serviceauth

package
v1.22.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 1, 2026 License: MIT Imports: 4 Imported by: 0

Documentation

Overview

Package serviceauth provides constant-time validation of shared service-to-service tokens. It is intended for the IAM mono-repo's service-to-service auth edges (auth ↔ caller, dataaccess ↔ caller, ...) and answers the question "is the calling process a trusted peer service". It does NOT establish end-user identity — see pkg/userauth for that.

Each service owns its own metadata header name and interceptor; this package only owns the comparison logic.

Index

Constants

This section is empty.

Variables

View Source
var ErrUnauthorized = errors.New("unauthorized")

ErrUnauthorized is returned when the presented token does not match any of the configured tokens.

Functions

This section is empty.

Types

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

Validator performs constant-time token validation against a set of pre-computed SHA-512 hashes. It is safe for concurrent use.

func NewValidator

func NewValidator(tokens ...string) *Validator

NewValidator creates a Validator that accepts the given tokens. Empty token strings are silently ignored so callers can pass an optional next-token slot without conditional logic.

func (*Validator) Validate

func (v *Validator) Validate(_ context.Context, providedToken string) error

Validate checks whether the provided token matches any of the configured tokens. Returns nil on success, ErrUnauthorized on failure.

All configured hashes are checked without short-circuiting so the total work is constant regardless of which (if any) token matches.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL