dashauth

package
v1.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 14, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package dashauth provides authentication and authorization abstractions for the dashboard extension. It is intentionally decoupled from the auth extension so the dashboard has no hard dependency on any specific auth provider.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ForgeMiddleware 

func ForgeMiddleware(checker AuthChecker) forge.Middleware

ForgeMiddleware returns forge.Middleware that runs the AuthChecker and stores the resulting UserInfo in the request context. This middleware runs on the forge.Router catch-all route, BEFORE the request reaches ForgeUI.

It does NOT block unauthenticated requests — it only populates the context. Access enforcement is handled by PageMiddleware at the ForgeUI layer.

func HasTenantInContext added in v1.2.0 

func HasTenantInContext(ctx context.Context) bool

HasTenantInContext returns true if the context contains a tenant with a non-empty ID.

func IsAuthenticated 

func IsAuthenticated(ctx context.Context) bool

IsAuthenticated returns true if the context contains an authenticated user.

func PageMiddleware 

func PageMiddleware(level AccessLevel, loginPath string) router.Middleware

PageMiddleware returns ForgeUI router.Middleware that enforces an AccessLevel on a specific page. It reads the UserInfo from the request context (placed there by ForgeMiddleware) and decides whether to allow, redirect, or pass through.

  • AccessPublic: always passes through.
  • AccessPartial: always passes through (the page handler checks auth itself).
  • AccessProtected: checks UserFromContext; redirects to loginPath if nil.

The loginPath should be the full dashboard path (e.g. "/dashboard/auth/login").

func RequireRole 

func RequireRole(role string) router.Middleware

RequireRole returns ForgeUI middleware that checks the user has a specific role. It assumes PageMiddleware(AccessProtected, ...) already ran, so the user is authenticated. If the user lacks the role, a 403 Forbidden response is returned.

func RequireScope 

func RequireScope(scope string) router.Middleware

RequireScope returns ForgeUI middleware that checks the user has a specific scope.

func TenantMiddleware added in v1.2.0 

func TenantMiddleware(resolver TenantResolver) forge.Middleware

TenantMiddleware returns forge.Middleware that runs the TenantResolver and stores the resulting TenantInfo in the request context. Like ForgeMiddleware for auth, it does NOT block requests without a tenant — it only populates the context so downstream handlers and templates can access tenant info.

func WithTenant added in v1.2.0 

func WithTenant(ctx context.Context, tenant *TenantInfo) context.Context

WithTenant stores a TenantInfo in the context.

func WithUser 

func WithUser(ctx context.Context, user *UserInfo) context.Context

WithUser stores a UserInfo in the context.

Types

type AccessLevel 

type AccessLevel int

AccessLevel defines the protection level for a dashboard page or route. 

const (
	// AccessPublic means the page is always accessible without authentication.
	AccessPublic AccessLevel = iota

	// AccessProtected means authentication is required; unauthenticated users
	// are redirected to the login page.
	AccessProtected

	// AccessPartial means the page is always accessible but may render
	// differently depending on authentication state. The page handler should
	// check UserFromContext to adapt its output.
	AccessPartial
)

func ParseAccessLevel 

func ParseAccessLevel(s string) AccessLevel

ParseAccessLevel parses a string into an AccessLevel. Accepted values: "public", "protected", "partial". Returns AccessPublic for unrecognized values.

func (AccessLevel) String 

func (a AccessLevel) String() string

String returns the string representation of the access level.

type AuthChecker 

type AuthChecker interface {
	// CheckAuth inspects the request and returns a UserInfo if authenticated.
	// Returns nil (not an error) when the request is unauthenticated.
	// Returns an error only for infrastructure failures (e.g. token validation
	// service unreachable).
	CheckAuth(ctx context.Context, r *http.Request) (*UserInfo, error)
}

AuthChecker validates authentication state from HTTP requests. It is the primary abstraction the dashboard uses to check whether a request is authenticated. Implementations typically delegate to an auth extension's registry or a custom authentication mechanism.

type AuthCheckerFunc 

type AuthCheckerFunc func(ctx context.Context, r *http.Request) (*UserInfo, error)

AuthCheckerFunc is a function adapter for AuthChecker.

func (AuthCheckerFunc) CheckAuth 

func (f AuthCheckerFunc) CheckAuth(ctx context.Context, r *http.Request) (*UserInfo, error)

CheckAuth implements AuthChecker.

type AuthPageDescriptor 

type AuthPageDescriptor struct {
	// Type identifies the kind of auth page (login, logout, register, etc.).
	Type AuthPageType

	// Path is the route path relative to the auth base path (e.g. "/login").
	Path string

	// Title is the page title shown in the browser tab.
	Title string

	// Icon is the optional icon name for the page.
	Icon string
}

AuthPageDescriptor describes an auth page contributed to the dashboard.

type AuthPageProvider 

type AuthPageProvider interface {
	// AuthPages returns the list of auth pages this provider contributes.
	AuthPages() []AuthPageDescriptor

	// RenderAuthPage renders the templ component for an auth page (GET request).
	// The page type identifies which auth page to render.
	RenderAuthPage(ctx *router.PageContext, pageType AuthPageType) (templ.Component, error)

	// HandleAuthAction handles a form submission for an auth page (POST request).
	// Returns:
	//   - redirectURL: if non-empty, the user should be redirected to this URL
	//   - errComponent: if non-nil, re-render the page with this error content
	//   - err: infrastructure errors
	HandleAuthAction(ctx *router.PageContext, pageType AuthPageType) (redirectURL string, errComponent templ.Component, err error)
}

