpdateUserRole(ctx context.Context, uid, workspaceID, newRole string) error

UpdateUserRole updates a user's role in a workspace.

type AccessibleWorkspace

type AccessibleWorkspace struct {
	Workspace
	Role string `json:"role"` // User's role in this workspace
}

AccessibleWorkspace represents a workspace the user can access with their role.

type TokenVerifier

type TokenVerifier struct {
	// contains filtered or unexported fields
}

TokenVerifier provides JWT token verification and caching.

func NewTokenVerifier

func NewTokenVerifier(firebaseAuth *auth.Client) *TokenVerifier

NewTokenVerifier creates a new TokenVerifier with the given Firebase auth client.

func (*TokenVerifier) CacheStats

func (tv *TokenVerifier) CacheStats() int

CacheStats returns the number of cached tokens.

func (*TokenVerifier) InvalidateCache

func (tv *TokenVerifier) InvalidateCache()

InvalidateCache clears the token cache.

func (*TokenVerifier) VerifyToken

func (tv *TokenVerifier) VerifyToken(ctx context.Context, token string) (*UserClaims, error)

VerifyToken verifies a Firebase JWT token and returns the user claims. It uses caching to reduce latency on repeated verifications.
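The caching that VerifyToken relies on has one rule the TTL alone does not express: a cached verification must never be served past the token's own exp claim, otherwise a token that has already expired stays valid for up to TokenCacheTTL. The following is an added illustration of that bound, not the package's own code; ClaimsCache, its injectable Now field and the reduced UserClaims are assumptions, and the real TokenVerifier keeps its cache unexported.

```go
package main

import (
	"sync"
	"time"
)

// TokenCacheTTL mirrors the constant documented on this page.
const TokenCacheTTL = 5 * time.Minute

// UserClaims mirrors the page's type, reduced to what the cache needs.
type UserClaims struct {
	UID       string
	ExpiresAt time.Time
}

type entry struct {
	claims  *UserClaims
	expires time.Time // when the cache stops serving this entry
}

// ClaimsCache stands in for the unexported cache inside the page's TokenVerifier
// (an assumption). Now is injectable for deterministic tests; use time.Now in prod.
type ClaimsCache struct {
	entries sync.Map // raw token -> entry
	Now     func() time.Time
}

// Put caches claims for TokenCacheTTL or until the token's own exp claim,
// whichever is sooner, so a cache hit never outlives the token it fronts.
func (c *ClaimsCache) Put(token string, claims *UserClaims) {
	expires := c.Now().Add(TokenCacheTTL)
	if claims.ExpiresAt.Before(expires) {
		expires = claims.ExpiresAt
	}
	c.entries.Store(token, entry{claims: claims, expires: expires})
}

// Get returns (claims, true) while the entry is fresh; a stale entry is evicted
// and (nil, false) returned so the caller re-verifies with Firebase.
func (c *ClaimsCache) Get(token string) (*UserClaims, bool) {
	v, ok := c.entries.Load(token)
	e, _ := v.(entry)
	if !ok || !c.Now().Before(e.expires) {
		c.entries.Delete(token)
		return nil, false
	}
	return e.claims, true
}
```

A miss from Get is the signal to call the Firebase client again; InvalidateCache on the real verifier is the manual equivalent of evicting every entry at once.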

type User

type User struct {
	ID          string // Unique user identifier (UUID)
	FirebaseUID string // Firebase UID
	Email       string
	Name        string
	Role        string // "Viewer" or "Approver"
	WorkspaceID string
	AuthTime    time.Time
	IssuedAt    time.Time
	ExpiresAt   time.Time
	Permissions []string // Additional permission strings
}

User represents an authenticated user with workspace role information.

func NewUserFromClaims

func NewUserFromClaims(claims *UserClaims) *User

NewUserFromClaims creates a User from token claims.

func (*User) HasPermission

func (u *User) HasPermission(permission string) bool

HasPermission checks if the user has the specified permission.

func (*User) IsApprover

func (u *User) IsApprover() bool

IsApprover returns true if the user has the Approver role.

func (*User) IsViewer

func (u *User) IsViewer() bool

IsViewer returns true if the user has the Viewer role.

type UserClaims

type UserClaims struct {
	UID       string
	Email     string
	Name      string
	AuthTime  time.Time
	IssuedAt  time.Time
	ExpiresAt time.Time
}

UserClaims represents the claims extracted from a Firebase JWT token.

type Workspace

type Workspace struct {
	ID           string    `json:"id" firestore:"id"`                       // e.g., "sunholo-data/ailang"
	Name         string    `json:"name" firestore:"name"`                   // Human-readable name
	GitHubRepo   string    `json:"github_repo" firestore:"github_repo"`     // GitHub repo (owner/repo)
	IsPublic     bool      `json:"is_public" firestore:"is_public"`         // Anonymous users get Viewer access
	PathPatterns []string  `json:"path_patterns" firestore:"path_patterns"` // File paths that map to this workspace
	CreatedAt    time.Time `json:"created_at" firestore:"created_at"`
	CreatedBy    string    `json:"created_by" firestore:"created_by"`
}

Workspace represents a workspace with access control metadata.

type WorkspaceAccess

type WorkspaceAccess struct {
	Email       string    `json:"email" firestore:"email"`
	WorkspaceID string    `json:"workspace_id" firestore:"workspace_id"`
	Role        string    `json:"role" firestore:"role"` // "Viewer" or "Approver"
	GrantedAt   time.Time `json:"granted_at" firestore:"granted_at"`
	GrantedBy   string    `json:"granted_by" firestore:"granted_by"`
}

WorkspaceAccess represents a user's access to a workspace.

type WorkspaceRole

type WorkspaceRole struct {
	UID         string
	WorkspaceID string
	Role        string // "Viewer" or "Approver"
	Permissions []string
	CreatedAt   time.Time
	UpdatedAt   time.Time
}

WorkspaceRole represents a user's role in a workspace.

type WorkspaceService

type WorkspaceService struct {
	// contains filtered or unexported fields
}

WorkspaceService provides workspace access control operations.

func NewWorkspaceService

func NewWorkspaceService(fs *firestore.Client, config *WorkspacesConfig) *WorkspaceService

NewWorkspaceService creates a new workspace service.

func (*WorkspaceService) CacheStats

func (ws *WorkspaceService) CacheStats() (workspaces, access int)

CacheStats returns cache statistics.

func (*WorkspaceService) CreateWorkspace

func (ws *WorkspaceService) CreateWorkspace(ctx context.Context, workspace *Workspace) error

CreateWorkspace creates a new workspace in Firestore.

func (*WorkspaceService) GetAccessibleWorkspaceIDs

func (ws *WorkspaceService) GetAccessibleWorkspaceIDs(ctx context.Context, email string) ([]string, error)

GetAccessibleWorkspaceIDs returns a list of workspace IDs the user can access. Useful for SQL IN clauses when filtering queries.

func (*WorkspaceService) GetWorkspace

func (ws *WorkspaceService) GetWorkspace(ctx context.Context, workspaceID string) (*Workspace, error)

GetWorkspace retrieves a workspace by ID.

func (*WorkspaceService) GetWorkspaceByPath

func (ws *WorkspaceService) GetWorkspaceByPath(path string) string

GetWorkspaceByPath maps a file path to a workspace ID using configured mappings. Returns the default workspace if no mapping matches.

func (*WorkspaceService) GrantAccess

func (ws *WorkspaceService) GrantAccess(ctx context.Context, email, workspaceID, role, grantedBy string) error

GrantAccess grants a user access to a workspace with the specified role.

func (*WorkspaceService) HasWorkspaceAccess

func (ws *WorkspaceService) HasWorkspaceAccess(ctx context.Context, email, workspaceID string) (bool, string, error)

HasWorkspaceAccess checks if a user has access to a workspace. Returns (hasAccess, role, error). For public workspaces, unauthenticated users get Viewer access.

func (*WorkspaceService) InvalidateCache

func (ws *WorkspaceService) InvalidateCache()

InvalidateCache clears all cached data.

func (*WorkspaceService) ListAccessibleWorkspaces

func (ws *WorkspaceService) ListAccessibleWorkspaces(ctx context.Context, email string) ([]AccessibleWorkspace, error)

ListAccessibleWorkspaces returns all workspaces the user can access. For unauthenticated users (email=""), returns only public workspaces. For authenticated users, returns public workspaces + workspaces with explicit grants.
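How HasWorkspaceAccess and ListAccessibleWorkspaces combine public visibility with explicit grants, as an added in-memory illustration rather than the package's Firestore-backed code. Policy and its fields are assumptions, the types are reduced to the fields the decision needs, and the rule that an explicit grant takes precedence over public Viewer access is assumed rather than stated on the page.

```go
package main

// Workspace and WorkspaceAccess mirror the page's types, reduced to the fields
// the access decision needs.
type Workspace struct {
	ID       string
	IsPublic bool
}
type WorkspaceAccess struct {
	Email, WorkspaceID, Role string // Role is "Viewer" or "Approver"
}

// Policy is an in-memory stand-in for the page's Firestore-backed WorkspaceService
// (assumption: the real service's fields are unexported and may differ).
type Policy struct {
	Workspaces map[string]Workspace // keyed by workspace ID, e.g. "sunholo-data/ailang"
	Grants     []WorkspaceAccess
}

// HasWorkspaceAccess applies the page's documented semantics, fail-closed: unknown
// workspace denied; explicit grant wins; else a public workspace yields Viewer.
func (p *Policy) HasWorkspaceAccess(email, workspaceID string) (bool, string) {
	ws, known := p.Workspaces[workspaceID]
	if !known {
		return false, ""
	}
	if email != "" { // never match grants for an empty (unauthenticated) email
		for _, g := range p.Grants {
			if g.Email == email && g.WorkspaceID == workspaceID {
				return true, g.Role
			}
		}
	}
	if ws.IsPublic { // anonymous callers (email == "") get Viewer here
		return true, "Viewer"
	}
	return false, ""
}

// ListAccessibleWorkspaces returns workspace ID -> role for every workspace the
// caller can reach: public ones plus those with explicit grants.
func (p *Policy) ListAccessibleWorkspaces(email string) map[string]string {
	out := map[string]string{}
	for id := range p.Workspaces {
		if ok, role := p.HasWorkspaceAccess(email, id); ok {
			out[id] = role
		}
	}
	return out
}
```

The empty-email guard matters because a misconfigured grant with an empty Email field would otherwise hand anonymous callers that role.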

func (*WorkspaceService) RevokeAccess

func (ws *WorkspaceService) RevokeAccess(ctx context.Context, email, workspaceID string) error

RevokeAccess removes a user's access to a workspace.

func (*WorkspaceService) SetPublic

func (ws *WorkspaceService) SetPublic(ctx context.Context, workspaceID string, isPublic bool) error

SetPublic updates a workspace's public visibility.

type WorkspacesConfig

type WorkspacesConfig = coordinator.WorkspacesConfig

WorkspacesConfig is an alias to coordinator.WorkspacesConfig for convenience.
