contexts

package
v0.0.15 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Feb 11, 2026 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Index

Constants

const (
	// Keys under which the request-scoped tenant and user IDs are stored in a
	// context.Context. They are typed as contextKey (an unexported named
	// type declared outside this listing), so they cannot collide with plain
	// string keys that other packages put into the same context.
	//
	// NOTE(review): the constants are exported, so code outside this package
	// can also write these values directly with context.WithValue. The IDs
	// read back are only as trustworthy as whatever populated the context;
	// confirm that only the authentication middleware sets them.

	// AppContextKey is the context key for the current app ID (platform tenant).
	AppContextKey contextKey = "app_id"

	// EnvironmentContextKey is the context key for the current environment ID.
	EnvironmentContextKey contextKey = "environment_id"

	// OrganizationContextKey is the context key for the current organization ID (end-user workspace).
	OrganizationContextKey contextKey = "organization_id"

	// UserContextKey is the context key for the current authenticated user ID.
	UserContextKey contextKey = "user_id"
)

Variables

// Sentinel errors for missing context values and for failed authentication
// or authorization checks. Each is created with errors.New, so callers should
// match them with errors.Is rather than by comparing message text.
//
// The messages are fixed strings that carry no request data, so they do not
// echo IDs, scopes or permission names back to a caller.
//
// NOTE(review): the first six describe a missing identity or credential, the
// last two a credential that is present but lacks a grant. Presumably the
// transport layer maps these to different responses (e.g. unauthenticated vs
// forbidden); confirm against the handlers, which are not shown here.
var (
	// ErrAppContextRequired is returned when app context is required but not found.
	ErrAppContextRequired = errors.New("app context is required")

	// ErrEnvironmentContextRequired is returned when environment context is required but not found.
	ErrEnvironmentContextRequired = errors.New("environment context is required")

	// ErrOrganizationContextRequired is returned when organization context is required but not found.
	ErrOrganizationContextRequired = errors.New("organization context is required")

	// ErrUserContextRequired is returned when user context is required but not found.
	ErrUserContextRequired = errors.New("user context is required")

	// ErrAuthContextRequired is returned when auth context is required but not found.
	ErrAuthContextRequired = errors.New("authentication context is required")

	// ErrUserAuthRequired is returned when user authentication is required.
	ErrUserAuthRequired = errors.New("user authentication is required")

	// ErrAPIKeyRequired is returned when API key authentication is required.
	ErrAPIKeyRequired = errors.New("API key authentication is required")

	// ErrInsufficientScope is returned when API key lacks required scope.
	ErrInsufficientScope = errors.New("insufficient API key scope")

	// ErrInsufficientPermission is returned when lacking required RBAC permission.
	ErrInsufficientPermission = errors.New("insufficient permission")
)

Context-related errors.

Functions

func GetAPIKey

func GetAPIKey(ctx context.Context) *base.APIKey

GetAPIKey safely retrieves the API key from context (returns nil if not present).

func GetAppID

func GetAppID(ctx context.Context) (xid.ID, bool)

GetAppID retrieves the app ID from context. It returns the app ID and true if found, or xid.NilID() and false if not found.

func GetEnvironmentID

func GetEnvironmentID(ctx context.Context) (xid.ID, bool)

GetEnvironmentID retrieves the environment ID from context.

func GetOrganizationID

func GetOrganizationID(ctx context.Context) (xid.ID, bool)

GetOrganizationID retrieves the organization ID from context.

func GetSession

func GetSession(ctx context.Context) *base.Session

GetSession safely retrieves the session from context (returns nil if not present).

func GetUser

func GetUser(ctx context.Context) *base.User

GetUser safely retrieves the user from context (returns nil if not present).

func GetUserID

func GetUserID(ctx context.Context) (xid.ID, bool)

GetUserID retrieves the user ID from context.

func RequireAPIKey

func RequireAPIKey(ctx context.Context) (*base.APIKey, error)