AuthPageProvider contributes authentication pages to the dashboard. Auth extensions implement this interface to provide login, register, and other auth-related pages that integrate into the dashboard shell.

type AuthPageType 

type AuthPageType string

AuthPageType identifies the kind of authentication page. 

const (
	PageLogin          AuthPageType = "login"
	PageLogout         AuthPageType = "logout"
	PageRegister       AuthPageType = "register"
	PageForgotPassword AuthPageType = "forgot-password"
	PageResetPassword  AuthPageType = "reset-password"
	PageCallback       AuthPageType = "callback"
	PageProfile        AuthPageType = "profile"
)

type ScopeTenantResolver added in v1.2.0 

type ScopeTenantResolver struct{}

ScopeTenantResolver is a default TenantResolver that reads forge.Scope from the request context and converts it to TenantInfo. This works out of the box when forge's scope middleware is in the chain.

func (ScopeTenantResolver) ResolveTenant added in v1.2.0 

func (s ScopeTenantResolver) ResolveTenant(ctx context.Context, _ *http.Request) (*TenantInfo, error)

ResolveTenant reads forge.Scope from context and converts to TenantInfo.

type TenantInfo added in v1.2.0 

type TenantInfo struct {
	// ID is the tenant identifier (AppID or OrgID depending on Type).
	ID string

	// Name is the human-readable display name for this tenant.
	Name string

	// Type indicates whether this is an app-level or org-level tenant.
	Type TenantType

	// AppID is always present — the application identifier.
	AppID string

	// OrgID is present only for org-level tenants.
	OrgID string

	// LogoURL is an optional URL for the tenant's logo/branding.
	LogoURL string

	// Metadata holds additional tenant-specific data.
	Metadata map[string]any
}

TenantInfo represents the current tenant context for the dashboard. It bridges forge.Scope into a richer dashboard-specific type with display metadata.

func TenantFromContext added in v1.2.0 

func TenantFromContext(ctx context.Context) *TenantInfo

TenantFromContext retrieves the TenantInfo from the context. Returns nil if no tenant is stored.

func (*TenantInfo) HasTenant added in v1.2.0 

func (t *TenantInfo) HasTenant() bool

HasTenant returns true if the tenant info is non-nil and has a non-empty ID.

func (*TenantInfo) IsApp added in v1.2.0 

func (t *TenantInfo) IsApp() bool

IsApp returns true if this is an app-level tenant.

func (*TenantInfo) IsOrg added in v1.2.0 

func (t *TenantInfo) IsOrg() bool

IsOrg returns true if this is an organization-level tenant.

type TenantResolver added in v1.2.0 

type TenantResolver interface {
	ResolveTenant(ctx context.Context, r *http.Request) (*TenantInfo, error)
}

TenantResolver resolves the current tenant from a request context. Implementations typically read forge.Scope from context and enrich it with display name, logo, etc.

type TenantResolverFunc added in v1.2.0 

type TenantResolverFunc func(ctx context.Context, r *http.Request) (*TenantInfo, error)

TenantResolverFunc is a function adapter for TenantResolver.

func (TenantResolverFunc) ResolveTenant added in v1.2.0 

func (f TenantResolverFunc) ResolveTenant(ctx context.Context, r *http.Request) (*TenantInfo, error)

ResolveTenant implements TenantResolver.

type TenantType added in v1.2.0 

type TenantType string

TenantType identifies the type of tenant scope. 

const (
	// TenantTypeApp indicates an application-level tenant.
	TenantTypeApp TenantType = "app"
	// TenantTypeOrg indicates an organization-level tenant.
	TenantTypeOrg TenantType = "org"
)

type UserInfo 

type UserInfo struct {
	// Subject is the unique user identifier (e.g. user ID, email, or sub claim).
	Subject string

	// DisplayName is the user's display name.
	DisplayName string

	// Email is the user's email address.
	Email string

	// AvatarURL is the URL of the user's avatar image.
	AvatarURL string

	// Roles holds the user's roles (e.g. "admin", "editor").
	Roles []string

	// Scopes holds the user's OAuth2 scopes or permission strings.
	Scopes []string

	// ProviderName identifies which auth provider authenticated this user.
	ProviderName string

	// Claims holds additional authentication claims.
	Claims map[string]any

	// Metadata holds provider-specific metadata.
	Metadata map[string]any
}

UserInfo represents an authenticated dashboard user. This type is decoupled from any specific auth provider — adapters convert provider-specific auth contexts into UserInfo.

func UserFromContext 

func UserFromContext(ctx context.Context) *UserInfo

UserFromContext retrieves the UserInfo from the context. Returns nil if no user is stored (i.e. unauthenticated request).

func (*UserInfo) Authenticated 

func (u *UserInfo) Authenticated() bool

Authenticated returns true if the user has a non-empty Subject.

func (*UserInfo) GetClaim 

func (u *UserInfo) GetClaim(key string) (any, bool)

GetClaim retrieves a claim by key.

func (*UserInfo) HasAnyRole 

func (u *UserInfo) HasAnyRole(roles ...string) bool

HasAnyRole checks if the user has any of the specified roles.

func (*UserInfo) HasRole 

func (u *UserInfo) HasRole(role string) bool

HasRole checks if the user has a specific role.

func (*UserInfo) HasScope 

func (u *UserInfo) HasScope(scope string) bool

HasScope checks if the user has a specific scope.

func (*UserInfo) Initials 

func (u *UserInfo) Initials() string

Initials returns the user's initials (up to 2 characters) for avatar fallback.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.