Documentation ¶
Index ¶
- Constants
- func AccountSessionMaxAge() time.Duration
- func AccountSessionTTL() time.Duration
- func ClearAccountCookie(w http.ResponseWriter, r *http.Request)
- func GenerateAccountToken(jwtSigner *jwt.Signer, accountID string, sessionStart time.Time, ...) (string, error)
- func GetOrganizationIdFromMetadata(ctx context.Context) (string, bool)
- func GetScopedTokenScopesFromMetadata(ctx context.Context) ([]string, bool)
- func GetUserIdFromMetadata(ctx context.Context) (string, bool)
- func IsAccountSessionWithinMaxAge(claims jwtLib.MapClaims) bool
- func IssueAccountSession(w http.ResponseWriter, r *http.Request, jwtSigner *jwt.Signer, ...) error
- func MaybeRefreshAccountSession(w http.ResponseWriter, r *http.Request, jwtSigner *jwt.Signer, ...)
- func ResetAccountSessionTTLForTests()
- func SessionStartFromClaims(claims jwtLib.MapClaims) (time.Time, bool)
- func SetAccountCookie(w http.ResponseWriter, r *http.Request, token string, ttl time.Duration)
- func SetUserIdInMetadata(ctx context.Context, userId string) context.Context
- type Handler
- type ProviderConfig
Constants ¶
const SignupDisabledError = "signup is currently disabled"
const TokenScopesMetadataKey = "x-token-scopes"
Variables ¶
This section is empty.
Functions ¶
func AccountSessionMaxAge ¶ added in v0.25.0
AccountSessionMaxAge returns the absolute lifetime of a login session, measured from the first sign-in, regardless of sliding refresh. Override with ACCOUNT_SESSION_MAX_AGE.
func AccountSessionTTL ¶ added in v0.25.0
AccountSessionTTL returns how long account_token cookies remain valid between activity refreshes. Override with ACCOUNT_SESSION_TTL.
func ClearAccountCookie ¶
func ClearAccountCookie(w http.ResponseWriter, r *http.Request)
func GenerateAccountToken ¶ added in v0.25.0
func GenerateAccountToken(jwtSigner *jwt.Signer, accountID string, sessionStart time.Time, ttl time.Duration) (string, error)
GenerateAccountToken creates a signed account_token JWT with session tracking.
func GetScopedTokenScopesFromMetadata ¶ added in v0.14.0
func IsAccountSessionWithinMaxAge ¶ added in v0.25.0
IsAccountSessionWithinMaxAge reports whether the session is still within its absolute lifetime cap. Tokens without the ses claim are rejected.
func IssueAccountSession ¶ added in v0.25.0
func IssueAccountSession(w http.ResponseWriter, r *http.Request, jwtSigner *jwt.Signer, accountID string) error
IssueAccountSession mints a fresh account_token for a new login session.
func MaybeRefreshAccountSession ¶ added in v0.25.0
func MaybeRefreshAccountSession(w http.ResponseWriter, r *http.Request, jwtSigner *jwt.Signer, account *models.Account)
MaybeRefreshAccountSession extends active sessions using a sliding window. Any authenticated activity reissues the token for another full TTL, except when the token was just minted or the absolute session max age is reached.
func ResetAccountSessionTTLForTests ¶ added in v0.25.0
func ResetAccountSessionTTLForTests()
ResetAccountSessionTTLForTests clears cached session duration settings.
func SessionStartFromClaims ¶ added in v0.25.0
SessionStartFromClaims returns when the login session began from the ses claim. Tokens without ses cannot be used for absolute max-age enforcement.
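The sliding-window and absolute-cap rules described for IsAccountSessionWithinMaxAge, MaybeRefreshAccountSession and SessionStartFromClaims can be sketched as one decision function. This is an added example, not this package's code. Assumptions: ses and iat are Unix seconds, minInterval is a hypothetical threshold for "just minted", the refreshed expiry is capped at the session deadline, and the names Decision, Evaluate and unixClaim are illustrative.

```go
package main

import (
	"fmt"
	"time"
)

type Decision int
const (
	Reject  Decision = iota // no usable ses claim, or absolute max age reached
	Keep                    // token minted moments ago: leave the cookie alone
	Refresh                 // reissue for another TTL
)

// unixClaim reads a numeric claim as Unix seconds (assumed encoding).
func unixClaim(c map[string]any, key string) (time.Time, bool) {
	v, ok := c[key].(float64) // JSON numbers decode to float64 in map claims
	if !ok || v <= 0 {
		return time.Time{}, false
	}
	return time.Unix(int64(v), 0), true
}

// Evaluate decides what to do with an already verified token; exp is set for Refresh.
func Evaluate(c map[string]any, now time.Time, ttl, maxAge, minInterval time.Duration) (Decision, time.Time) {
	start, ok := unixClaim(c, "ses")
	if !ok || start.After(now) { // missing or future session start: reject
		return Reject, time.Time{}
	}
	deadline := start.Add(maxAge)
	if !now.Before(deadline) { // absolute cap reached; activity cannot extend it
		return Reject, time.Time{}
	}
	if iat, ok := unixClaim(c, "iat"); ok && now.Sub(iat) < minInterval {
		return Keep, time.Time{}
	}
	exp := now.Add(ttl)
	if exp.After(deadline) { // this sketch's choice: never outlive the cap
		exp = deadline
	}
	return Refresh, exp
}

func main() {
	now := time.Unix(1_700_000_000, 0) // constructed sample clock
	c := map[string]any{"ses": float64(now.Add(-29 * 24 * time.Hour).Unix()), "iat": float64(now.Add(-time.Hour).Unix())}
	d, exp := Evaluate(c, now, 7*24*time.Hour, 30*24*time.Hour, 5*time.Minute)
	fmt.Println(d, exp.Sub(now))
}
```

In the sample run the session is 29 days into a 30-day cap, so the refresh is granted but the new expiry is one day out rather than a full seven-day TTL.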
func SetAccountCookie ¶ added in v0.21.0
SetAccountCookie writes the account_token cookie with the same flags used by every login path. Centralized so callers (login, signup, magic code, change-password reissue) cannot drift on cookie attributes.
Types ¶
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
func NewHandler ¶
func (*Handler) FindOrCreateAccountForProvider ¶
func (*Handler) InitializeProviders ¶
func (a *Handler) InitializeProviders(providers map[string]ProviderConfig)
func (*Handler) PasswordLoginEnabled ¶ added in v0.21.0
PasswordLoginEnabled reports whether email/password authentication is currently enabled for this installation. Used by handlers outside this package (e.g. the change-password endpoint) that should refuse work when the feature is disabled.