Documentation
¶
Overview ¶
Package session wraps alexedwards/scs/v2 with a kv.Store-backed session store and the small amount of glue that turns scs payloads into our app/actor.Actor.
Why scs? Mature, well-tested session manager that handles cookie attributes, ID generation, rotation, and expiry correctly. We supply the storage backend (kv.Store, the same abstraction used by rate-limits and the key-pool) and the typed payload schema.
What's NOT in scope: authentication (password verification — see internal/identity.Verify) or authorization (see app/authz). This package only manages "is there a valid session, and what's in it."
Index ¶
- type Manager
- func (m *Manager) Login(ctx context.Context, userID, username string, roles ...string) error
- func (m *Manager) LoginOIDC(ctx context.Context, userID, username, oidcSubject, idpSessionID string, ...) error
- func (m *Manager) Logout(ctx context.Context) error
- func (m *Manager) Middleware(h http.Handler) http.Handler
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager is the session layer. Construct via New(); attach the chi middleware via Middleware(); use Login/Logout/Actor in handlers.
func New ¶
New constructs a Manager backed by store. Cookies use the supplied attributes; secure=true is recommended in any deployment running behind HTTPS (which is everything except local dev).
keyPrefix is prepended to every kv key the manager writes — pick a namespace like "sess:" so it doesn't collide with rate-limits or key-pool state.
func (*Manager) Login ¶
Login records userID/username (and any roles) into the current session, rotating the session ID to prevent session fixation. Call after credential validation.
func (*Manager) LoginOIDC ¶ added in v0.9.9
func (m *Manager) LoginOIDC(ctx context.Context, userID, username, oidcSubject, idpSessionID string, roles ...string) error
LoginOIDC is Login for the OIDC path: it additionally records the IdP subject ("issuer|sub") and IdP session id (the id_token sid claim) on the session — the lookup keys a back-channel-logout receiver needs to find and destroy the relay sessions minted from a given IdP session.
func (*Manager) Middleware ¶
Middleware wraps h with scs's LoadAndSave middleware (reads cookie, loads session from kv, persists changes on response). It also reads the session payload after load and stamps an Actor onto the request context so handlers can call actor.From(ctx) directly.