user

package module
v0.0.28 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 15, 2026 License: MIT Imports: 22 Imported by: 0

README

tinywasm/user

Project Badges

User management library for the tinywasm ecosystem. Handles user entities, password authentication, OAuth providers (Google, Microsoft), LAN (local network) authentication by RUT + IP, and session management. Applications import tinywasm/user directly to configure session behaviour, and use its isomorphic UI modules for authentication workflows.

Documentation

Note: RBAC is now integrated into the User module (see ARCHITECTURE.md).

Diagrams

Initialization

import "github.com/tinywasm/user"

// ...

// Initialize the user module directly with an ORM db instance
err := user.Init(db, user.Config{
    CookieName: "session_id", // default: "session"
    TokenTTL:   86400,        // default: 86400 (24h)
    TrustProxy: true,         // default: false
    OAuthProviders: []user.OAuthProvider{
        &user.GoogleProvider{
            ClientID:     os.Getenv("GOOGLE_CLIENT_ID"),
            ClientSecret: os.Getenv("GOOGLE_CLIENT_SECRET"),
            RedirectURL:  "https://example.com/oauth/callback",
        },
    },
})
if err != nil {
    // handle error
}

For detailed API usage and module integration guidance, refer to docs/SKILL.md.

Status

Implementation pending. Documentation complete.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidCredentials = fmt.Err("access", "denied")             // EN: Access Denied                    / ES: Acceso Denegado
	ErrSuspended          = fmt.Err("user", "suspended")            // EN: User Suspended                   / ES: Usuario Suspendido
	ErrEmailTaken         = fmt.Err("email", "registered")          // EN: Email Registered                 / ES: Correo electrónico Registrado
	ErrWeakPassword       = fmt.Err("password", "weak")             // EN: Password Weak                    / ES: Contraseña Débil
	ErrSessionExpired     = fmt.Err("token", "expired")             // EN: Token Expired                    / ES: Token Expirado
	ErrNotFound           = fmt.Err("user", "not", "found")         // EN: User Not Found                   / ES: Usuario No Encontrado
	ErrProviderNotFound   = fmt.Err("provider", "not", "found")     // EN: Provider Not Found               / ES: Proveedor No Encontrado
	ErrInvalidOAuthState  = fmt.Err("state", "invalid")             // EN: State Invalid                    / ES: Estado Inválido
	ErrCannotUnlink       = fmt.Err("identity", "cannot", "unlink") // EN: Identity Cannot Unlink           / ES: Identidad No puede Desvincular
	ErrInvalidRUT         = fmt.Err("rut", "invalid")               // EN: Rut Invalid                      / ES: Rut Inválido
	ErrRUTTaken           = fmt.Err("rut", "registered")            // EN: Rut Registered                   / ES: Rut Registrado
	ErrIPTaken            = fmt.Err("ip", "registered")             // EN: Ip Registered                    / ES: Ip Registrado
)
View Source 
var Identity_ = struct {
	TableName  string
	ID         string
	UserID     string
	Provider   string
	ProviderID string
	Email      string
	CreatedAt  string
}{
	TableName:  "user_identities",
	ID:         "id",
	UserID:     "user_id",
	Provider:   "provider",
	ProviderID: "provider_id",
	Email:      "email",
	CreatedAt:  "created_at",
}
View Source 
var LANIP_ = struct {
	TableName string
	ID        string
	UserID    string
	IP        string
	Label     string
	CreatedAt string
}{
	TableName: "user_lan_ips",
	ID:        "id",
	UserID:    "user_id",
	IP:        "ip",
	Label:     "label",
	CreatedAt: "created_at",
}
View Source 
var OAuthState_ = struct {
	TableName string
	State     string
	Provider  string
	ExpiresAt string
	CreatedAt string
}{
	TableName: "user_oauth_states",
	State:     "state",
	Provider:  "provider",
	ExpiresAt: "expires_at",
	CreatedAt: "created_at",
}
View Source 
var Permission_ = struct {
	TableName string
	ID        string
	Name      string
	Resource  string
	Action    string
}{
	TableName: "rbac_permissions",
	ID:        "id",
	Name:      "name",
	Resource:  "resource",
	Action:    "action",
}
View Source 
var RolePermission_ = struct {
	TableName    string
	RoleID       string
	PermissionID string
}{
	TableName:    "rbac_role_permissions",
	RoleID:       "role_id",
	PermissionID: "permission_id",
}
View Source 
var Role_ = struct {
	TableName   string
	ID          string
	Code        string
	Name        string
	Description string
}{
	TableName:   "rbac_roles",
	ID:          "id",
	Code:        "code",
	Name:        "name",
	Description: "description",
}
View Source 
var Session_ = struct {
	TableName string
	ID        string
	UserID    string
	ExpiresAt string
	IP        string
	UserAgent string
	CreatedAt string
}{
	TableName: "user_sessions",
	ID:        "id",
	UserID:    "user_id",
	ExpiresAt: "expires_at",
	IP:        "ip",
	UserAgent: "user_agent",
	CreatedAt: "created_at",
}
View Source 
var UserRole_ = struct {
	TableName string
	UserID    string
	RoleID    string
}{
	TableName: "rbac_user_roles",
	UserID:    "user_id",
	RoleID:    "role_id",
}
View Source 
var User_ = struct {
	TableName string
	ID        string
	Email     string
	Name      string
	Phone     string
	Status    string
	CreatedAt string
}{
	TableName: "users",
	ID:        "id",
	Email:     "email",
	Name:      "name",
	Phone:     "phone",
	Status:    "status",
	CreatedAt: "created_at",
}