RequireAPIKey ensures an API key is present.

func RequireAppID

func RequireAppID(ctx context.Context) (xid.ID, error)

RequireAppID retrieves the app ID from context or returns an error.

func RequireEnvironmentID

func RequireEnvironmentID(ctx context.Context) (xid.ID, error)

RequireEnvironmentID retrieves the environment ID from context or returns an error.

func RequireOrganizationID

func RequireOrganizationID(ctx context.Context) (xid.ID, error)

RequireOrganizationID retrieves the organization ID from context or returns an error.

func RequireUser

func RequireUser(ctx context.Context) (*base.User, error)

RequireUser ensures a user is authenticated.

func RequireUserID

func RequireUserID(ctx context.Context) (xid.ID, error)

RequireUserID retrieves the user ID from context or returns an error.

func SetAppID

func SetAppID(ctx context.Context, appID xid.ID) context.Context

SetAppID sets the app ID in context.

func SetAuthContext

func SetAuthContext(ctx context.Context, ac *AuthContext) context.Context

SetAuthContext stores the auth context in the request context.

func SetEnvironmentID

func SetEnvironmentID(ctx context.Context, envID xid.ID) context.Context

SetEnvironmentID sets the environment ID in context.

func SetOrganizationID

func SetOrganizationID(ctx context.Context, orgID xid.ID) context.Context

SetOrganizationID sets the organization ID in context.

func SetUserID

func SetUserID(ctx context.Context, userID xid.ID) context.Context

SetUserID sets the user ID in context.

func WithAll

func WithAll(ctx context.Context, appID, envID, orgID, userID xid.ID) context.Context

WithAll sets all context values.

func WithAppAndOrganization

func WithAppAndOrganization(ctx context.Context, appID, orgID xid.ID) context.Context

WithAppAndOrganization sets both app and organization context.

func WithAppAndUser

func WithAppAndUser(ctx context.Context, appID, userID xid.ID) context.Context

WithAppAndUser sets both app and user context.

func WithAppEnvironmentAndOrganization

func WithAppEnvironmentAndOrganization(ctx context.Context, appID, envID, orgID xid.ID) context.Context

WithAppEnvironmentAndOrganization sets app, environment, and organization context.

Types

type AuthContext

// AuthContext is the per-request authentication and authorization state:
// the API key and/or user session that authenticated the request, the
// tenant IDs resolved from them, and the role and permission lists used
// for access checks.
//
// NOTE(review): every field carries a json tag, so marshaling an
// AuthContext emits the API key, session and user objects together with
// the permission lists. base.APIKey and base.Session are declared
// elsewhere; confirm they redact secret material before an AuthContext is
// logged or returned in a response.
type AuthContext struct {
	// Platform/App Authentication (via API key)
	APIKey       *base.APIKey `json:"apiKey,omitempty"`
	APIKeyScopes []string     `json:"apiKeyScopes,omitempty"`

	// End-User Authentication (via session/bearer token)
	Session *base.Session `json:"session,omitempty"`
	User    *base.User    `json:"user,omitempty"`

	// Resolved Context (from either API key or session)
	// OrganizationID is a pointer with omitempty, so it may be nil; AppID and
	// EnvironmentID are plain values and are always serialized.
	AppID          xid.ID  `json:"appID"`
	EnvironmentID  xid.ID  `json:"environmentID"`
	OrganizationID *xid.ID `json:"organizationID,omitempty"`

	// Authentication Metadata
	// NOTE(review): these are plain exported fields; nothing in this
	// declaration ties the booleans to Method or to APIKey/Session being
	// non-nil. Verify they are set only by the authentication middleware and
	// kept consistent with each other.
	Method          AuthMethod `json:"method"`
	IsAuthenticated bool       `json:"isAuthenticated"`
	IsAPIKeyAuth    bool       `json:"isAPIKeyAuth"`
	IsUserAuth      bool       `json:"isUserAuth"`

