Documentation
Overview ¶
Package jwt provides HS256 JWT generation and validation, and bcrypt password comparison, reading the signing secret and the token expiry settings from config.
Role in architecture:
- Infrastructure: used by auth middleware and handlers; reads config.Server.Secret and expiry settings.
Responsibilities:
- Init: load secret and expiry from config; panic if missing.
- GenerateToken, GenerateTokenWithExpiry, GenerateRefreshToken: issue signed tokens carrying Claims.UUID.
- GenerateImpersonationToken: issue a short-lived token in which an administrator acts as another user, keeping the admin identity in the impersonation claims.
- ValidateToken: parse and verify; return Claims or error.
- ComparePassword: bcrypt comparison.
- GetCurrentUserUUID: read user_id from Gin context (string or uuid.UUID) and return uuid.UUID.
Constraints:
- Single secret and expiry from config; no key rotation or multi-tenant secrets in this package.
- Signing method is HS256 only.
This package must NOT:
- Contain use-case logic; only token and password operations.
Index ¶
- func ComparePassword(hashedPassword, plainPassword string) bool
- func GenerateImpersonationToken(adminID uuid.UUID, adminRole string, targetUserID uuid.UUID, ...) (string, error)
- func GenerateRefreshToken(id uuid.UUID) (string, error)
- func GenerateToken(id uuid.UUID) (string, error)
- func GenerateTokenWithExpiry(id uuid.UUID, expiry time.Duration) (string, error)
- func GetAccessTokenExpiry() time.Duration
- func GetCurrentUserUUID(ctx *gin.Context) (uuid.UUID, bool)
- func GetSecret() string
- func Init()
- type Claims
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ComparePassword ¶
ComparePassword returns true if plainPassword matches the bcrypt hash hashedPassword.
func GenerateImpersonationToken ¶ added in v0.3.5
func GenerateImpersonationToken(adminID uuid.UUID, adminRole string, targetUserID uuid.UUID, requestedTTL time.Duration) (string, error)
GenerateImpersonationToken issues a signed JWT representing an administrator temporarily impersonating another user. The active user context (sub/UUID) is the impersonated user. The original admin identity is preserved in ImpersonatorID / ImpersonatorRole / OriginalSub and IsImpersonating is true.
The requestedTTL is clamped to a safe maximum of 30 minutes: a longer request is reduced to 30 minutes, and a zero or negative request is treated as 30 minutes, so a caller can never obtain a longer impersonation window.
func GenerateRefreshToken ¶
GenerateRefreshToken issues a signed JWT with the given UUID and refresh token expiry from config.
func GenerateToken ¶
GenerateToken issues a signed JWT with the given UUID and default access token expiry.
func GenerateTokenWithExpiry ¶
GenerateTokenWithExpiry issues a signed JWT with the given UUID and custom expiry duration.
func GetAccessTokenExpiry ¶
GetAccessTokenExpiry returns the access token expiry duration loaded from config.
func GetCurrentUserUUID ¶ added in v0.3.1
GetCurrentUserUUID reads "user_id" from the Gin context (set by auth middleware). Supports string or uuid.UUID; returns (uuid.Nil, false) if missing or invalid.
Types ¶
type Claims ¶
type Claims struct {
    UUID string `json:"uuid"`
    jwt.RegisteredClaims
    ImpersonatorID   string `json:"impersonator_id,omitempty"`
    ImpersonatorRole string `json:"impersonator_role,omitempty"`
    IsImpersonating  bool   `json:"is_impersonating,omitempty"`
    OriginalSub      string `json:"original_sub,omitempty"`
}
Claims is the JWT payload. It embeds jwt.RegisteredClaims (iss, sub, aud, exp, nbf, iat, jti) and adds:
- UUID: active user context (matches sub for new tokens)
- ImpersonatorID / ImpersonatorRole: admin identity when impersonating
- IsImpersonating: true when this token was issued for impersonation
- OriginalSub: original login identity (admin) when impersonating
For non-impersonation tokens, only UUID and RegisteredClaims are populated; the impersonation fields are zero-valued and, because of omitempty, absent from the encoded payload, so existing tokens and consumers are unaffected.
func ValidateToken ¶
ValidateToken parses the token string, verifies the HS256 signature against the configured secret, checks expiry, and returns the Claims or an error. Callers must treat any error as rejection and must not read claims from a token that failed validation.
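The following is an added, self-contained example and not this package's code. It reimplements, with only the Go standard library, the three behaviours the docs above describe for GenerateImpersonationToken, Claims and ValidateToken: the 30-minute TTL clamp, the claim layout for an impersonation token versus a plain one, and a validator that pins the algorithm to HS256, compares the HMAC in constant time and then checks exp. Assumptions made for the sake of a stand-alone run: the Claims stand-in carries sub and exp as plain fields instead of the embedded jwt.RegisteredClaims, IDs are strings rather than uuid.UUID, the secret is passed in rather than read from config, and the function names are lower-cased local versions of the package's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a constructed stand-in for the package's struct (sub/exp as plain fields, string IDs).
type Claims struct {
	UUID             string `json:"uuid"`
	Sub              string `json:"sub,omitempty"`
	Exp              int64  `json:"exp"`
	ImpersonatorID   string `json:"impersonator_id,omitempty"`
	ImpersonatorRole string `json:"impersonator_role,omitempty"`
	IsImpersonating  bool   `json:"is_impersonating,omitempty"`
	OriginalSub      string `json:"original_sub,omitempty"`
}

const maxImpersonationTTL = 30 * time.Minute // the ceiling the docs describe
var (
	b64          = base64.RawURLEncoding // JWT uses unpadded base64url
	ErrMalformed = errors.New("jwt: malformed token")
	ErrBadAlg    = errors.New("jwt: signing method is not HS256")
	ErrBadSig    = errors.New("jwt: signature mismatch")
	ErrExpired   = errors.New("jwt: token expired")
)

// sign builds header.payload.signature with HMAC-SHA256 over the encoded header and payload.
func sign(secret []byte, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// clampTTL is the rule from GenerateImpersonationToken: zero, negative and over-long requests all collapse to the maximum.
func clampTTL(requested time.Duration) time.Duration {
	if requested <= 0 || requested > maxImpersonationTTL {
		return maxImpersonationTTL
	}
	return requested
}

// generateImpersonationToken puts the target in uuid/sub and keeps the admin in the audit fields.
func generateImpersonationToken(secret []byte, adminID, adminRole, targetID string, requested time.Duration, now time.Time) (string, error) {
	return sign(secret, Claims{
		UUID: targetID, Sub: targetID, Exp: now.Add(clampTTL(requested)).Unix(),
		ImpersonatorID: adminID, ImpersonatorRole: adminRole, IsImpersonating: true, OriginalSub: adminID,
	})
}

// validateToken pins the algorithm, compares the HMAC in constant time, then checks exp.
func validateToken(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	headerJSON, err1 := b64.DecodeString(parts[0])
	payloadJSON, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, ErrMalformed
	}
	// Pin the algorithm before looking at the signature: an HS256-only verifier must refuse "none" and asymmetric algs.
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(headerJSON, &header) != nil || header.Alg != "HS256" {
		return nil, ErrBadAlg
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrBadSig
	}
	var c Claims
	if json.Unmarshal(payloadJSON, &c) != nil {
		return nil, ErrMalformed
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	secret, now := []byte("constructed-demo-secret-do-not-reuse"), time.Now() // constructed; the package reads config
	tok, _ := generateImpersonationToken(secret, "admin-1", "admin", "user-7", 2*time.Hour, now)
	_, err := validateToken(secret, tok, now.Add(31*time.Minute))
	fmt.Println(err) // jwt: token expired, because the 2h request was clamped to 30m
}
```

The order of checks in validateToken is the point worth copying: the algorithm is fixed to HS256 before any signature work, so a token whose header says alg "none" (or an RS256 token aimed at an HMAC verifier) is refused outright, and only a signature that matches the configured secret is ever allowed to reach the exp check. A plain token signed the same way without the impersonation fields decodes with IsImpersonating false and empty ImpersonatorID/OriginalSub, which is the backward-compatibility property the Claims docs describe.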