Documentation
Overview
Package sso manages SSO provider credentials (currently Google OAuth). Credentials live in the `sso_providers` table and are cached in memory after Bootstrap — lookups don't touch the DB. Saving a provider via the admin UI refreshes the cache, so OAuth wiring reflects changes without restarting the server.
The callback URL is never stored. It's derived from configs.Service.AppURL() + "/auth/callback" every time the oauth2 config is built.
Index
- Constants
- type Service
- func (s *Service) AnyEnabled() bool
- func (s *Service) Bootstrap(ctx context.Context) error
- func (s *Service) Get(provider string) (entity.SSOProvider, bool)
- func (s *Service) IsEmailAllowed(provider, email string) bool
- func (s *Service) List() []entity.SSOProvider
- func (s *Service) OAuthConfig(provider, appURL string) (*oauth2.Config, bool)
- func (s *Service) Update(ctx context.Context, provider, clientID, clientSecret string, enabled bool, ...) error
Constants
const CallbackPath = "/auth/callback"
CallbackPath is the relative path the OAuth redirect lands on. Kept as a package constant so the admin UI and login handler agree on the same suffix.
Types
type Service
type Service struct {
// contains filtered or unexported fields
}
func NewService
func (*Service) AnyEnabled
AnyEnabled reports whether at least one provider has Enabled=true and non-empty credentials. Used by the login page to decide whether to render the "Continue with Google" button.
func (*Service) Bootstrap
Bootstrap ensures every known provider has at least an empty row and populates the cache. Call once at startup.
func (*Service) Get
func (s *Service) Get(provider string) (entity.SSOProvider, bool)
Get returns the cached row for a provider, or (zero, false) if the provider was never bootstrapped.
func (*Service) IsEmailAllowed (added in v0.3.0)
IsEmailAllowed reports whether an email's domain is permitted to sign in through this provider. Empty AllowedDomains means no restriction. Returns false for malformed emails.
func (*Service) List
func (s *Service) List() []entity.SSOProvider
List returns every provider row, sorted by provider name. Used by the admin UI.
func (*Service) OAuthConfig
OAuthConfig builds the oauth2.Config for a provider, with the callback URL derived from appURL. Returns (nil, false) if the provider isn't configured or isn't enabled — callers should treat that as "Google login disabled".
func (*Service) Update
func (s *Service) Update(ctx context.Context, provider, clientID, clientSecret string, enabled bool, allowedDomains string) error
Update writes new credentials for a provider and refreshes the cache. allowedDomains is a comma-separated list of email domains; empty string disables the restriction.
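The domain check documented for IsEmailAllowed, combined with the comma-separated allowedDomains format that Update takes, can be sketched as follows. This is an added example, not the package's own code: parseAllowedDomains and emailAllowed are hypothetical names, and case-insensitive exact matching, rejecting any address without exactly one "@", and rejecting malformed addresses before consulting the list are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// parseAllowedDomains splits a comma-separated list (the format documented
// for Update's allowedDomains) into a normalized set.
// Hypothetical helper: the package's real parsing is not shown on the page.
func parseAllowedDomains(csv string) map[string]struct{} {
	set := make(map[string]struct{})
	for _, d := range strings.Split(csv, ",") {
		d = strings.ToLower(strings.TrimSpace(d))
		if d != "" {
			set[d] = struct{}{}
		}
	}
	return set
}

// emailAllowed follows the documented contract of IsEmailAllowed:
// an empty list means no restriction, malformed emails are rejected.
func emailAllowed(allowedCSV, email string) bool {
	email = strings.TrimSpace(email)
	at := strings.LastIndex(email, "@")
	// Malformed (assumed definition): no "@", empty local part,
	// empty domain, or more than one "@".
	if at <= 0 || at == len(email)-1 || strings.Count(email, "@") != 1 {
		return false
	}
	allowed := parseAllowedDomains(allowedCSV)
	if len(allowed) == 0 {
		return true // documented: empty AllowedDomains means no restriction
	}
	// Exact match on the whole domain. A suffix match would also admit
	// look-alike domains such as "notexample.com".
	_, ok := allowed[strings.ToLower(email[at+1:])]
	return ok
}

func main() {
	const list = "example.com, Corp.Example.org" // constructed sample value
	for _, e := range []string{"a@example.com", "a@notexample.com", "a@b@example.com", "no-at-sign"} {
		fmt.Printf("%-20s %v\n", e, emailAllowed(list, e))
	}
}
```

In this sketch a list made up only of separators or whitespace normalizes to empty and therefore lifts the restriction, so admin input is worth validating before it is saved. Subdomains are not matched implicitly and have to be listed explicitly.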