postgres

package
v1.101.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 11, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package postgres provides PostgreSQL storage for OAuth 2.1 data.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store implements oauth.Storage using PostgreSQL.

func New

func New(db *sql.DB) *Store

New creates a new PostgreSQL OAuth store.

func (*Store) CleanupExpiredCodes

func (s *Store) CleanupExpiredCodes(ctx context.Context) error

CleanupExpiredCodes removes expired authorization codes.

func (*Store) CleanupExpiredStates added in v1.96.0

func (s *Store) CleanupExpiredStates(ctx context.Context, maxAge time.Duration) error

CleanupExpiredStates removes states older than maxAge.

func (*Store) CleanupExpiredTokens

func (s *Store) CleanupExpiredTokens(ctx context.Context) error

CleanupExpiredTokens removes expired refresh tokens.

func (*Store) CleanupUnusedDCRClients added in v1.101.0

func (s *Store) CleanupUnusedDCRClients(ctx context.Context, ttl time.Duration) error

CleanupUnusedDCRClients hard-deletes dynamically-registered (DCR) clients created more than ttl ago that never completed a token exchange. Eligibility is last_used_at IS NULL (set on first issuance by SaveRefreshToken), which is race-free: a client that completed an authorization-code flow is retained for good, even during the brief tokenless window of refresh-token rotation or after its refresh token later expires. Pre-registered (config-file) clients have dcr = false and are never eligible, so this only reaps the unauthenticated /register endpoint's abandoned registrations.

func (*Store) Close added in v0.15.1

func (s *Store) Close() error

Close stops the cleanup routine and releases resources.

func (*Store) ConsumeAuthorizationCode added in v1.96.0

func (s *Store) ConsumeAuthorizationCode(ctx context.Context, code string) (*oauth.AuthorizationCode, error)

ConsumeAuthorizationCode atomically deletes and returns an authorization code in a single statement, so retrieval and single-use invalidation cannot diverge. Returns oauth.ErrNotFound when the code does not exist, so the grant handler can distinguish replay from a storage outage.

func (*Store) ConsumeRefreshToken added in v1.96.0

func (s *Store) ConsumeRefreshToken(ctx context.Context, token string) (*oauth.RefreshToken, error)

ConsumeRefreshToken atomically deletes and returns a refresh token in a single statement, backing rotation: the old token is provably invalid before new tokens are issued. Returns oauth.ErrNotFound when the token does not exist, so the grant handler can distinguish an invalid token from a storage outage.

func (*Store) CreateClient

func (s *Store) CreateClient(ctx context.Context, client *oauth.Client) error

CreateClient stores a new OAuth client.

func (*Store) DeleteAuthorizationCode

func (s *Store) DeleteAuthorizationCode(ctx context.Context, code string) error

DeleteAuthorizationCode deletes an authorization code by its raw value.

func (*Store) DeleteClient

func (s *Store) DeleteClient(ctx context.Context, clientID string) error

DeleteClient marks a client as inactive.

func (*Store) DeleteRefreshToken

func (s *Store) DeleteRefreshToken(ctx context.Context, token string) error

DeleteRefreshToken deletes a refresh token by its raw value.

func (*Store) DeleteRefreshTokensForClient

func (s *Store) DeleteRefreshTokensForClient(ctx context.Context, clientID string) error

DeleteRefreshTokensForClient deletes all refresh tokens for a client.

func (*Store) DeleteState added in v1.96.0

func (s *Store) DeleteState(ctx context.Context, key string) error

DeleteState removes an authorization state.

func (*Store) GetAuthorizationCode

func (s *Store) GetAuthorizationCode(ctx context.Context, code string) (*oauth.AuthorizationCode, error)

GetAuthorizationCode retrieves an authorization code by its raw value; the comparison is against the stored SHA-256 digest.

func (*Store) GetClient

func (s *Store) GetClient(ctx context.Context, clientID string) (*oauth.Client, error)

GetClient retrieves a client by client_id.

func (*Store) GetRefreshToken

func (s *Store) GetRefreshToken(ctx context.Context, token string) (*oauth.RefreshToken, error)

GetRefreshToken retrieves a refresh token by its raw value; the comparison is against the stored SHA-256 digest.

func (*Store) GetState added in v1.96.0

func (s *Store) GetState(ctx context.Context, key string) (*oauth.AuthorizationState, error)

GetState retrieves an authorization state.

func (*Store) ListClients

func (s *Store) ListClients(ctx context.Context) (_ []*oauth.Client, retErr error)

ListClients returns all active clients.

func (*Store) SaveAuthorizationCode

func (s *Store) SaveAuthorizationCode(ctx context.Context, code *oauth.AuthorizationCode) error

SaveAuthorizationCode stores an authorization code. Only the SHA-256 digest of the code value is persisted (oauth.HashToken), so a database read never yields a usable credential.

func (*Store) SaveRefreshToken

func (s *Store) SaveRefreshToken(ctx context.Context, token *oauth.RefreshToken) error

SaveRefreshToken stores a refresh token. Only the SHA-256 digest of the token value is persisted (oauth.HashToken), so a database read never yields a usable credential.

func (*Store) SaveState added in v1.96.0

func (s *Store) SaveState(ctx context.Context, key string, state *oauth.AuthorizationState) error

SaveState stores an authorization state, replacing any existing state under the same key (the prompt=none retry path re-saves the state with PromptNoneAttempted set).

func (*Store) StartCleanupRoutine added in v0.15.1

func (s *Store) StartCleanupRoutine(interval, dcrTTL time.Duration)

StartCleanupRoutine starts a background goroutine that periodically cleans up expired authorization codes, refresh tokens, and authorization states, and (when dcrTTL > 0) reaps unused dynamically-registered clients older than dcrTTL.

func (*Store) UpdateClient

func (s *Store) UpdateClient(ctx context.Context, client *oauth.Client) error

UpdateClient updates an existing client.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL