Documentation
¶
Overview ¶
Package authkit provides plug-and-play OAuth authentication with RBAC for Go HTTP services. It wraps markbates/goth for the OAuth dance, gorilla/sessions for encrypted cookie sessions, and a YAML-based role policy for access control.
Quick start:
auth, err := authkit.New(authkit.Config{
Providers: []authkit.ProviderConfig{
{Name: "github", ClientID: os.Getenv("GITHUB_CLIENT_ID"), ClientSecret: os.Getenv("GITHUB_CLIENT_SECRET")},
},
CallbackBaseURL: "https://example.com",
SessionSecret: os.Getenv("SESSION_SECRET"),
RBAC: authkit.RBACConfig{FilePath: "policy.yaml"},
})
mux.Handle("GET /auth/{provider}", http.HandlerFunc(auth.BeginAuth))
mux.Handle("GET /auth/{provider}/callback", http.HandlerFunc(auth.Callback))
mux.Handle("POST /auth/logout", http.HandlerFunc(auth.Logout))
mux.Handle("GET /auth/me", http.HandlerFunc(auth.Me))
// Protected routes
mux.Handle("GET /api/reports", auth.RequireAuth(reportsHandler))
mux.Handle("POST /api/projects", auth.Require("projects:write")(createHandler))
Index ¶
- Constants
- Variables
- func CheckPassword(hashedPassword, password string) bool
- func HashPassword(password string) (string, error)
- func IsDeviceCapability(perm string) bool
- func TenantIDFromCtx(ctx context.Context) (id string, ok bool)
- func WithDevice(ctx context.Context, d *Device) context.Context
- func WithLogger(l Logger) func(*LayeredPolicyProvider)
- func WithTenant(ctx context.Context, tenantID string) context.Context
- type APIKeyValidator
- type AuditEvent
- type AuditSink
- type Auth
- func (a *Auth) AuthenticateDevice(ctx context.Context, rawToken string) (*Device, error)
- func (a *Auth) Authorize(w http.ResponseWriter, r *http.Request)
- func (a *Auth) BeginAuth(w http.ResponseWriter, r *http.Request)
- func (a *Auth) CSRF(next http.Handler) http.Handler
- func (a *Auth) CSRFToken(w http.ResponseWriter, r *http.Request)
- func (a *Auth) Callback(w http.ResponseWriter, r *http.Request)
- func (a *Auth) ChangePassword(w http.ResponseWriter, r *http.Request)
- func (a *Auth) ConfirmTwoFactor(w http.ResponseWriter, r *http.Request)
- func (a *Auth) DisableTwoFactor(w http.ResponseWriter, r *http.Request)
- func (a *Auth) Enroll2FA(w http.ResponseWriter, r *http.Request)
- func (a *Auth) ForgotPassword(w http.ResponseWriter, r *http.Request)
- func (a *Auth) ImpersonationContext(ctx context.Context, admin *PlatformAdmin, tenantID string) (context.Context, error)
- func (a *Auth) IssueResetToken(ctx context.Context, email, name, kind string) (string, error)
- func (a *Auth) IssueToken(w http.ResponseWriter, r *http.Request)
- func (a *Auth) JWKS(w http.ResponseWriter, _ *http.Request)
- func (a *Auth) Login(w http.ResponseWriter, r *http.Request)
- func (a *Auth) Logout(w http.ResponseWriter, r *http.Request)
- func (a *Auth) LogoutEverywhere(w http.ResponseWriter, r *http.Request)
- func (a *Auth) Me(w http.ResponseWriter, r *http.Request)
- func (a *Auth) PlatformEnroll2FA(w http.ResponseWriter, r *http.Request)
- func (a *Auth) PlatformForgotPassword(w http.ResponseWriter, r *http.Request)
- func (a *Auth) PlatformLogin(w http.ResponseWriter, r *http.Request)
- func (a *Auth) PlatformLogout(w http.ResponseWriter, r *http.Request)
- func (a *Auth) PlatformMe(w http.ResponseWriter, r *http.Request)
- func (a *Auth) PlatformResetPassword(w http.ResponseWriter, r *http.Request)
- func (a *Auth) PlatformVerify2FA(w http.ResponseWriter, r *http.Request)
- func (a *Auth) RefreshAccessToken(w http.ResponseWriter, r *http.Request)
- func (a *Auth) RegenerateRecoveryCodes(w http.ResponseWriter, r *http.Request)
- func (a *Auth) Register(w http.ResponseWriter, r *http.Request)
- func (a *Auth) Require(permission string) func(http.Handler) http.Handler
- func (a *Auth) RequireAuth(next http.Handler) http.Handler
- func (a *Auth) RequireDevice(perm string) func(http.Handler) http.Handler
- func (a *Auth) RequirePlatformAdmin(perm string) func(http.Handler) http.Handler
- func (a *Auth) RequireSession(permission string) func(http.Handler) http.Handler
- func (a *Auth) RequireSessionAuth(next http.Handler) http.Handler
- func (a *Auth) ResetPassword(w http.ResponseWriter, r *http.Request)
- func (a *Auth) RevokeUserSessions(ctx context.Context, tenantID, email string) error
- func (a *Auth) TwoFactorStatus(w http.ResponseWriter, r *http.Request)
- func (a *Auth) Verify2FA(w http.ResponseWriter, r *http.Request)
- func (a *Auth) WatchRBAC(ctx context.Context, interval time.Duration)
- type AuthMode
- type Config
- type Device
- type DeviceRecord
- type DeviceTokenValidator
- type LayeredPolicyProvider
- func (l *LayeredPolicyProvider) DeleteOverride(ctx context.Context, email string) error
- func (l *LayeredPolicyProvider) PermissionsForRole(_ context.Context, role string) []string
- func (l *LayeredPolicyProvider) Reload() error
- func (l *LayeredPolicyProvider) RoleFor(ctx context.Context, email string) (string, []string)
- func (l *LayeredPolicyProvider) SetOverride(ctx context.Context, email, role string, permissions []string) error
- func (l *LayeredPolicyProvider) Store() UserRoleStore
- type Logger
- type LoginThrottler
- type NopAuditSink
- type PasswordPolicy
- type PasswordResetStore
- type PasswordUser
- type PlatformAdmin
- type PlatformAdminRecord
- type PlatformAdminStore
- type PlatformPolicy
- type Policy
- type PolicyProvider
- type PolicyReloader
- type ProviderConfig
- type RBACConfig
- type RefreshToken
- type RefreshTokenStore
- type ResetDelivery
- type ResetRequest
- type ResetToken
- type RolePolicy
- type Session
- type SessionStore
- type SigningKey
- type TOTPManager
- type TOTPStore
- type TrustedDeviceStore
- type User
- type UserRoleStore
- type UserStore
Constants ¶
const ( AuditLogin = "login" AuditLogout = "logout" AuditRefresh = "refresh" AuditRevoke = "revoke" Audit2FAEnroll = "2fa_enroll" Audit2FAVerify = "2fa_verify" Audit2FADisable = "2fa_disable" Audit2FARecoveryRegen = "2fa_recovery_regenerate" AuditPasswordChange = "password_change" AuditRoleChange = "role_change" AuditPermissionChange = "permission_change" AuditImpersonate = "impersonate" // Password reset: a recovery token was requested, and (later) a password was // actually changed via a consumed token. AuditPasswordResetRequest = "password_reset_request" AuditPasswordReset = "password_reset" )
Well-known audit event types. Phases wire these as the corresponding features land; the set matches §7.7.