Functions

func UIModules added in v0.0.15 

func UIModules() []any

UIModules returns all standard authentication UI flow handlers. Isomorphic: available in both WASM and non-WASM builds.

Types

type AuthMode added in v0.0.17 

type AuthMode uint8

AuthMode selects the session strategy. 

const (
	// AuthModeCookie stores a session ID in an HttpOnly cookie.
	// Stateful: requires user_sessions table. Supports immediate revocation.
	AuthModeCookie AuthMode = iota // default

	// AuthModeJWT stores a signed JWT in an HttpOnly cookie.
	// Stateless: no DB lookup per request. No immediate revocation.
	// Ideal for SPA/PWA and multi-server deployments.
	AuthModeJWT

	// AuthModeBearer reads a signed JWT from the "Authorization: Bearer <token>" header.
	// Stateless: for API clients (MCP servers, IDEs, LLMs) that cannot use cookies.
	// Structurally implements mcp.Authorizer via InjectIdentity + CanExecute methods.
	// Requires JWTSecret.
	AuthModeBearer
)

type Config added in v0.0.2 

type Config struct {
	AuthMode AuthMode // default: AuthModeCookie

	// Shared by all modes
	CookieName string // default: "session"
	TokenTTL   int    // default: 86400 (seconds). Session TTL in cookie mode, JWT expiry in JWT mode.

	// Required when AuthMode == AuthModeJWT or AuthMode == AuthModeBearer.
	// Also required to call GenerateAPIToken regardless of AuthMode.
	JWTSecret []byte

	TrustProxy     bool
	OAuthProviders []OAuthProvider

	// Optional hook for receiving security events (e.g. tampering, brute force)
	OnSecurityEvent func(SecurityEvent)

	// OnPasswordValidate is called by SetPassword before hashing.
	// Return a non-nil error to reject the password.
	// If nil, only the built-in len >= 8 check applies.
	OnPasswordValidate func(password string) error
}

type Identity added in v0.0.2 

type Identity struct {
	ID         string `json:"id" db:"pk"`
	UserID     string `json:"user_id" db:"ref=users"`
	Provider   string `json:"provider"`
	ProviderID string `json:"provider_id"`
	Email      string `json:"email,omitempty"`
	CreatedAt  int64  `json:"created_at"`
}

Identity

func ReadAllIdentity added in v0.0.6 

func ReadAllIdentity(qb *orm.QB) ([]*Identity, error)

func ReadOneIdentity added in v0.0.6 

func ReadOneIdentity(qb *orm.QB, model *Identity) (*Identity, error)

func (*Identity) FormName added in v0.0.28 

func (m *Identity) FormName() string

func (*Identity) Pointers added in v0.0.6 

func (m *Identity) Pointers() []any

func (*Identity) Schema added in v0.0.6 

func (m *Identity) Schema() []fmt.Field

func (Identity) TableName added in v0.0.6 

func (Identity) TableName() string

type LANIP added in v0.0.6 

type LANIP struct {
	ID        string `json:"id" db:"pk"`
	UserID    string `json:"user_id" db:"ref=users"`
	IP        string `json:"ip"`
	Label     string `json:"label"`
	CreatedAt int64  `json:"created_at"`
}

LANIP

func ReadAllLANIP added in v0.0.6 

func ReadAllLANIP(qb *orm.QB) ([]*LANIP, error)

func ReadOneLANIP added in v0.0.6 

func ReadOneLANIP(qb *orm.QB, model *LANIP) (*LANIP, error)

func (*LANIP) FormName added in v0.0.28 

func (m *LANIP) FormName() string

func (*LANIP) Pointers added in v0.0.6 

func (m *LANIP) Pointers() []any

func (*LANIP) Schema added in v0.0.6 

func (m *LANIP) Schema() []fmt.Field

func (LANIP) TableName added in v0.0.6 

func (LANIP) TableName() string

type LoginData added in v0.0.2 

type LoginData struct {
	Email    string
	Password string
}

LoginData is validated by LoginModule on both frontend and backend.

func (*LoginData) Pointers added in v0.0.28 

func (m *LoginData) Pointers() []any

func (*LoginData) Schema added in v0.0.28 

func (m *LoginData) Schema() []fmt.Field

type Module added in v0.0.17 

type Module struct{}

Module is a WASM stub. The real implementation lives in user_back.go.

type OAuthProvider added in v0.0.2 

type OAuthProvider interface {
	Name() string
	AuthCodeURL(state string) string
	ExchangeCode(ctx context.Context, code string) (*oauth2.Token, error)
	GetUserInfo(ctx context.Context, token *oauth2.Token) (OAuthUserInfo, error)
}

type OAuthState added in v0.0.6 

type OAuthState struct {
	State     string `json:"state" db:"pk"`
	Provider  string `json:"provider"`
	ExpiresAt int64  `json:"expires_at"`
	CreatedAt int64  `json:"created_at"`
}

OAuthState

func ReadAllOAuthState added in v0.0.6 

func ReadAllOAuthState(qb *orm.QB) ([]*OAuthState, error)

func ReadOneOAuthState added in v0.0.6 

func ReadOneOAuthState(qb *orm.QB, model *OAuthState) (*OAuthState, error)

func (*OAuthState) FormName added in v0.0.28 

func (m *OAuthState) FormName() string

func (*OAuthState) Pointers added in v0.0.6 

func (m *OAuthState) Pointers() []any

func (*OAuthState) Schema added in v0.0.6 

func (m *OAuthState) Schema() []fmt.Field

func (OAuthState) TableName added in v0.0.6 

func (OAuthState) TableName() string

type OAuthUserInfo added in v0.0.2 

type OAuthUserInfo struct {
	ID    string
	Email string
	Name  string
}

type PasswordData added in v0.0.2 

type PasswordData struct {
	Current string
	New     string
	Confirm string
}

PasswordData is validated by ProfileModule (password change sub-form).

func (*PasswordData) Pointers added in v0.0.28 

func (m *PasswordData) Pointers() []any

func (*PasswordData) Schema added in v0.0.28 

func (m *PasswordData) Schema() []fmt.Field

type Permission added in v0.0.6 

type Permission struct {
	ID       string `json:"id" db:"pk"`
	Name     string `json:"name"`
	Resource string `json:"resource"`
	Action   string `json:"action"`
}

Permission

func ReadAllPermission added in v0.0.6 

func ReadAllPermission(qb *orm.QB) ([]*Permission, error)

func ReadOnePermission added in v0.0.6 

func ReadOnePermission(qb *orm.QB, model *Permission) (*Permission, error)

func (*Permission) FormName added in v0.0.28 

func (m *Permission) FormName() string

func (*Permission) Pointers added in v0.0.6 

func (m *Permission) Pointers() []any

func (*Permission) Schema added in v0.0.6 

func (m *Permission) Schema() []fmt.Field

func (Permission) TableName added in v0.0.6 

func (Permission) TableName() string

type ProfileData added in v0.0.2 

type ProfileData struct {
	Name  string
	Phone string
}

ProfileData is validated by ProfileModule (name/phone update).

func (*ProfileData) Pointers added in v0.0.28 

func (m *ProfileData) Pointers() []any

func (*ProfileData) Schema added in v0.0.28 

func (m *ProfileData) Schema() []fmt.Field

type RegisterData added in v0.0.2 

type RegisterData struct {
	Name     string
	Email    string
	Password string
	Phone    string
}

RegisterData is validated by RegisterModule.

func (*RegisterData) Pointers added in v0.0.28 

func (m *RegisterData) Pointers() []any

func (*RegisterData) Schema added in v0.0.28 

func (m *RegisterData) Schema() []fmt.Field

type Role added in v0.0.6 

type Role struct {
	ID          string `json:"id" db:"pk"`
	Code        string `json:"code"`
	Name        string `json:"name"`
	Description string `json:"description"`
}

Role

func ReadAllRole added in v0.0.6 

func ReadAllRole(qb *orm.QB) ([]*Role, error)

func ReadOneRole added in v0.0.6 

func ReadOneRole(qb *orm.QB, model *Role) (*Role, error)

func (*Role) FormName added in v0.0.28 

func (m *Role) FormName() string

func (*Role) Pointers added in v0.0.6 

func (m *Role) Pointers() []any

func (*Role) Schema added in v0.0.6 

func (m *Role) Schema() []fmt.Field

func (Role) TableName added in v0.0.6 

func (Role) TableName() string

type RolePermission added in v0.0.6 

type RolePermission struct {
	RoleID       string `json:"role_id"`
	PermissionID string `json:"permission_id"`
}