	// Security Metadata
	// NOTE(review): how these are derived is not shown here. A User-Agent
	// header is client-supplied, and an address taken from forwarding headers
	// can be too; treat both as audit data rather than as an input to access
	// decisions — TODO confirm the source.
	IPAddress string `json:"ipAddress"`
	UserAgent string `json:"userAgent"`

	// RBAC Integration (Hybrid Approach)
	APIKeyRoles        []string `json:"apiKeyRoles,omitempty"`        // Roles assigned to API key
	APIKeyPermissions  []string `json:"apiKeyPermissions,omitempty"`  // Permissions from API key roles
	CreatorPermissions []string `json:"creatorPermissions,omitempty"` // Permissions from key creator (if delegated)
	UserRoles          []string `json:"userRoles,omitempty"`          // Roles from session user
	UserPermissions    []string `json:"userPermissions,omitempty"`    // Permissions from session user roles

	// Effective (computed) permissions - union of all applicable permissions
	// NOTE(review): a union can only widen access. Confirm that
	// CreatorPermissions contribute to it only when delegation is enabled for
	// the key, and that the list is recomputed whenever a source list changes.
	EffectivePermissions []string `json:"effectivePermissions,omitempty"`
}

AuthContext holds the complete authentication state for a request. It provides a unified view of both API key (app) authentication and user session authentication, following production patterns like Clerk.

func GetAuthContext

func GetAuthContext(ctx context.Context) (*AuthContext, bool)

GetAuthContext retrieves the auth context from the request context.

func RequireAuthContext

func RequireAuthContext(ctx context.Context) (*AuthContext, error)

RequireAuthContext retrieves auth context or returns error.

func (*AuthContext) CanAccess

func (ac *AuthContext) CanAccess(action, resource string) bool

CanAccess checks whether the auth context can perform an action on a resource. This is the main permission check method; it combines: (1) legacy scope strings (e.g., "users:read"); (2) RBAC permissions (e.g., action="view", resource="users"); (3) delegated permissions (from the creator); and (4) user session permissions.

func (*AuthContext) CanAccessOrgData

func (ac *AuthContext) CanAccessOrgData(targetOrgID xid.ID) bool

CanAccessOrgData checks whether the context can access data for a specific org. It returns true if the user belongs to the org, OR the API key is scoped to the org, OR the API key has admin privileges.

func (*AuthContext) CanAccessUserData

func (ac *AuthContext) CanAccessUserData(targetUserID xid.ID) bool

CanAccessUserData checks whether the context can access data for a specific user. It returns true if the authenticated user is the target user, OR the API key has admin privileges.

func (*AuthContext) CanPerformAdminOp

func (ac *AuthContext) CanPerformAdminOp() bool

CanPerformAdminOp returns true if the context can perform admin operations. This requires a secret key with admin scope.

func (*AuthContext) GetEffectiveAppID

func (ac *AuthContext) GetEffectiveAppID() xid.ID

GetEffectiveAppID returns the app ID to use for the request. Priority: API key app > Session app.

func (*AuthContext) GetEffectiveEnvironmentID

func (ac *AuthContext) GetEffectiveEnvironmentID() xid.ID

GetEffectiveEnvironmentID returns the environment ID to use. Priority: API key env > Session env.

func (*AuthContext) GetEffectiveOrgID

func (ac *AuthContext) GetEffectiveOrgID() *xid.ID

GetEffectiveOrgID returns the organization ID to use for the request. Priority: Session org > API key org.

func (*AuthContext) GetImpersonatedUserID

func (ac *AuthContext) GetImpersonatedUserID() *xid.ID

GetImpersonatedUserID returns the user ID being impersonated (if any).

func (*AuthContext) GetUserOrAPIKeyUser

func (ac *AuthContext) GetUserOrAPIKeyUser() *base.User

GetUserOrAPIKeyUser returns the session user or nil. In production auth systems, the session user takes precedence.

func (*AuthContext) HasAPIKey

func (ac *AuthContext) HasAPIKey() bool

HasAPIKey returns true if authenticated via API key.

