type Broker ¶
// Broker performs the two operations that talk to the upstream OAuth provider:
// refreshing an existing token set and exchanging an authorization code.
// Manager treats a nil Broker as "cache-only": it can serve and invalidate
// stored tokens but cannot obtain new ones.
type Broker interface {
	// Refresh uses a refresh token to obtain new access/ID tokens.
	// refreshToken is a long-lived bearer credential; implementations should
	// keep it out of logs and out of the text of returned errors.
	Refresh(ctx context.Context, key Key, refreshToken string) (*scyauth.Token, error)
	// Exchange converts an authorization code to tokens (for OOB/scheduled flows).
	// key identifies the user+provider the resulting tokens belong to.
	Exchange(ctx context.Context, key Key, code string) (*scyauth.Token, error)
}
Broker handles token refresh and exchange operations. When the Manager's Broker is nil, the manager operates in cache-only mode (stored tokens are served and invalidated, but no refresh or exchange is attempted).
type InstanceID ¶
// InstanceID names one running process (hostname:pid:uuid). The value is used
// as the lease owner in distributed refresh coordination, so two live
// processes must never share one; the UUID suffix guards against
// hostname+PID reuse after container recycling. The empty string is the
// explicit "distributed mode disabled" sentinel accepted by WithInstanceID.
type InstanceID string
InstanceID uniquely identifies a running process instance (hostname:pid:uuid). The UUID suffix handles container recycling where hostname+PID may be reused.
func NewInstanceID ¶
func NewInstanceID() InstanceID
NewInstanceID creates a new InstanceID for the current process.
type Key ¶
// Key identifies a token set for a user+provider pair. It consists only of
// comparable fields, so it can be used directly as a map key; two Keys are
// equal when both Subject and Provider match exactly (case-sensitive).
type Key struct {
	Subject  string // user identifier (from EffectiveUserID)
	Provider string // oauth provider name (e.g. "google", "default")
}
Key identifies a token set for a user+provider pair.
type Manager ¶
// Manager is the default in-process Provider implementation. It keeps an
// in-memory token cache in front of an optional persistent TokenStore and
// delegates refresh/exchange to an optional Broker. Construct it with
// NewManager and configure it through ManagerOption values; the zero value
// is not documented as usable.
type Manager struct {
	// contains filtered or unexported fields
}
Manager is the default in-process Provider implementation. It layers an in-memory cache over an optional persistent TokenStore and uses an optional Broker for refresh/exchange.
func NewManager ¶
func NewManager(opts ...ManagerOption) *Manager
NewManager creates a new token Manager. When a TokenStore is provided and no explicit InstanceID is set, distributed refresh coordination is automatically enabled with an auto-generated InstanceID. To explicitly disable distributed mode, use WithInstanceID("").
func (*Manager) EnsureTokens ¶
EnsureTokens checks if tokens in context are fresh; if not, refreshes from cache or via Broker, and returns updated context.
func (*Manager) Invalidate ¶
Invalidate removes cached tokens for a key.
type ManagerOption ¶
// ManagerOption configures a Manager. Options are applied by NewManager in the
// order given; see WithBroker, WithInstanceID, WithLeaseTTL, WithMinTTL and
// WithTokenStore for the available settings.
type ManagerOption func(*Manager)
ManagerOption configures a Manager.
func WithBroker ¶
func WithBroker(b Broker) ManagerOption
WithBroker sets the token broker for refresh/exchange.
func WithInstanceID ¶
func WithInstanceID(id InstanceID) ManagerOption
WithInstanceID sets the instance identity for distributed refresh coordination. Pass a non-empty InstanceID to enable it, or "" to explicitly disable the automatic InstanceID generation that NewManager otherwise performs when a TokenStore is configured.
func WithLeaseTTL ¶
func WithLeaseTTL(d time.Duration) ManagerOption
WithLeaseTTL sets the distributed refresh lease duration (default 30s).
func WithMinTTL ¶
func WithMinTTL(d time.Duration) ManagerOption
WithMinTTL sets the minimum remaining TTL before a refresh is triggered.
func WithTokenStore ¶
func WithTokenStore(s TokenStore) ManagerOption
WithTokenStore sets the persistent token store.
type OAuthToken ¶
// OAuthToken is the persisted token set for a user/provider pair; it is the
// record type read and written through TokenStore. It mirrors
// service/auth.OAuthToken to avoid import cycles, so the two must be kept in
// step when fields change.
type OAuthToken struct {
	Username string // user identifier; together with Provider forms the store key
	Provider string // oauth provider name
	// AccessToken, IDToken and RefreshToken are bearer credentials. TokenStore
	// is documented as encrypted persistence; anything else that holds or
	// logs this struct should treat these three fields as secrets.