RolePermission

func ReadAllRolePermission added in v0.0.6 

func ReadAllRolePermission(qb *orm.QB) ([]*RolePermission, error)

func ReadOneRolePermission added in v0.0.6 

func ReadOneRolePermission(qb *orm.QB, model *RolePermission) (*RolePermission, error)

func (*RolePermission) FormName added in v0.0.28 

func (m *RolePermission) FormName() string

func (*RolePermission) Pointers added in v0.0.6 

func (m *RolePermission) Pointers() []any

func (*RolePermission) Schema added in v0.0.6 

func (m *RolePermission) Schema() []fmt.Field

func (RolePermission) TableName added in v0.0.6 

func (RolePermission) TableName() string

type SecurityEvent added in v0.0.22 

type SecurityEvent struct {
	Type      SecurityEventType
	IP        string // client IP, empty if not available
	UserID    string // empty if user not yet identified
	Provider  string // OAuth provider name, for OAuth events
	Resource  string // RBAC resource, for EventAccessDenied
	Timestamp int64  // time.Now().Unix()
}

type SecurityEventType added in v0.0.22 

type SecurityEventType uint8
const (
	EventJWTTampered        SecurityEventType = iota // ValidateJWT: HMAC mismatch
	EventOAuthReplay                                 // consumeState: state already consumed (2nd use)
	EventOAuthExpiredState                           // consumeState: state found but past ExpiresAt
	EventOAuthCrossProvider                          // consumeState: provider mismatch (state preserved)
	EventIPMismatch                                  // LoginLAN: IP not registered
	EventNonActiveAccess                             // Login/LoginLAN: status != "active"
	EventUnauthorizedAccess                          // validateSession: cookie present but session invalid
	EventAccessDenied                                // AccessCheck: RBAC denied with valid session
)

type Session added in v0.0.2 

type Session struct {
	ID        string `json:"id" db:"pk"`
	UserID    string `json:"user_id" db:"ref=users"`
	ExpiresAt int64  `json:"expires_at"`
	IP        string `json:"ip,omitempty"`
	UserAgent string `json:"user_agent,omitempty"`
	CreatedAt int64  `json:"created_at"`
}

Session

func ReadAllSession added in v0.0.6 

func ReadAllSession(qb *orm.QB) ([]*Session, error)

func ReadOneSession added in v0.0.6 

func ReadOneSession(qb *orm.QB, model *Session) (*Session, error)

func (*Session) FormName added in v0.0.28 

func (m *Session) FormName() string

func (*Session) Pointers added in v0.0.6 

func (m *Session) Pointers() []any

func (*Session) Schema added in v0.0.6 

func (m *Session) Schema() []fmt.Field

func (Session) TableName added in v0.0.6 

func (Session) TableName() string

type User 

type User struct {
	ID          string       `json:"id" db:"pk"`
	Email       string       `json:"email,omitempty" db:"unique"`
	Name        string       `json:"name"`
	Phone       string       `json:"phone,omitempty"`
	Status      string       `json:"status"` // "active", "suspended"
	CreatedAt   int64        `json:"created_at"`
	Roles       []Role       `json:"roles,omitempty" db:"-"`
	Permissions []Permission `json:"permissions,omitempty" db:"-"`
}

User

func ReadAllUser added in v0.0.6 

func ReadAllUser(qb *orm.QB) ([]*User, error)

func ReadOneUser added in v0.0.6 

func ReadOneUser(qb *orm.QB, model *User) (*User, error)

func (*User) FormName added in v0.0.28 

func (m *User) FormName() string

func (*User) Pointers added in v0.0.6 

func (m *User) Pointers() []any

func (*User) Schema added in v0.0.6 

func (m *User) Schema() []fmt.Field

func (User) TableName added in v0.0.6 

func (User) TableName() string

type UserRole added in v0.0.6 

type UserRole struct {
	UserID string `json:"user_id"`
	RoleID string `json:"role_id"`
}

UserRole

func ReadAllUserRole added in v0.0.6 

func ReadAllUserRole(qb *orm.QB) ([]*UserRole, error)

func ReadOneUserRole added in v0.0.6 

func ReadOneUserRole(qb *orm.QB, model *UserRole) (*UserRole, error)

func (*UserRole) FormName added in v0.0.28 

func (m *UserRole) FormName() string

func (*UserRole) Pointers added in v0.0.6 

func (m *UserRole) Pointers() []any

func (*UserRole) Schema added in v0.0.6 

func (m *UserRole) Schema() []fmt.Field

func (UserRole) TableName added in v0.0.6 

func (UserRole) TableName() string

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.