func (*AuthContext) HasAllPermissions

func (ac *AuthContext) HasAllPermissions(permissions ...string) bool

HasAllPermissions checks if context has all of the specified permissions.

func (*AuthContext) HasAllScopesOf

func (ac *AuthContext) HasAllScopesOf(scopes ...string) bool

HasAllScopesOf checks if the API key has all of the specified scopes.

func (*AuthContext) HasAnyPermission

func (ac *AuthContext) HasAnyPermission(permissions ...string) bool

HasAnyPermission checks if context has any of the specified permissions.

func (*AuthContext) HasAnyScopeOf

func (ac *AuthContext) HasAnyScopeOf(scopes ...string) bool

HasAnyScopeOf checks if the API key has any of the specified scopes.

func (*AuthContext) HasRBACPermission

func (ac *AuthContext) HasRBACPermission(action, resource string) bool

HasRBACPermission checks whether the auth context has a specific RBAC permission. Permission format: "action:resource" (e.g., "view:users", "edit:posts").

func (*AuthContext) HasScope

func (ac *AuthContext) HasScope(scope string) bool

HasScope checks if the API key has a specific scope.

func (*AuthContext) HasSession

func (ac *AuthContext) HasSession() bool

HasSession returns true if authenticated via user session.

func (*AuthContext) IsAdmin

func (ac *AuthContext) IsAdmin() bool

IsAdmin returns true if the API key has admin privileges.

func (*AuthContext) IsDelegatingCreatorPermissions

func (ac *AuthContext) IsDelegatingCreatorPermissions() bool

IsDelegatingCreatorPermissions returns true if API key is delegating creator's permissions.

func (*AuthContext) IsImpersonating

func (ac *AuthContext) IsImpersonating() bool

IsImpersonating returns true if API key is impersonating a user.

func (*AuthContext) IsPublishableKey

func (ac *AuthContext) IsPublishableKey() bool

IsPublishableKey returns true if authenticated with a publishable key.

func (*AuthContext) IsRestrictedKey

func (ac *AuthContext) IsRestrictedKey() bool

IsRestrictedKey returns true if authenticated with a restricted key.

func (*AuthContext) IsSecretKey

func (ac *AuthContext) IsSecretKey() bool

IsSecretKey returns true if authenticated with a secret key.

func (*AuthContext) RequireCanAccess

func (ac *AuthContext) RequireCanAccess(action, resource string) error

RequireCanAccess ensures the context can access the resource (via scopes OR RBAC).

func (*AuthContext) RequireRBACPermission

func (ac *AuthContext) RequireRBACPermission(action, resource string) error

RequireRBACPermission ensures the context has a specific RBAC permission.

func (*AuthContext) RequireScope

func (ac *AuthContext) RequireScope(scope string) error

RequireScope ensures the API key has a specific scope.

func (*AuthContext) String

func (ac *AuthContext) String() string

String returns a human-readable representation of the auth context.

type AuthMethod

type AuthMethod string

AuthMethod indicates how the request was authenticated.

const (
	// Values of AuthMethod, the type of the AuthContext.Method field.
	//
	// NOTE(review): the meanings below are read off the names and string
	// values only. AuthMethodBoth presumably means an API key and a user
	// session were presented on the same request; confirm how the two
	// credentials are reconciled when they resolve to different tenants.

	// AuthMethodNone is the value "none" (presumably: no credential accepted — confirm).
	AuthMethodNone    AuthMethod = "none"
	// AuthMethodSession is the value "session" (presumably: user session only — confirm).
	AuthMethodSession AuthMethod = "session"
	// AuthMethodAPIKey is the value "apikey" (presumably: API key only — confirm).
	AuthMethodAPIKey  AuthMethod = "apikey"
	// AuthMethodBoth is the value "both" (presumably: API key and session together — confirm).
	AuthMethodBoth    AuthMethod = "both"
)