	AccessToken  string
	IDToken      string
	RefreshToken string
	ExpiresAt    time.Time // expiry of the access token; compared against WithMinTTL to decide when to refresh
}
OAuthToken represents a stored OAuth token set for a user/provider pair. This mirrors service/auth.OAuthToken to avoid import cycles.
type Provider ¶
// Provider supplies fresh tokens for a user+provider pair. Manager is the
// default implementation; the interface exists so callers (e.g. auth
// middleware) depend only on these three operations.
type Provider interface {
	// EnsureTokens checks if tokens in context are fresh; if not, refreshes
	// from cache or via Broker, and returns updated context. The returned
	// context, not the input, carries the current tokens.
	EnsureTokens(ctx context.Context, key Key) (context.Context, error)
	// Store persists tokens for later retrieval (called by auth middleware on login/callback).
	Store(ctx context.Context, key Key, tok *scyauth.Token) error
	// Invalidate removes cached tokens for a key (called on logout). Whether
	// persisted tokens in the TokenStore are removed as well is not stated
	// here — confirm against the Manager implementation.
	Invalidate(ctx context.Context, key Key) error
}
Provider supplies fresh tokens for a user+provider pair.
type SecurityData ¶
// SecurityData is the JSON-serializable auth state saved to run.SecurityContext
// and read back by RestoreSecurityContext. The serialized form carries the raw
// access, ID and refresh tokens, so wherever the SecurityContext string is
// stored or transported it must be protected as a secret.
type SecurityData struct {
	AccessToken  string    `json:"accessToken,omitempty"`
	IDToken      string    `json:"idToken,omitempty"`
	RefreshToken string    `json:"refreshToken,omitempty"`
	// NOTE(review): encoding/json's omitempty has no effect on struct-typed
	// fields such as time.Time, so a zero ExpiresAt is still emitted as
	// "0001-01-01T00:00:00Z" rather than omitted. Readers should not rely on
	// the key's absence to detect a missing expiry.
	ExpiresAt    time.Time `json:"expiresAt,omitempty"`
	Subject      string    `json:"subject,omitempty"`  // maps to Key.Subject
	Provider     string    `json:"provider,omitempty"` // maps to Key.Provider
}
SecurityData is the JSON-serializable auth state saved to run.SecurityContext.
func RestoreSecurityContext ¶
func RestoreSecurityContext(ctx context.Context, data string) (context.Context, *SecurityData, error)
RestoreSecurityContext deserializes auth state from a run.SecurityContext string and injects tokens into the context.
type TokenStore ¶
// TokenStore abstracts encrypted OAuth token persistence and the lease/CAS
// primitives Manager uses to coordinate refreshes across processes. It mirrors
// service/auth.TokenStore to avoid import cycles; implementations from
// service/auth satisfy it.
type TokenStore interface {
	// Get returns the stored token set for (username, provider). The behavior
	// when no token is stored (nil token vs. a sentinel error) is not specified
	// here — confirm against the implementation before relying on it.
	Get(ctx context.Context, username, provider string) (*OAuthToken, error)
	// Put stores or replaces the token set keyed by token.Username/token.Provider
	// without any version check; use CASPut when a concurrent refresh is possible.
	Put(ctx context.Context, token *OAuthToken) error
	// Delete removes the token set for (username, provider).
	Delete(ctx context.Context, username, provider string) error
	// TryAcquireRefreshLease atomically attempts to acquire a distributed lease
	// for refreshing the token identified by (username, provider). Returns the
	// current version and whether the lease was acquired. owner identifies the
	// would-be lease holder (presumably the Manager's InstanceID — confirm);
	// ttl bounds how long the lease survives if the holder dies without
	// releasing it (see WithLeaseTTL).
	TryAcquireRefreshLease(ctx context.Context, username, provider, owner string, ttl time.Duration) (version int64, acquired bool, err error)
	// ReleaseRefreshLease releases a previously acquired lease (e.g. on failure).
	// Only the owner that acquired the lease should release it.
	ReleaseRefreshLease(ctx context.Context, username, provider, owner string) error
	// CASPut atomically updates the token only if the current version matches
	// expectedVersion and the lease is held by owner. Returns whether the swap
	// succeeded; swapped == false with a nil error means another writer won
	// and the caller should re-read rather than retry blindly.
	CASPut(ctx context.Context, token *OAuthToken, expectedVersion int64, owner string) (swapped bool, err error)
}
TokenStore abstracts encrypted OAuth token persistence. This mirrors service/auth.TokenStore to avoid import cycles. Implementations from service/auth satisfy this interface.