const ( CapPrintJobReceive = "print:job.receive" CapPrintStatusReport = "print:status.report" )
Device capabilities. A device principal is a print agent (§7.12) — a headless service on a shop PC, not a human. Its capability set is FIXED and tiny: it can receive print jobs and report their status, and nothing else in the API. These names are the whole of what a device may ever do; there is no policy lookup.
const ( ResetKindUser = "user" ResetKindPlatform = "platform" )
Reset kinds namespace a token to one principal axis.
const ( // PermAll grants every permission check. Use "*" in policy.yaml to assign // it to a role. All other permission strings are user-defined. PermAll = "*" )
Variables ¶
var ( ErrUserExists = errors.New("authkit: user already exists") ErrUserNotFound = errors.New("authkit: user not found") )
Sentinel errors for UserStore implementations.
var ( ErrImpersonationDisabled = errors.New("authkit: impersonation is disabled") ErrImpersonationForbidden = errors.New("authkit: platform:impersonate capability required") )
Sentinel errors for impersonation.
var ErrDeviceTokenInvalid = errors.New("authkit: invalid device token")
ErrDeviceTokenInvalid is returned by AuthenticateDevice when the presented token is missing, unknown, or revoked.
Functions ¶
func CheckPassword ¶
CheckPassword compares a plaintext password against a bcrypt hash.
func HashPassword ¶
HashPassword hashes a plaintext password using bcrypt. Exported so consumers can use it in admin/seed tooling.
func IsDeviceCapability ¶ added in v1.0.3
IsDeviceCapability reports whether perm is one of the fixed device capabilities. Used to reject a programming error where a non-print capability is required on a device route.
func TenantIDFromCtx ¶ added in v1.0.2
TenantIDFromCtx returns the tenant ID stored in ctx. ok is false when no tenant has been set (or it is empty), which callers MUST treat as fail-closed.
func WithDevice ¶ added in v1.0.3
WithDevice returns a copy of ctx carrying the device principal. RequireDevice sets this; the WS hub (§10) sets it on the connection context after a successful upgrade authentication.
func WithLogger ¶ added in v0.0.4
func WithLogger(l Logger) func(*LayeredPolicyProvider)
WithLogger configures a Logger for LayeredPolicyProvider. When set, DB errors during role lookups are logged so operators can detect store outages.
Example:
provider, err := authkit.NewLayeredProvider("policy.yaml", store,
authkit.WithLogger(myLogger),
)
func WithTenant ¶ added in v1.0.2
WithTenant returns a copy of ctx carrying the given tenant ID. authkit sets this from the authenticated principal before resolving permissions, so a tenant-aware PolicyProvider (and the host's per-transaction RLS GUC) can scope to the right tenant. It is the single owner of the tenant context key shared across the auth library and the host application.
Types ¶
type APIKeyValidator ¶ added in v0.0.3
APIKeyValidator validates a raw API key string and returns the associated user. Implementations look up the key hash in a store and return a *User with Email, Name, Provider, and Role populated. Authkit then resolves the user's permissions from the RBAC policy based on the returned Role.
Return nil, nil when the key is not found, expired, or inactive. Return nil, err only for unexpected infrastructure failures.
type AuditEvent ¶ added in v1.0.2
type AuditEvent struct {
Type string
TenantID string
Actor string
Subject string
IP string
At time.Time
Meta map[string]any
}
AuditEvent is a single auditable security event emitted by authkit. The host application wires an AuditSink to persist these to its audit log (§7.7).
Type is one of the well-known constants below. TenantID is empty for platform principals and for pre-tenant events (e.g. a failed login before the user is resolved). Actor is who performed the action (email or admin id); Subject is who/what it acted on (often the same as Actor for self-service events). Meta carries event-specific detail (provider, session id, role names, etc.).
type AuditSink ¶ added in v1.0.2
type AuditSink interface {
Emit(ctx context.Context, ev AuditEvent)
}
AuditSink receives audit events. Implementations MUST NOT block the request path on slow I/O — buffer or hand off as needed. Emit is best-effort from authkit's perspective; it never returns an error to the caller.
type Auth ¶
type Auth struct {
// contains filtered or unexported fields
}
Auth is the central object. Create one with New() and attach its methods as HTTP handlers and middleware.
func New ¶
New validates the config, registers the OAuth providers with goth, loads the RBAC policy, and returns a ready-to-use Auth instance.
func (*Auth) AuthenticateDevice ¶ added in v1.0.3
AuthenticateDevice validates a raw device token and builds the principal. It is the credential path shared by RequireDevice (HTTP) and the WS-upgrade authenticator (§10), so both bind tenant+branch identically. It does NOT touch ctx — the caller binds (RequireDevice via WithDevice + WithTenant; the hub on the connection context).
func (*Auth) Authorize ¶ added in v1.0.3
func (a *Auth) Authorize(w http.ResponseWriter, r *http.Request)
Authorize is the PKCE authorization endpoint. It requires an authenticated session, validates the client + redirect + challenge, mints an auth code, and redirects back to the app. Mount on: GET /authorize
func (*Auth) BeginAuth ¶
func (a *Auth) BeginAuth(w http.ResponseWriter, r *http.Request)
BeginAuth starts the OAuth flow for the provider named in the URL path. Mount this on: GET /auth/{provider}
The provider name is extracted from the Go 1.22+ path value {provider}.
func (*Auth) CSRF ¶ added in v1.0.3
CSRF is middleware enforcing the double-submit check on unsafe methods. On safe methods it ensures a valid token cookie is present (bootstrapping the SPA). It is a pass-through when EnableCSRF is false or the request is token-authenticated.
func (*Auth) CSRFToken ¶ added in v1.0.3
func (a *Auth) CSRFToken(w http.ResponseWriter, r *http.Request)
CSRFToken issues (or returns the existing) CSRF token and writes it as JSON, for SPAs that fetch it explicitly. Mount on: GET /auth/csrf
func (*Auth) Callback ¶
func (a *Auth) Callback(w http.ResponseWriter, r *http.Request)
Callback completes the OAuth handshake, resolves the user's role from the RBAC policy, stores the user in the session, then redirects to AfterLoginURL. Mount this on: GET /auth/{provider}/callback
func (*Auth) ChangePassword ¶ added in v1.0.3
func (a *Auth) ChangePassword(w http.ResponseWriter, r *http.Request)
ChangePassword lets a signed-in user rotate their own password. It verifies the current password, sets the new one, then revokes every session and mints a fresh one for THIS device — so other devices are logged out (a credential change must not leave old sessions live) while the user stays signed in here. Mount on: POST /auth/password/change. Form: current_password, new_password.
func (*Auth) ConfirmTwoFactor ¶ added in v1.0.3
func (a *Auth) ConfirmTwoFactor(w http.ResponseWriter, r *http.Request)
ConfirmTwoFactor activates a pending TOTP secret for a user enrolling voluntarily from their account page (as opposed to the login-time flow, which uses Verify2FA + the pending cookie). It validates a code against the freshly provisioned secret and confirms it. Mount on: POST /auth/2fa/confirm. Form: code (6-digit TOTP) or recovery_code.
func (*Auth) DisableTwoFactor ¶ added in v1.0.3
func (a *Auth) DisableTwoFactor(w http.ResponseWriter, r *http.Request)
DisableTwoFactor turns off the current user's 2FA. Refused when the user's role mandates 2FA (they would be forced to re-enroll at next login anyway). Mount on: POST /auth/2fa/disable.
func (*Auth) Enroll2FA ¶ added in v1.0.3
func (a *Auth) Enroll2FA(w http.ResponseWriter, r *http.Request)
Enroll2FA provisions a new TOTP secret + recovery codes for the user currently in the 2FA-pending state (or an authenticated session, for voluntary enrollment), and returns the otpauth URL + recovery codes to show once. Mount on: POST /auth/2fa/enroll
func (*Auth) ForgotPassword ¶ added in v1.0.3
func (a *Auth) ForgotPassword(w http.ResponseWriter, r *http.Request)
ForgotPassword starts self-service recovery for a tenant user. It ALWAYS responds 200 with the same body whether or not the email exists, leaking nothing about which emails are registered. Mount on: POST /auth/password/forgot. Expects form: email.
func (*Auth) ImpersonationContext ¶ added in v1.0.3
func (a *Auth) ImpersonationContext(ctx context.Context, admin *PlatformAdmin, tenantID string) (context.Context, error)
ImpersonationContext returns a single-tenant-scoped context for a platform admin to act within exactly one tenant (break-glass). It requires the `platform:impersonate` capability and is audited. Downstream tenant-scoped DB access then runs under normal RLS for that one tenant — the admin is confined, never able to read across tenants.
func (*Auth) IssueResetToken ¶ added in v1.0.3
IssueResetToken mints, stores, and delivers a reset token for (email, kind). It is the shared core of the self-service forgot-password handlers and any admin-initiated reset (an owner resetting a staff member). It returns the raw token so an authenticated caller can surface the reset link directly; the public handlers discard it. A delivery error is returned (the caller decides); a store error is returned without attempting delivery.
func (*Auth) IssueToken ¶ added in v1.0.3
func (a *Auth) IssueToken(w http.ResponseWriter, r *http.Request)
IssueToken exchanges an authorization code (+ PKCE verifier) for an access + refresh token pair. Mount on: POST /token Expects form values: grant_type=authorization_code, code, code_verifier, redirect_uri.
func (*Auth) JWKS ¶ added in v1.0.3
func (a *Auth) JWKS(w http.ResponseWriter, _ *http.Request)
JWKS serves the public verification keys. Mount on: GET /.well-known/jwks.json
func (*Auth) Login ¶
func (a *Auth) Login(w http.ResponseWriter, r *http.Request)
Login authenticates a user with email and password. Mount this on: POST /auth/login
Expects form values: email and password.
func (*Auth) Logout ¶
func (a *Auth) Logout(w http.ResponseWriter, r *http.Request)
Logout clears the session and redirects to AfterLogoutURL. Mount this on: POST /auth/logout
func (*Auth) LogoutEverywhere ¶ added in v1.0.3
func (a *Auth) LogoutEverywhere(w http.ResponseWriter, r *http.Request)
LogoutEverywhere revokes every session for the current user, including this one, and clears the cookie ("log out all devices"). The client should treat the response as a logout and route to login. Mount on: POST /auth/logout/all.
func (*Auth) Me ¶
func (a *Auth) Me(w http.ResponseWriter, r *http.Request)
Me returns the currently authenticated user as JSON. Returns 401 if the request has no valid session. Mount this on: GET /auth/me
func (*Auth) PlatformEnroll2FA ¶ added in v1.0.3
func (a *Auth) PlatformEnroll2FA(w http.ResponseWriter, r *http.Request)
PlatformEnroll2FA provisions a PENDING TOTP secret + recovery codes for a platform admin who passed the password step but has not enrolled 2FA yet, and returns the otpauth URL + recovery codes to show once. The admin confirms by calling PlatformVerify2FA with a code. Mount on: POST /platform/2fa/enroll.
It refuses once 2FA is confirmed: a stolen password alone must never be able to re-enroll (and thus reset) a platform admin's authenticator. Re-enrollment of a confirmed admin only happens after another admin resets their 2FA.
func (*Auth) PlatformForgotPassword ¶ added in v1.0.3
func (a *Auth) PlatformForgotPassword(w http.ResponseWriter, r *http.Request)
PlatformForgotPassword starts self-service recovery for a platform admin. Same no-enumeration contract as ForgotPassword. Mount on: POST /platform/password/forgot. Expects form: email.
func (*Auth) PlatformLogin ¶ added in v1.0.3
func (a *Auth) PlatformLogin(w http.ResponseWriter, r *http.Request)
PlatformLogin is step ONE of platform login: it verifies the email + password and, only on success, starts the mandatory TOTP challenge (no role exemption). It does NOT mint a session — the client must then call PlatformVerify2FA with the code. Mount on a separate route/subdomain: POST /platform/login. Expects form values: email, password.
func (*Auth) PlatformLogout ¶ added in v1.0.3
func (a *Auth) PlatformLogout(w http.ResponseWriter, r *http.Request)
PlatformLogout revokes the platform session and clears the cookie.
func (*Auth) PlatformMe ¶ added in v1.0.3
func (a *Auth) PlatformMe(w http.ResponseWriter, r *http.Request)
PlatformMe returns the currently signed-in platform admin (from the platform session cookie), or 401 when there is none. It is the platform counterpart to Me, letting an SPA confirm the platform session and show who is logged in. Mount on: GET /platform/me
func (*Auth) PlatformResetPassword ¶ added in v1.0.3
func (a *Auth) PlatformResetPassword(w http.ResponseWriter, r *http.Request)
PlatformResetPassword completes a platform admin's recovery: consume the token, set the new password, revoke platform sessions. 2FA enrollment is untouched — the admin still passes TOTP at next login. Mount on: POST /platform/password/reset. Expects form: token, password.
func (*Auth) PlatformVerify2FA ¶ added in v1.0.3
func (a *Auth) PlatformVerify2FA(w http.ResponseWriter, r *http.Request)
PlatformVerify2FA is step TWO: it validates the TOTP code for the admin in the platform-pending state (password already verified) and, on success, establishes the platform session. Mount on: POST /platform/2fa/verify. Expects form: code.
func (*Auth) RefreshAccessToken ¶ added in v1.0.3
func (a *Auth) RefreshAccessToken(w http.ResponseWriter, r *http.Request)
RefreshAccessToken rotates a refresh token: it issues a new access + refresh pair and invalidates the presented token. Reuse of a spent/revoked token revokes the entire chain. Mount on: POST /token/refresh Expects form value: refresh_token.
func (*Auth) RegenerateRecoveryCodes ¶ added in v1.0.3
func (a *Auth) RegenerateRecoveryCodes(w http.ResponseWriter, r *http.Request)
RegenerateRecoveryCodes issues a fresh set of recovery codes for a user whose 2FA is already confirmed, invalidating the old set, and returns the new codes to show once. Mount on: POST /auth/2fa/recovery/regenerate.
func (*Auth) Register ¶
func (a *Auth) Register(w http.ResponseWriter, r *http.Request)
Register creates a new user account with email and password, then logs them in automatically. Mount this on: POST /auth/register
Expects form values: email, password, and optionally name.
func (*Auth) Require ¶
Require is middleware that enforces both a valid credential (API key or OAuth session) AND that the authenticated user holds the given permission. Returns 401 when there is no credential, 403 when the user lacks the permission.
func (*Auth) RequireAuth ¶
RequireAuth is middleware that enforces a valid credential — either an API key (via APIKeyValidator, if configured) or an OAuth session cookie. Responds 401 when neither is present or valid. On success it injects the User into the request context.
func (*Auth) RequireDevice ¶ added in v1.0.3
RequireDevice authenticates a device principal (opaque token via Authorization: Bearer / X-API-Key) and checks it holds the given print capability. It is a SEPARATE credential path from Require/RequireAuth — a device token never authenticates a human route, and a human credential never authenticates a device route, so a device "can do nothing else in the API" (§7.12).
On success it sets both the device principal and the device's tenant on ctx (via WithTenant), so tenant-scoped DB access runs under the right RLS GUC. It panics if perm is not a fixed device capability — a wiring mistake caught at startup, not a runtime 403.
func (*Auth) RequirePlatformAdmin ¶ added in v1.0.3
RequirePlatformAdmin authenticates a platform principal and checks a platform capability. It NEVER sets the tenant GUC (§6.6). 401 without a platform session, 403 without the capability.
func (*Auth) RequireSession ¶ added in v0.0.3
RequireSession is like Require but rejects API key credentials. Use this for permission-gated management routes that must use OAuth sessions.
func (*Auth) RequireSessionAuth ¶ added in v0.0.3
RequireSessionAuth is like RequireAuth but rejects API key credentials. Use this for routes that must only be accessed via an OAuth session (e.g. /auth/me, UI-only management actions).
func (*Auth) ResetPassword ¶ added in v1.0.3
func (a *Auth) ResetPassword(w http.ResponseWriter, r *http.Request)
ResetPassword completes self-service recovery: consume a valid reset token, set the new password, and revoke all of the user's sessions. Mount on: POST /auth/password/reset. Expects form: token, password.
func (*Auth) RevokeUserSessions ¶ added in v1.0.3
RevokeUserSessions revokes every server-side session for a user — the "log out everywhere" / fired-employee path. No-op when no SessionStore is configured. ctx must carry the user's tenant.
func (*Auth) TwoFactorStatus ¶ added in v1.0.3
func (a *Auth) TwoFactorStatus(w http.ResponseWriter, r *http.Request)
TwoFactorStatus reports whether the current user has confirmed 2FA and whether their role mandates it (§6.5#4). The SPA uses this to show enroll-vs-manage and to mark 2FA as required. Mount on: GET /auth/2fa/status.
func (*Auth) Verify2FA ¶ added in v1.0.3
func (a *Auth) Verify2FA(w http.ResponseWriter, r *http.Request)
Verify2FA completes a pending login by validating a TOTP code or a recovery code, then establishes the session. Mount on: POST /auth/2fa/verify Expects form values: code (6-digit TOTP) OR recovery_code.
type AuthMode ¶
type AuthMode string
AuthMode controls which authentication methods are enabled.
const ( // AuthModeOAuth enables only OAuth providers (default). AuthModeOAuth AuthMode = "oauth" // AuthModePassword enables only email/password authentication. AuthModePassword AuthMode = "password" // AuthModeBoth enables both OAuth and email/password authentication. AuthModeBoth AuthMode = "both" )
type Config ¶
type Config struct {
// Mode controls which authentication methods are enabled.
// Defaults to AuthModeOAuth for backward compatibility.
Mode AuthMode
// Providers is the list of OAuth providers to enable using the built-in
// convenience wrappers (github, google, gitlab).
// Required when Mode is AuthModeOAuth or AuthModeBoth, unless GothProviders
// is supplied instead.
Providers []ProviderConfig
// GothProviders is a list of pre-constructed goth.Provider values.
// Use this to enable any of the 80+ providers that goth supports beyond the
// three built-in convenience wrappers. Import the provider package you need
// from github.com/markbates/goth/providers/*, construct the provider, and
// pass it here. It is merged with any providers built from Providers.
//
// Example — add Spotify and Discord:
//
// import (
// "github.com/markbates/goth/providers/spotify"
// "github.com/markbates/goth/providers/discord"
// )
//
// GothProviders: []goth.Provider{
// spotify.New(clientID, secret, callbackURL, "user-read-email"),
// discord.New(clientID, secret, callbackURL, "identify", "email"),
// },
GothProviders []goth.Provider
// CallbackBaseURL is the externally-reachable base URL of the service
// (e.g. "https://example.com"). The OAuth callback URLs are derived as
// {CallbackBaseURL}/auth/{provider}/callback.
// Required when Mode is AuthModeOAuth or AuthModeBoth.
CallbackBaseURL string
// SessionSecret is used to sign and encrypt session cookies.
// Must be at least 32 bytes of random data.
SessionSecret string
// SecureCookie controls the Secure flag on session cookies.
// Set to true in production (HTTPS only). Defaults to false.
SecureCookie bool
// AfterLoginURL is the URL the user is redirected to after a successful login.
// Defaults to "/".
AfterLoginURL string
// AfterLogoutURL is the URL the user is redirected to after logout.
// Defaults to "/".
AfterLogoutURL string
// RBAC configures the role policy. If FilePath is empty, all authenticated
// users receive an empty role with no permissions.
RBAC RBACConfig
// UserStore provides user persistence for password-based authentication.
// Required when Mode is AuthModePassword or AuthModeBoth.
UserStore UserStore
// PasswordPolicy configures password validation rules.
// If nil, defaults are used (minimum 8 characters).
PasswordPolicy *PasswordPolicy
// Logger is used for diagnostic output. If nil, logs are written to the
// standard library log package.
Logger Logger
// APIKeyValidator enables API key authentication alongside OAuth sessions.
// When set, Require and RequireAuth middleware check the Authorization:
// Bearer (or X-API-Key) header first. RequireSession and RequireSessionAuth
// skip API key auth entirely (session-only routes).
// If nil, API key auth is disabled and only sessions are accepted.
APIKeyValidator APIKeyValidator
// AuditSink receives security audit events (login, logout, refresh, revoke,
// 2fa_*, role_change, permission_change, impersonate). If nil, a
// NopAuditSink is installed so authkit can emit unconditionally.
AuditSink AuditSink
// LivePermissionResolution makes Require/RequireAuth re-resolve a session
// user's permissions from the PolicyProvider on every request (through a
// short TTL cache), so role and permission changes take effect within the
// cache window rather than only on next login. Multi-tenant deploys want
// this on; single-shop deploys can leave it off (cheaper login-time cache).
// API-key credentials always resolve live regardless of this flag.
LivePermissionResolution bool
// PermissionCacheTTL bounds how stale a live-resolved permission set may be.
// Defaults to 30s when LivePermissionResolution is enabled.
PermissionCacheTTL time.Duration
// SessionStore enables revocable, server-side sessions. When set, the cookie
// carries only an opaque session ID and all identity state lives in the
// store, allowing instant revocation and "log out everywhere". When nil,
// authkit falls back to the legacy encrypted-cookie session.
SessionStore SessionStore
// IdleTimeout expires a session after inactivity (sliding). Defaults to 30m.
// Only used with SessionStore.
IdleTimeout time.Duration
// AbsoluteTimeout caps a session's total lifetime regardless of activity.
// Defaults to 24h. Only used with SessionStore.
AbsoluteTimeout time.Duration
// EnableCSRF turns on the CSRF middleware (signed double-submit) for
// cookie-authenticated, state-changing requests. Token-authenticated
// requests are always exempt.
EnableCSRF bool
// Throttler rate-limits password login attempts (per account+IP). When nil,
// no throttling is applied.
Throttler LoginThrottler
// TOTPStore enables two-step auth (TOTP). When set, a user whose role is in
// Require2FAForRoles must complete a TOTP challenge after the password step.
// When nil, 2FA is disabled.
TOTPStore TOTPStore
// Require2FAForRoles lists the roles that must complete 2FA (e.g. owner,
// manager). Only consulted when TOTPStore is set.
Require2FAForRoles []string
// AppName is the issuer shown in authenticator apps (the TOTP provisioning
// URL). Defaults to "App".
AppName string
// ── Trusted devices ("remember this device", skip 2FA) ────────────────
// TrustedDeviceStore enables a "trust this device" option at the 2FA step: a
// remembered device skips the TOTP prompt (the password is still required) for
// TrustedDeviceTTL. The token is opaque + server-side, so it is revocable
// (logout-everywhere, password change/reset, and disabling 2FA all drop it).
// When nil, every 2FA login prompts for TOTP. NOT used for platform admins.
TrustedDeviceStore TrustedDeviceStore
// TrustedDeviceTTL bounds how long a trusted device skips 2FA. Defaults to 30d.
TrustedDeviceTTL time.Duration
// ── Mobile token layer (§7.6) ─────────────────────────────────────────
// EnableTokens turns on the OAuth2/PKCE token endpoints and the bearer-JWT
// verifier. Requires SigningKeys and RefreshTokenStore.
EnableTokens bool
// SigningKeys is the Ed25519 rotation ring; the first key signs new access
// tokens, all keys verify (and are published via JWKS).
SigningKeys []SigningKey
// AccessTokenTTL is the access-JWT lifetime (default 15m); RefreshTokenTTL
// the refresh lifetime (default 30d).
AccessTokenTTL time.Duration
RefreshTokenTTL time.Duration
// RefreshTokenStore persists opaque refresh tokens (rotation + reuse
// detection).
RefreshTokenStore RefreshTokenStore
// TokenIssuer is the JWT `iss` claim; TokenClientID the public mobile
// client id (also the JWT audience); TokenRedirectURIs the allowed PKCE
// redirect URIs.
TokenIssuer string
TokenClientID string
TokenRedirectURIs []string
// ── Platform / super-admin (§6.6, §7.11) ──────────────────────────────
// PlatformAdminStore + PlatformPolicy enable the platform principal axis
// (separate from tenant users). EnableImpersonation gates break-glass
// single-tenant access.
PlatformAdminStore PlatformAdminStore
PlatformPolicy PlatformPolicy
EnableImpersonation bool
// ── Password reset (§6, "Forget Password") ────────────────────────────
// PasswordResetStore persists single-use, hashed reset tokens; ResetDelivery
// sends the raw token out-of-band (email/SMS). Both are required to enable the
// ForgotPassword/ResetPassword (and platform) handlers. PasswordResetTTL bounds
// a token's validity (default 30m).
PasswordResetStore PasswordResetStore
ResetDelivery ResetDelivery
PasswordResetTTL time.Duration
// ── Device principals / print agents (§7.12) ──────────────────────────
// DeviceTokenValidator enables the device principal axis (print agents).
// When set, RequireDevice and AuthenticateDevice validate opaque device
// tokens against it. A device principal is confined to the fixed print:*
// capabilities and is a separate credential path from the human/API-key
// flow, so a device can do nothing else in the API. When nil, device auth
// is disabled.
DeviceTokenValidator DeviceTokenValidator
}
Config holds all configuration needed to create an Auth instance.
type Device ¶ added in v1.0.3
Device is a device principal — a print agent bound to exactly one tenant and branch. It carries no human identity and resolves no permissions from a policy provider: its reach is the fixed deviceCaps set. The branch binds job routing (§10): the hub delivers a job only to agents whose tenant+branch match.
func DeviceFromCtx ¶ added in v1.0.3
DeviceFromCtx returns the device principal on ctx, or nil.
type DeviceRecord ¶ added in v1.0.3
DeviceRecord is what DeviceTokenValidator returns for a valid token. The store looks the token up by hash (pre-tenant, via a SECURITY DEFINER function) and returns only the binding the principal needs — never the token itself.
type DeviceTokenValidator ¶ added in v1.0.3
type DeviceTokenValidator interface {
ValidateDeviceToken(ctx context.Context, rawToken string) (*DeviceRecord, error)
}
DeviceTokenValidator validates an opaque device token and returns the bound agent. Implementations hash the token at rest and look it up before any tenant is known (a device authenticates with only the token). Return nil, nil when the token is unknown, revoked, or inactive; nil, err only on infrastructure failure.
type LayeredPolicyProvider ¶ added in v0.0.4
type LayeredPolicyProvider struct {
// contains filtered or unexported fields
}
LayeredPolicyProvider combines a YAML baseline with per-user database overrides. The YAML file defines roles and their initial members. A management UI can call SetOverride to change individual users without editing the file.
Lookup order per request:
- Database override for this email (UI-managed, takes precedence)
- YAML baseline (file-managed, fallback)
Implements PolicyProvider and PolicyReloader.
func NewLayeredProvider ¶ added in v0.0.4
func NewLayeredProvider(filePath string, store UserRoleStore, opts ...func(*LayeredPolicyProvider)) (*LayeredPolicyProvider, error)
NewLayeredProvider creates a LayeredPolicyProvider that reads the initial policy from filePath and looks up per-user overrides from store.
Example:
provider, err := authkit.NewLayeredProvider("policy.yaml", myDBStore,
authkit.WithLogger(myLogger),
)
auth, err := authkit.New(authkit.Config{
RBAC: authkit.RBACConfig{Provider: provider},
...
})
go auth.WatchRBAC(ctx, 30*time.Second) // reloads YAML baseline
func (*LayeredPolicyProvider) DeleteOverride ¶ added in v0.0.4
func (l *LayeredPolicyProvider) DeleteOverride(ctx context.Context, email string) error
DeleteOverride removes the role override for email, reverting that user to the YAML baseline on their next login.
func (*LayeredPolicyProvider) PermissionsForRole ¶ added in v0.0.4
func (l *LayeredPolicyProvider) PermissionsForRole(_ context.Context, role string) []string
PermissionsForRole implements PolicyProvider. Resolves permissions for a named role from the YAML baseline — role definitions are always file-managed. ctx is unused: the layered provider's role definitions are not per-tenant.
func (*LayeredPolicyProvider) Reload ¶ added in v0.0.4
func (l *LayeredPolicyProvider) Reload() error
Reload implements PolicyReloader. Re-reads the YAML baseline without affecting any database overrides. Called automatically by WatchRBAC.
func (*LayeredPolicyProvider) RoleFor ¶ added in v0.0.4
RoleFor implements PolicyProvider. Checks the DB override first, then falls back to the YAML baseline. If the DB returns an error the fallback is used and the error is logged (if a Logger was configured). This prevents a store outage from locking users out, but means a user whose DB override was a demotion will temporarily regain their YAML role. Monitor store errors.
func (*LayeredPolicyProvider) SetOverride ¶ added in v0.0.4
func (l *LayeredPolicyProvider) SetOverride(ctx context.Context, email, role string, permissions []string) error
SetOverride validates and stores a per-user role override. Returns an error if the email format is invalid, the role name is not defined in the current YAML policy, or any permission string is invalid.
NOTE: role changes take effect on the user's next login — existing sessions retain their current permissions until they expire or the user logs out and back in. There is no built-in session invalidation.
func (*LayeredPolicyProvider) Store ¶ added in v0.0.4
func (l *LayeredPolicyProvider) Store() UserRoleStore
Store returns the raw UserRoleStore for operations not covered by SetOverride/DeleteOverride (e.g. listing all overrides in a management UI).
type Logger ¶
type Logger interface {
// Info logs informational messages (e.g. startup warnings).
Info(msg string, args ...any)
// Error logs error messages (e.g. failed OAuth callbacks, session errors).
Error(msg string, args ...any)
}
Logger is the interface authkit uses for diagnostic output. Provide your own implementation to route authkit logs into your application's logging system (e.g. slog, zap, zerolog). If not set in Config, a default logger that writes to the standard library log package is used.
type LoginThrottler ¶ added in v1.0.3
type LoginThrottler interface {
// Allow reports whether an attempt for key may proceed. When locked out, ok
// is false and retryAfter is the remaining lockout duration.
Allow(ctx context.Context, key string) (retryAfter time.Duration, ok bool)
// RecordFailure registers a failed attempt (advancing backoff/lockout).
RecordFailure(ctx context.Context, key string) error
// Reset clears the failure state for key after a successful login.
Reset(ctx context.Context, key string) error
}
LoginThrottler rate-limits authentication attempts to blunt credential stuffing and brute force. The host implements it (e.g. backed by Redis); authkit calls it around the password login flow. Keys are per account+IP.
type NopAuditSink ¶ added in v1.0.2
type NopAuditSink struct{}
NopAuditSink discards every event. It is the default when Config.AuditSink is nil, so callers can emit unconditionally without nil checks.
func (NopAuditSink) Emit ¶ added in v1.0.2
func (NopAuditSink) Emit(context.Context, AuditEvent)
Emit implements AuditSink and does nothing.
type PasswordPolicy ¶
type PasswordPolicy struct {
// MinLength is the minimum password length. Defaults to 8.
MinLength int
}
PasswordPolicy configures password validation constraints.
type PasswordResetStore ¶ added in v1.0.3
type PasswordResetStore interface {
// CreateResetToken stores a hashed token bound to (email, kind) with expiry.
CreateResetToken(ctx context.Context, tokenHash, email, kind string, expiresAt time.Time) error
// ConsumeResetToken atomically marks the token used (only if unused and
// unexpired) and returns the email it binds. ok is false when the token is
// unknown, already used, expired, or of the wrong kind.
ConsumeResetToken(ctx context.Context, tokenHash, kind string) (email string, ok bool, err error)
}
PasswordResetStore persists single-use password-reset tokens. The raw token is delivered out-of-band (email today, SMS later); only its hash is stored. Consume MUST be atomic and single-use.
type PasswordUser ¶
type PasswordUser struct {
Email string
Name string
HashedPassword string
// TenantID binds this credential to one tenant; BranchID is an optional
// in-tenant scope. The store populates them (email is global, so the lookup
// determines the tenant). They are copied onto the authenticated User.
TenantID string
BranchID string
}
PasswordUser is the record returned by UserStore.GetUserByEmail.
type PlatformAdmin ¶ added in v1.0.3
type PlatformAdmin struct {
Email string
Name string
Role string
// contains filtered or unexported fields
}
PlatformAdmin is a platform principal — a super-admin operating the SaaS across tenants. It is a different axis from tenant RBAC and has NO TenantID (§6.6). Its reach comes from application logic + explicit single-tenant impersonation, never from the DB role (which has no BYPASSRLS).
func PlatformAdminFromCtx ¶ added in v1.0.3
func PlatformAdminFromCtx(ctx context.Context) *PlatformAdmin
PlatformAdminFromCtx returns the platform principal on ctx, or nil.
func (*PlatformAdmin) Can ¶ added in v1.0.3
func (p *PlatformAdmin) Can(perm string) bool
Can reports whether the admin holds a platform capability ("*" passes all).
type PlatformAdminRecord ¶ added in v1.0.3
type PlatformAdminRecord struct {
Email string
Name string
HashedPassword string
Role string
TOTPSecret string
TOTPConfirmed bool
}
PlatformAdminRecord is what PlatformAdminStore returns for login. TOTPSecret is the decrypted TOTP secret (the store handles encryption at rest), and is empty for an admin who has not enrolled yet; TOTPConfirmed reports whether that secret has been activated by a first successful verification. 2FA is mandatory, but a console-created admin enrolls on first login (pending→confirmed), so the secret is not always present immediately (only after bootstrap, or post-enroll).
type PlatformAdminStore ¶ added in v1.0.3
type PlatformAdminStore interface {
GetPlatformAdmin(ctx context.Context, email string) (*PlatformAdminRecord, error)
// UpdatePassword sets the bcrypt-hashed password for the platform admin with
// this email. Called by the platform password-reset flow; it does NOT touch
// the TOTP secret (2FA stays mandatory). Runs on the pool — platform_admins
// has no RLS.
UpdatePassword(ctx context.Context, email, hashedPassword string) error
// EnrollPlatformTOTP stores (or replaces) a PENDING secret + recovery hashes
// for an admin who has not confirmed 2FA yet (mirrors the tenant TOTPStore).
EnrollPlatformTOTP(ctx context.Context, email, secret string, recoveryCodeHashes []string) error
// ConfirmPlatformTOTP activates a pending secret on first successful verify.
// Idempotent: a no-op once confirmed.
ConfirmPlatformTOTP(ctx context.Context, email string) error
// ConsumePlatformRecovery atomically marks a recovery code used (single-use)
// and reports whether it matched an unused code.
ConsumePlatformRecovery(ctx context.Context, email, codeHash string) (bool, error)
}
PlatformAdminStore looks up platform admins (separate from UserStore) and backs their TOTP enrollment. Admin lifecycle (create/list/remove) lives in the host app's own store methods; this interface is only what authkit's auth flow needs.
type PlatformPolicy ¶ added in v1.0.3
PlatformPolicy maps a platform role to its capabilities (a small, static catalog independent of the per-tenant PolicyProvider).
type Policy ¶
type Policy struct {
// Roles maps role names to their definition.
Roles map[string]RolePolicy `yaml:"roles"`
// DefaultRole is assigned to authenticated users whose email is not listed
// under any role. Leave empty to deny access to unlisted users.
DefaultRole string `yaml:"default_role"`
}
Policy is the top-level structure of an rbac.yaml file.
type PolicyProvider ¶ added in v0.0.4
type PolicyProvider interface {
// RoleFor returns the role name and permission list for the given email.
// Called on every login and API key auth. Return empty strings/nil when
// the user has no assigned role.
RoleFor(ctx context.Context, email string) (role string, permissions []string)
// PermissionsForRole returns the permissions for a named role. The ctx
// carries the tenant (via TenantIDFromCtx) so role definitions can be
// per-tenant — a DB-backed provider scopes its lookup to that tenant.
// Used to resolve permissions for API key users and for per-request live
// resolution (LivePermissionResolution).
PermissionsForRole(ctx context.Context, role string) []string
}
PolicyProvider resolves a user's role and permissions at login time. Implement this interface to back RBAC with any storage system. The built-in implementations are the YAML file provider (default) and LayeredPolicyProvider (YAML baseline + database overrides).
type PolicyReloader ¶ added in v0.0.4
type PolicyReloader interface {
Reload() error
}
PolicyReloader is an optional interface that PolicyProvider implementations can satisfy to support live policy reloading via WatchRBAC.
type ProviderConfig ¶
type ProviderConfig struct {
// Name is the provider identifier for the built-in wrappers: "bitbucket", "github", "google", or "gitlab".
// For any other provider, use Config.GothProviders instead.
Name string
// ClientID and ClientSecret are the OAuth application credentials.
ClientID string
ClientSecret string
// Scopes overrides the default scopes for the provider.
// Leave nil to use the sensible defaults (email + profile).
Scopes []string
}
ProviderConfig holds the OAuth credentials for a single provider.
type RBACConfig ¶
type RBACConfig struct {
// FilePath is the path to the rbac.yaml policy file.
// Used when Provider is nil.
FilePath string
// Provider supplies a custom PolicyProvider implementation (e.g. a
// database-backed or layered provider). When set, FilePath is ignored.
Provider PolicyProvider
}
RBACConfig tells the Auth instance how to load the role policy.
type RefreshToken ¶ added in v1.0.3
type RefreshToken struct {
ID string
UserEmail string
TenantID string
ChainID string
ParentID string
IssuedAt time.Time
ExpiresAt time.Time
UsedAt *time.Time
RevokedAt *time.Time
}
RefreshToken is one opaque refresh token in a rotation chain. A successful refresh marks the presented token used and issues a child (same ChainID, ParentID = the used token). Presenting an already-used or revoked token is treated as theft and revokes the whole chain.
ID is the raw token at the authkit boundary; the store MUST hash it at rest and hash lookups, so the database never holds a usable token.
type RefreshTokenStore ¶ added in v1.0.3
type RefreshTokenStore interface {
// Create stores a new refresh token.
Create(ctx context.Context, t *RefreshToken) error
// Get returns the token for the raw value, or nil if not found.
Get(ctx context.Context, rawToken string) (*RefreshToken, error)
// Rotate atomically marks rawOld used and stores next (its child). It MUST
// fail (and change nothing) if rawOld is already used or revoked.
Rotate(ctx context.Context, rawOld string, next *RefreshToken) error
// RevokeChain revokes every token sharing chainID (reuse response).
RevokeChain(ctx context.Context, chainID string) error
}
RefreshTokenStore persists refresh tokens with rotation lineage and reuse detection. Implementations hash ID at rest.
type ResetDelivery ¶ added in v1.0.3
type ResetDelivery interface {
SendPasswordReset(ctx context.Context, req ResetRequest) error
}
ResetDelivery delivers a password-reset token to the principal. The host owns the channel (email now, SMS later) — authkit is channel-agnostic. Sending is best-effort from the request's perspective: the "forgot" endpoint logs a delivery error but still returns 200, so it leaks neither which emails exist nor which channel succeeded.
type ResetRequest ¶ added in v1.0.3
ResetRequest is handed to ResetDelivery to deliver a reset token. authkit stores only the hash; Token here is the raw secret that goes in the link/code. Kind selects the template/channel and which reset page the link points to.
type ResetToken ¶ added in v1.0.3
type ResetToken struct {
TokenHash string
Email string
Kind string
ExpiresAt time.Time
UsedAt *time.Time
}
ResetToken is a single-use, hashed password-reset token record. UsedAt is nil until the token is consumed.
type RolePolicy ¶
type RolePolicy struct {
// Permissions is the list of allowed permissions for this role.
// Use "*" to grant all permissions (admin).
Permissions []string `yaml:"permissions"`
// Members is the list of email addresses assigned to this role.
Members []string `yaml:"members"`
}
RolePolicy defines the permissions and member emails for a single role.
type Session ¶ added in v1.0.3
type Session struct {
ID string
TenantID string
BranchID string
Email string
Name string
Provider string
Role string
Permissions []string
// Platform marks a super-admin (platform principal) session — no tenant.
// Tenant and platform sessions use different cookies, so they never cross.
Platform bool
// CreatedAt anchors the absolute timeout; LastSeenAt anchors the idle
// timeout (advanced by Touch on a sliding basis).
CreatedAt time.Time
LastSeenAt time.Time
}
Session is a server-side session record. The cookie holds only the opaque ID; all identity state lives in the SessionStore, enabling instant revocation and "log out everywhere" — things a stateless cookie cannot do.
type SessionStore ¶ added in v1.0.3
type SessionStore interface {
// Create persists a new session. Returns an error only on infrastructure failure.
Create(ctx context.Context, s *Session) error
// Get returns the session for id, or nil when it does not exist.
Get(ctx context.Context, id string) (*Session, error)
// Touch advances LastSeenAt for sliding idle renewal.
Touch(ctx context.Context, id string, lastSeen time.Time) error
// Revoke deletes a single session (logout / fixation rotation).
Revoke(ctx context.Context, id string) error
// RevokeAllForUser deletes every session for a user ("log out everywhere").
RevokeAllForUser(ctx context.Context, tenantID, email string) error
}
SessionStore is the revocable, server-side session backend (DB or Redis). The host application implements it; authkit generates the opaque IDs and enforces the idle/absolute timeouts.
Get is called before the tenant is known (it resolves the session by its unguessable ID), so implementations MUST be able to read by ID without a tenant scope. Create/Touch/Revoke/RevokeAllForUser are always called with the session's tenant already on the context.
type SigningKey ¶ added in v1.0.3
type SigningKey struct {
KID string
Private ed25519.PrivateKey
}
SigningKey is one Ed25519 key in the rotation ring. The current key (the first in Config.SigningKeys) signs new access tokens; all keys verify, so a key can be retired without invalidating tokens it already signed.
func NewSigningKey ¶ added in v1.0.3
func NewSigningKey(kid string, seed []byte) (SigningKey, error)
NewSigningKey builds a SigningKey from a 32-byte Ed25519 seed.
type TOTPManager ¶ added in v1.0.3
type TOTPManager interface {
// Disable removes the user's TOTP secret and all recovery codes (turning 2FA
// off). Idempotent: a no-op when none is stored.
Disable(ctx context.Context, tenantID, email string) error
// ReplaceRecoveryCodes deletes the user's existing recovery codes and stores
// the given hashed set, without touching the confirmed TOTP secret.
ReplaceRecoveryCodes(ctx context.Context, tenantID, email string, recoveryCodeHashes []string) error
}
TOTPManager is an OPTIONAL extension of TOTPStore for self-service 2FA management (disable, regenerate recovery codes). authkit type-asserts the configured TOTPStore to this — a store that does not implement it simply makes those endpoints return 501, leaving the base enroll/verify flow intact. Kept separate from TOTPStore so adding management never breaks existing implementers (e.g. the platform-admin store, whose 2FA is mandatory).
type TOTPStore ¶ added in v1.0.3
type TOTPStore interface {
// Enroll stores (or replaces) the user's TOTP secret and the hashed recovery
// codes as PENDING — provisioned but NOT yet confirmed. The user is not
// considered to have working 2FA until they prove possession of the
// authenticator with a valid code (see Confirm). This two-phase model is what
// lets a user who abandons enrollment (got the QR, never added it) be sent
// back to enroll on the next login instead of being locked at the verify step.
Enroll(ctx context.Context, tenantID, email, secret string, recoveryCodeHashes []string) error
// Confirm marks a pending secret confirmed (activated). Called once, on the
// user's first successful verification. MUST be idempotent: a no-op when the
// secret is already confirmed or absent.
Confirm(ctx context.Context, tenantID, email string) error
// Secret returns the user's TOTP secret (empty when none is stored) and whether
// it has been CONFIRMED. A non-empty secret with confirmed=false is a pending
// enrollment: it can be validated (to confirm it) but does not by itself mean
// the user has set up 2FA.
Secret(ctx context.Context, tenantID, email string) (secret string, confirmed bool, err error)
// ConsumeRecovery atomically marks a recovery code used (single-use) and
// reports whether it matched an unused code.
ConsumeRecovery(ctx context.Context, tenantID, email, codeHash string) (bool, error)
}
TOTPStore persists a user's TOTP secret and recovery codes. The host implementation is responsible for encrypting the secret at rest; authkit passes/receives the plaintext secret at this boundary. All methods are called with the user's tenant already on the context (TOTP access is tenant-scoped).
type TrustedDeviceStore ¶ added in v1.0.3
type TrustedDeviceStore interface {
// Trust records a trusted device for (tenant, email) and returns the opaque
// cookie token. ttl bounds its lifetime.
Trust(ctx context.Context, tenantID, email string, ttl time.Duration) (token string, err error)
// IsTrusted reports whether token is a live trusted device for (tenant, email).
IsTrusted(ctx context.Context, tenantID, email, token string) (bool, error)
// RevokeAllForUser drops every trusted device for a user.
RevokeAllForUser(ctx context.Context, tenantID, email string) error
}
TrustedDeviceStore persists "remember this device" tokens so a user whose role requires 2FA can skip the TOTP step on a device they previously trusted. The token is opaque and server-side, so it is revocable: "log out everywhere", a password change/reset, and disabling 2FA all drop a user's trusted devices. Password is still required on every login; only the second factor is skipped. NOT used for platform admins (their 2FA is mandatory). All calls carry the user's tenant on the context.
type User ¶
type User struct {
Email string `json:"email"`
Name string `json:"name"`
AvatarURL string `json:"avatarUrl"`
Provider string `json:"provider"`
Role string `json:"role"`
// TenantID binds the principal to one tenant (the hard security boundary).
// Populated in every credential path: UserStore (password), the OAuth
// callback mapping, and APIKeyValidator. Used to set the per-transaction
// RLS GUC and to key tenant-scoped permission resolution.
TenantID string `json:"tenantId"`
// BranchID is an optional authorization scope within a tenant (not an RLS
// boundary). Carried into queries as a row filter, never as a permission.
BranchID string `json:"branchId,omitempty"`
// contains filtered or unexported fields
}
User represents an authenticated user resolved from an OAuth session. It is injected into every request context after successful authentication.
func UserFromCtx ¶
UserFromCtx returns the authenticated User stored in ctx, or nil if the request has not passed through RequireAuth middleware.
type UserRoleStore ¶ added in v0.0.4
type UserRoleStore interface {
// GetOverride returns the role and permissions for email if a UI-managed
// override exists. Return found=false when no override has been set for
// this user — authkit will fall back to the YAML baseline.
// The email argument is always lower-cased and trimmed before being passed.
GetOverride(ctx context.Context, email string) (role string, permissions []string, found bool, err error)
// SetOverride creates or replaces the role override for a user.
// Prefer calling LayeredPolicyProvider.SetOverride instead — it validates
// the role name and permission strings before writing to the store.
SetOverride(ctx context.Context, email, role string, permissions []string) error
// DeleteOverride removes the override for email, reverting that user to
// whatever the YAML baseline assigns them.
DeleteOverride(ctx context.Context, email string) error
}
UserRoleStore persists per-user role overrides to a database. Implement this interface against your preferred database (Postgres, SQLite, etc.) and pass it to NewLayeredProvider.
Only users whose roles have been changed via your UI need a row in the store. Everyone else falls through to the YAML baseline automatically.
type UserStore ¶
type UserStore interface {
// CreateUser persists a new user with the given email and bcrypt-hashed
// password. Implementations MUST return ErrUserExists if the email is
// already taken.
CreateUser(ctx context.Context, email, name, hashedPassword string) error
// GetUserByEmail retrieves a user by email. Returns ErrUserNotFound if
// no user matches.
GetUserByEmail(ctx context.Context, email string) (*PasswordUser, error)
// UpdatePassword sets the bcrypt-hashed password for the user with this
// (global) email. Called by the password-reset flow after a valid token is
// consumed. ctx carries the user's tenant, so a tenant-scoped store can run
// the update under RLS.
UpdatePassword(ctx context.Context, email, hashedPassword string) error
}
UserStore is the interface consumers implement to provide user persistence for password-based authentication. authkit is storage-agnostic — the consumer chooses the backing store (PostgreSQL, SQLite, in-memory, etc.).