Documentation ¶
Overview ¶
Package dontusepasswords provides password-based authentication in a way that minimizes the inherent insecurity of passwords. If any more secure alternative to passwords exists for your application, use that. If you must handle passwords, dontusepasswords is a decent choice.
Index ¶
- type Accounts
- func (s Accounts) Auth(name string, attempt []byte) (*AuthResult, error)
- func (s Accounts) Get(name string) (*account.Account, error)
- func (s Accounts) New(name string) (*account.Account, error)
- func (s Accounts) NewChallenge(a *account.Account, v []byte) error
- func (s Accounts) Update(a *account.Account) error
- type AuthResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Accounts ¶
type Accounts struct {
	Store            account.Store // Storage for accounts
	PasswordLifetime time.Duration // How long before a password should be rotated
	AuthType         string        // Name of the auth scheme to use
}
Accounts is the main point of interaction with dontusepasswords.
func (Accounts) Auth ¶
func (s Accounts) Auth(name string, attempt []byte) (*AuthResult, error)
Auth attempts to verify a user by a given attempt value, which is usually a password. The returned AuthResult provides status details for the authentication attempt. The returned error is only used to indicate unexpected outcomes such as backend errors: an error may accompany a successful authentication, and a failed authentication may return no error.
If the account is not found or is locked, no challenge computation is performed. This could let an attacker confirm that an unlocked account exists by comparing the time taken to process a request for an existing, unlocked account with the time taken for one that does not exist or is locked. It is up to the application developer to decide if such protection is warranted.
If Expired is true in the AuthResult, the application should prompt the user to update their password.
If authentication succeeds but the account challenge (hash) is stored using a different auth type than the one configured for the system (e.g. bcrypt vs scrypt), Auth will attempt to update the stored challenge using the configured auth mechanism. This may fail and return an error. In this case, the application should probably log the error for admin troubleshooting and let the user proceed.
func (Accounts) Get ¶
func (s Accounts) Get(name string) (*account.Account, error)
Get retrieves an account by name. To perform authentication use Auth() instead.
func (Accounts) New ¶
func (s Accounts) New(name string) (*account.Account, error)
New creates a new Account object, returning an error if an account with that name already exists. The account is not yet stored, so there is the potential for a race condition between the existence check and the later store.
func (Accounts) NewChallenge ¶
func (s Accounts) NewChallenge(a *account.Account, v []byte) error
NewChallenge updates the challenge value for the Account object and updates the expiration time. The underlying store is not updated.
No restrictions are placed on passwords here. The application should not exclude any characters. It's reasonable for the application to impose a minimum length. The application should be very generous on maximum length (e.g. 256 characters).
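The Auth and NewChallenge semantics described above (result flags rather than errors, expiry, the skipped hash computation for missing or locked accounts, and re-hashing under the configured scheme after a successful login) as a self-contained model, added here and not code from the dontusepasswords package. Scheme, the map-backed Store, the fixed salt and the iterated SHA-256 stand-in for bcrypt/scrypt are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// Scheme stands in for one entry of the auth registry: Iter rounds of
// SHA-256 over a constructed fixed salt (a toy, not bcrypt or scrypt).
type Scheme struct{ Iter int }
func (s Scheme) derive(pw []byte) []byte {
	out := []byte("constructed-demo-salt")
	for i := 0; i < s.Iter; i++ {
		h := sha256.Sum256(append(out, pw...))
		out = h[:]
	}
	return out
}
// Account, AuthResult and Accounts carry only the documented fields; Store is a map, not account.Store.
type Account struct { AuthType string; Challenge []byte; Expires time.Time; Locked bool }
type AuthResult struct{ Success, Expired, Locked, NotExist bool }
type Accounts struct { Store map[string]*Account; Schemes map[string]Scheme; PasswordLifetime time.Duration; AuthType string }
// NewChallenge hashes pw under the configured scheme and resets the expiry.
func (s Accounts) NewChallenge(a *Account, pw []byte) {
	a.AuthType, a.Challenge = s.AuthType, s.Schemes[s.AuthType].derive(pw)
	a.Expires = time.Now().Add(s.PasswordLifetime)
}
// Auth reports outcomes as flags and reserves the error for backend problems; NotExist and Locked never call derive (the timing caveat).
func (s Accounts) Auth(name string, attempt []byte) (*AuthResult, error) {
	a, ok := s.Store[name]
	if !ok {
		return &AuthResult{NotExist: true}, nil
	}
	if a.Locked {
		return &AuthResult{Locked: true}, nil
	}
	sch, ok := s.Schemes[a.AuthType]
	if !ok {
		return nil, errors.New("stored challenge uses an unregistered auth type")
	}
	if subtle.ConstantTimeCompare(sch.derive(attempt), a.Challenge) != 1 {
		return &AuthResult{}, nil
	}
	if a.AuthType != s.AuthType { // migrate the stored challenge on success
		a.AuthType, a.Challenge = s.AuthType, s.Schemes[s.AuthType].derive(attempt)
	}
	return &AuthResult{Success: true, Expired: time.Now().After(a.Expires)}, nil
}
```

An application that wants to close the timing gap can run a throwaway derive on the NotExist and Locked paths before returning; the model leaves that decision to the caller, as the package documentation does.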
type AuthResult ¶
type AuthResult struct {
	Account  *account.Account // The account object if authentication succeeded
	Success  bool             // Whether or not authentication succeeded
	Expired  bool             // Whether or not the challenge is expired
	Locked   bool             // Whether or not the account is administratively locked
	NotExist bool             // If no account with that name is found
}
AuthResult provides details about the result of an authentication attempt.
Directories ¶
Path | Synopsis
---|---
account | package account provides the structure for an account and some utility code related to the storage of Account objects.
json | package json provides Account storage in a simple, single JSON file.
auth | package auth provides a common interface and registry for transforming passwords into a secure form.
bcrypt | package bcrypt implements the bcrypt algorithm as an authentication method.