login

package

v0.5.4 Latest Latest Go to latest Published: May 2, 2026 License: MIT Imports: 22 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/yogasw/wick

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func GetUser(ctx context.Context) *entity.User
func GetUserTagIDs(ctx context.Context) []string
func SetAfterLoginRedirect(w http.ResponseWriter, r *http.Request, path string)
func WithUser(ctx context.Context, user *entity.User, tagIDs []string) context.Context
type Handler
- func NewHandler(svc *Service, midd *Middleware, ssoSvc *sso.Service, cfg appConfig) *Handler
- func (h *Handler) Register(mux *http.ServeMux, sessionMidd *Middleware)
type Middleware
- func NewMiddleware(svc *Service, secrets SecretProvider) *Middleware
type SecretProvider
type Service
- func NewService(db *gorm.DB, adminEmailsCSV string) *Service
type ToolMeta

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrInvalidCredentials = errors.New("invalid email or password")

Functions ¶

func GetUser ¶

func GetUser(ctx context.Context) *entity.User

GetUser retrieves the authenticated user from context. Returns nil if not logged in.

func GetUserTagIDs ¶

func GetUserTagIDs(ctx context.Context) []string

GetUserTagIDs retrieves the filter tag IDs for the authenticated user from context. Populated by the Session middleware from the encrypted cookie.

func SetAfterLoginRedirect ¶ added in v0.4.0

func SetAfterLoginRedirect(w http.ResponseWriter, r *http.Request, path string)

SetAfterLoginRedirect stores a path the next successful login should land on, instead of "/". Paths must start with "/" and not "//". Used by /oauth/authorize when the user isn't logged in yet.

func WithUser ¶ added in v0.4.0

func WithUser(ctx context.Context, user *entity.User, tagIDs []string) context.Context

WithUser stamps a user + filter-tag-ID set onto the context using the same keys the cookie-session middleware does. Useful for non-cookie auth paths (MCP bearer middleware, OAuth) that need downstream code (`login.GetUser`, `login.GetUserTagIDs`, `Service.CanAccessTool`) to behave identically.

Types ¶

type Handler ¶

type Handler struct {
	// contains filtered or unexported fields
}

func NewHandler ¶

func NewHandler(svc *Service, midd *Middleware, ssoSvc *sso.Service, cfg appConfig) *Handler

NewHandler wires the login routes. The handler reads SSO config from the sso.Service on every request so admin edits take effect without a restart.

func (*Handler) Register ¶

func (h *Handler) Register(mux *http.ServeMux, sessionMidd *Middleware)

type Middleware ¶

type Middleware struct {
	// contains filtered or unexported fields
}

func NewMiddleware ¶

func NewMiddleware(svc *Service, secrets SecretProvider) *Middleware

func (*Middleware) ClearSessionCookie ¶

func (m *Middleware) ClearSessionCookie(w http.ResponseWriter)

ClearSessionCookie wipes the session cookie.

func (*Middleware) RequireAdmin ¶

func (m *Middleware) RequireAdmin(next http.Handler) http.Handler

RequireAdmin returns 403 if the user is not an admin.

func (*Middleware) RequireAuth ¶

func (m *Middleware) RequireAuth(next http.Handler) http.Handler

RequireAuth redirects to /auth/login if there is no authenticated, approved user.

func (*Middleware) RequireJobAccess ¶

func (m *Middleware) RequireJobAccess(next http.Handler) http.Handler

RequireJobAccess enforces per-job visibility on /jobs/{key} requests. It reuses the ToolPermission table (stored under "/jobs/{key}") and CanAccessTool logic. Session + RequireAuth must have run first.

func (*Middleware) RequireToolAccess ¶

func (m *Middleware) RequireToolAccess(tools []ToolMeta) func(http.Handler) http.Handler

RequireToolAccess enforces per-tool visibility on requests under /tools/. For each request it finds the tool whose Path is the longest prefix of the request URL, then calls Service.CanAccessTool. Public tools let anyone through; Private tools require an approved login, plus a matching tag when the tool has required tags set. Session must have already populated the user in context.

func (*Middleware) Session ¶

func (m *Middleware) Session(next http.Handler) http.Handler

Session decrypts the AES-GCM session cookie and populates the user and their filter tag IDs into the request context. Tampered or expired cookies are wiped. For guests (no session), it reads the guest theme cookie.

func (*Middleware) SetSessionCookie ¶

func (m *Middleware) SetSessionCookie(w http.ResponseWriter, userID string, tagIDs []string, secure bool)

SetSessionCookie encrypts {userID, tagIDs} with AES-256-GCM and writes the result as an HttpOnly cookie. Callers should fetch filter tag IDs via svc.GetUserFilterTagIDs before calling this.

type SecretProvider ¶

type SecretProvider interface {
	SessionSecret() string
}

SecretProvider is the minimal interface Middleware needs to read the current session-signing secret. configs.Service satisfies it.

type Service ¶

type Service struct {
	// contains filtered or unexported fields
}

func NewService ¶

func NewService(db *gorm.DB, adminEmailsCSV string) *Service

func (*Service) BootstrapAdmin ¶

func (s *Service) BootstrapAdmin(ctx context.Context, defaultPassword string)

BootstrapAdmin is a one-shot seed: if no user with the admin role exists yet, it creates one account per configured admin email and sets the given password on it. When at least one admin is already present the whole thing is a no-op — so the seed can't resurrect deleted admins or overwrite a live password.

func (*Service) CanAccessTool ¶

func (s *Service) CanAccessTool(ctx context.Context, user *entity.User, toolPath string, defaultVis entity.ToolVisibility) bool

func (*Service) GetUserByID ¶

func (s *Service) GetUserByID(ctx context.Context, id string) (*entity.User, error)

func (*Service) GetUserFilterTagIDs ¶

func (s *Service) GetUserFilterTagIDs(ctx context.Context, userID string) []string

GetUserFilterTagIDs fetches the filter-type tag IDs for a user. Called at login time; the result is embedded in the encrypted session cookie so subsequent requests do not need an extra DB query for tag matching.

func (*Service) LoginWithPassword ¶

func (s *Service) LoginWithPassword(ctx context.Context, email, password string) (*entity.User, error)

func (*Service) SetHomeView ¶

func (s *Service) SetHomeView(ctx context.Context, userID, view string) error

SetHomeView updates the user's home-grid view preference.

func (*Service) SetPassword ¶

func (s *Service) SetPassword(ctx context.Context, userID, currentPassword, newPassword string) error

func (*Service) SetTheme ¶

func (s *Service) SetTheme(ctx context.Context, userID, themeID string) error

SetTheme updates the user's UI theme preference. Empty id means "no preference" and the UI falls back to the device system setting.

func (*Service) UpsertUser ¶

func (s *Service) UpsertUser(ctx context.Context, email, name, avatar string) (*entity.User, error)

type ToolMeta ¶

type ToolMeta struct {
	Path              string
	DefaultVisibility entity.ToolVisibility
}

ToolMeta is the minimal info RequireToolAccess needs about each tool. Declared here so the login package doesn't import ui (avoids a cycle).

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
view templ: version: v0.3.1001	templ: version: v0.3.1001

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL