Documentation
Index
- Variables
- type Grant
- type MemoryStore
- func (s *MemoryStore) Get(_ context.Context, id string) (*Grant, error)
- func (s *MemoryStore) Put(_ context.Context, g *Grant) error
- func (s *MemoryStore) Revoke(_ context.Context, id string) error
- func (s *MemoryStore) RevokeFamily(_ context.Context, familyID string) error
- func (s *MemoryStore) Rotate(_ context.Context, oldID string, newGrant *Grant) (string, error)
- func (s *MemoryStore) Touch(_ context.Context, id string, at time.Time) error
- type Store
Constants
This section is empty.
Variables
var (
	// ErrNotFound indicates no grant was found for the given id.
	ErrNotFound = errors.New("auth grant not found")
)
Functions
This section is empty.
Types
type Grant
type Grant struct {
	// ID is the opaque identifier stored in the httpOnly cookie.
	ID string
	// FamilyID groups rotated grants for logout-all semantics.
	FamilyID string
	// Subject identifies the authenticated principal (e.g., user id or account id).
	Subject string
	// Scopes or roles associated with this grant (optional).
	Scopes []string
	// CreatedAt is when the grant was issued.
	CreatedAt time.Time
	// LastUsedAt is updated on use (for sliding TTL logic).
	LastUsedAt time.Time
	// ExpiresAt is the idle expiration time (sliding TTL).
	ExpiresAt time.Time
	// MaxExpiresAt is the absolute expiration cap.
	MaxExpiresAt time.Time
	// Device binding hints (optional; tolerant matching recommended).
	UAHash string
	IPHint string
	// Arbitrary metadata to support implementers (optional).
	Meta map[string]string
}
Grant represents a durable BFF authentication grant held server-side. It is referenced by an opaque cookie id (e.g., BFF-Auth-Session) and used to rehydrate user authentication without exposing tokens to the client.
type MemoryStore
type MemoryStore struct {
	// contains filtered or unexported fields
}
MemoryStore is an in-memory AuthStore for development and tests. It supports sliding idle TTL and absolute max TTL semantics.
func NewMemoryStore
func NewMemoryStore(idleTTL, maxTTL, rotateGrace time.Duration) *MemoryStore
NewMemoryStore creates a MemoryStore with given TTL settings.
func (*MemoryStore) RevokeFamily
func (s *MemoryStore) RevokeFamily(_ context.Context, familyID string) error
type Store
type Store interface {
	// Put inserts or updates a grant. Implementations may enforce TTLs based on grant fields.
	Put(ctx context.Context, g *Grant) error
	// Get retrieves a grant by id. Should return ErrNotFound if missing or expired.
	Get(ctx context.Context, id string) (*Grant, error)
	// Touch updates last-used timestamp and extends idle expiry (sliding TTL) as appropriate.
	Touch(ctx context.Context, id string, at time.Time) error
	// Rotate atomically replaces an existing grant id with a new one.
	// Returns the new id; implementations may keep the old id valid for a short grace window.
	Rotate(ctx context.Context, oldID string, newGrant *Grant) (string, error)
	// Revoke deletes a specific grant id immediately.
	Revoke(ctx context.Context, id string) error
	// RevokeFamily deletes all grants in the same family (logout-all across devices/tabs).
	RevokeFamily(ctx context.Context, familyID string) error
}
Store defines the contract for a durable BFF authentication grant store. Implementations should be safe for concurrent use and resilient across restarts. A Redis-based implementation is recommended for production deployments.
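The Store contract and the Grant deadline fields (sliding ExpiresAt, absolute MaxExpiresAt, the grace window on Rotate and family-wide revocation) are easiest to see in a concrete implementation. The following is an added example written for this page, not the package's own MemoryStore: a hypothetical in-memory Store (the names demoStore, newDemoStore and expired are chosen here) with an injected clock so the TTL edge cases can be driven deterministically. It redeclares ErrNotFound and a reduced Grant locally so that it compiles on its own, and leaves out the single-id Revoke (the same delete without the family filter) and the device-hint and Meta fields.

```go
package main

import (
	"context"
	"errors"
	"sync"
	"time"
)

var ErrNotFound = errors.New("auth grant not found") // mirrors the package's sentinel

type Grant struct { // restates the documented fields used here; other timestamps, device hints and Meta omitted
	ID, FamilyID, Subject string
	ExpiresAt             time.Time // idle (sliding) deadline
	MaxExpiresAt          time.Time // absolute cap; never extended
}

// demoStore is a hypothetical in-memory Store written for this example (not the package's MemoryStore); the clock is injected so TTL edge cases run deterministically.
type demoStore struct {
	mu                           sync.Mutex
	grants                       map[string]*Grant
	idleTTL, maxTTL, rotateGrace time.Duration
	now                          func() time.Time
}

func newDemoStore(idleTTL, maxTTL, grace time.Duration, now func() time.Time) *demoStore {
	return &demoStore{grants: map[string]*Grant{}, idleTTL: idleTTL, maxTTL: maxTTL, rotateGrace: grace, now: now}
}

// expired: a grant is dead once either the idle deadline or the absolute cap has been reached.
func expired(g *Grant, at time.Time) bool {
	return !at.Before(g.ExpiresAt) || !at.Before(g.MaxExpiresAt)
}

// Put stamps both deadlines from the store's TTL policy at issue time.
func (s *demoStore) Put(_ context.Context, g *Grant) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	g.ExpiresAt, g.MaxExpiresAt = now.Add(s.idleTTL), now.Add(s.maxTTL)
	s.grants[g.ID] = g
	return nil
}

// Get treats an expired grant like a missing one and purges it: a stale cookie id never rehydrates a session.
func (s *demoStore) Get(_ context.Context, id string) (*Grant, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	g, ok := s.grants[id]
	if !ok || expired(g, s.now()) {
		delete(s.grants, id)
		return nil, ErrNotFound
	}
	cp := *g // hand out a copy so callers cannot mutate store state
	return &cp, nil
}

// Touch slides the idle deadline forward but clamps it to MaxExpiresAt.
func (s *demoStore) Touch(_ context.Context, id string, at time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	g, ok := s.grants[id]
	if !ok || expired(g, at) {
		return ErrNotFound
	}
	if g.ExpiresAt = at.Add(s.idleTTL); g.ExpiresAt.After(g.MaxExpiresAt) {
		g.ExpiresAt = g.MaxExpiresAt
	}
	return nil
}

// Rotate issues newGrant in the old grant's family and carries the absolute cap forward (rotation never extends
// the hard lifetime); the old id is cut to the grace window rather than deleted, so a request that raced it still succeeds.
func (s *demoStore) Rotate(_ context.Context, oldID string, newGrant *Grant) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	old, now := s.grants[oldID], s.now()
	if old == nil || expired(old, now) {
		return "", ErrNotFound
	}
	newGrant.FamilyID, newGrant.Subject, newGrant.ExpiresAt, newGrant.MaxExpiresAt = old.FamilyID, old.Subject, now.Add(s.idleTTL), old.MaxExpiresAt
	if grace := now.Add(s.rotateGrace); grace.Before(old.ExpiresAt) {
		old.ExpiresAt = grace
	}
	s.grants[newGrant.ID] = newGrant
	return newGrant.ID, nil
}

// RevokeFamily is logout-all: every grant sharing the family id is dropped at once (Revoke is the same delete for one id).
func (s *demoStore) RevokeFamily(_ context.Context, familyID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	for id, g := range s.grants {
		if g.FamilyID == familyID {
			delete(s.grants, id)
		}
	}
	return nil
}
```

The check in expired is the part worth preserving in a durable implementation such as the Redis store the page recommends: if only the idle deadline were consulted, repeated Touch calls could extend a session without bound, and if Rotate minted a fresh MaxExpiresAt instead of carrying the old one forward, rotation would do the same.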