api

package
v0.1.1-0...-f9b01a3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 21, 2020 License: MIT Imports: 35 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// SignatureHeaderKey header stores HMAC signature digest.
	SignatureHeaderKey = "Digest"
	// SignatureHeaderValuePrefix is a signature prefix, indicating hash algorithm, hardcoded for now, could be dynamic in the future.
	SignatureHeaderValuePrefix = "SHA-256="
	// TimestampHeaderKey header stores timestamp.
	TimestampHeaderKey = "X-Identifo-Timestamp"
)
View Source
const (
	// ErrorAPIInternalServerError means that server got unknown error.
	ErrorAPIInternalServerError = "api.internal_server_error"
	// ErrorAPIAppAccessDenied is when access is denied.
	ErrorAPIAppAccessDenied = "api.app.access_denied"
	// ErrorAPIUserUnableToCreate is when user cannot create the resource.
	ErrorAPIUserUnableToCreate = "error.api.user.unable_to_create"
	// ErrorAPIVerificationCodeInvalid stands for invalid verification code.
	ErrorAPIVerificationCodeInvalid = "error.api.verification_code.invalid"
	// ErrorAPIUserNotFound is when user not found.
	ErrorAPIUserNotFound = "error.api.user.not_found"
	// ErrorAPIUsernameTaken is when username is already taken.
	ErrorAPIUsernameTaken = "error.api.username.taken"
	// ErrorAPIEmailTaken is when email is already taken.
	ErrorAPIEmailTaken = "error.api.email.taken"
	// ErrorAPIInviteTokenServerError is for invite token creation issues.
	ErrorAPIInviteTokenServerError = "error.api.invite_token.server_error"
	// ErrorAPIEmailNotSent means that email had not been sent.
	ErrorAPIEmailNotSent = "error.api.email.not_sent"

	// ErrorAPIRequestPasswordWeak means that password didn't pass strength validation.
	ErrorAPIRequestPasswordWeak = "error.api.request.password.weak"
	// ErrorAPIRequestIncorrectEmailOrPassword is for incorrect email or password.
	ErrorAPIRequestIncorrectEmailOrPassword = "error.api.request.incorrect_email_or_password"
	// ErrorAPIRequestScopesForbidden is for forbidden request scopes.
	ErrorAPIRequestScopesForbidden = "error.api.request.scopes.forbidden"
	// ErrorAPIRequestBodyInvalid means that request body is corrupted.
	ErrorAPIRequestBodyInvalid = "error.api.request.body.invalid"
	// ErrorAPIRequestBodyParamsInvalid means that request params are corrupted.
	ErrorAPIRequestBodyParamsInvalid = "error.api.request.body.params.invalid"
	// ErrorAPIRequestBodyOldPasswordInvalid is for invalid old password.
	ErrorAPIRequestBodyOldPasswordInvalid = "error.api.request.body.oldpassword.invalid"
	// ErrorAPIRequestBodyEmailInvalid means that email in request body is corrupted.
	ErrorAPIRequestBodyEmailInvalid = "error.api.request.body.email.invalid"
	// ErrorAPIRequestSignatureInvalid is a HMAC request signature error.
	ErrorAPIRequestSignatureInvalid = "error.api.request.signature.invalid"
	// ErrorAPIRequestAppIDInvalid means that application ID header value is invalid.
	ErrorAPIRequestAppIDInvalid = "error.api.request.app_id.invalid"
	// ErrorAPIRequestTokenInvalid means that the token is invalid or empty.
	ErrorAPIRequestTokenInvalid = "error.api.request.token.invalid"

	// ErrorAPIRequestTFACodeEmpty means that the 2FA code is empty.
	ErrorAPIRequestTFACodeEmpty = "error.api.request.2fa_code.empty"
	// ErrorAPIRequestTFACodeInvalid means that the 2FA code is invalid.
	ErrorAPIRequestTFACodeInvalid = "error.api.request.2fa_code.invalid"
	// ErrorAPIRequestTFAAlreadyEnabled means that 2FA is already enabled for the user.
	ErrorAPIRequestTFAAlreadyEnabled = "error.api.request.2fa.already_enabled"
	// ErrorAPIRequestPleaseEnableTFA means that user must request TFA and obtain TFA secret to be able to use the app.
	ErrorAPIRequestPleaseEnableTFA = "error.api.request.2fa.please_enable"
	// ErrorAPIRequestPleaseDisableTFA means that user must disable TFA to be able to use the app.
	ErrorAPIRequestPleaseDisableTFA = "error.api.request.2fa.please_disable"
	// ErrorAPIRequestMandatoryTFA means that user cannot disable TFA for the app.
	ErrorAPIRequestMandatoryTFA = "error.api.request.2fa.mandatory"
	// ErrorAPIRequestDisabledTFA means that app does not support TFA.
	ErrorAPIRequestDisabledTFA = "error.api.request.2fa.disabled"
	// ErrorAPIRequestPleaseSetPhoneForTFA means that user must set up their phone number to be able to receive TOTPs in SMS.
	ErrorAPIRequestPleaseSetPhoneForTFA = "error.api.request.2fa.set_phone"
	// ErrorAPIRequestPleaseSetEmailForTFA means that user must set up their email address to be able to receive TOTPs on the email.
	ErrorAPIRequestPleaseSetEmailForTFA = "error.api.request.2fa.set_email"

	// ErrorAPIAppInactive means that the reqesting app is inactive.
	ErrorAPIAppInactive = "error.api.app.inactive"
	// ErrorAPIAppRegistrationForbidden means that registration is forbidden.
	ErrorAPIAppRegistrationForbidden = "error.api.app.registration_forbidden"
	// ErrorAPIAppResetTokenNotCreated means that registration is forbidden.
	ErrorAPIAppResetTokenNotCreated = "error.api.app.unable_to_create_reset_token"
	// ErrorAPIAppAccessTokenNotCreated means that registration is forbidden.
	ErrorAPIAppAccessTokenNotCreated = "error.api.app.unable_to_create_access_token"
	// ErrorAPIAppRefreshTokenNotCreated means that registration is forbidden.
	ErrorAPIAppRefreshTokenNotCreated = "error.api.app.unable_to_create_refresh_token"
	// ErrorAPIAppCannotExtractTokenSubject is when we cannot extract token "sub".
	ErrorAPIAppCannotExtractTokenSubject = "error.api.request.token.sub"
	// ErrorAPIAppCannotInitAuthorizer is when we cannot init internal authorizer.
	ErrorAPIAppCannotInitAuthorizer = "error.api.request.authorizer.internal.init"

	// ErrorAPIAppFederatedProviderNotSupported means that the federated ID provider is not supported.
	ErrorAPIAppFederatedProviderNotSupported = "api.app.federated.provider.not_supported"
	// ErrorAPIAppFederatedProviderEmptyUserID means that the federated provider returns empty user ID, maybe access token does not have required permissions.
	ErrorAPIAppFederatedProviderEmptyUserID = "api.app.federated.provider.empty_user_id"
	// ErrorAPIAppFederatedProviderEmptyAppleInfo means that application does not have clientID and clientSecret needed for Sign In with Apple.
	ErrorAPIAppFederatedProviderEmptyAppleInfo = "api.app.federated.provider.empty_apple_info"

	// ErrorAPIAppFederatedLoginNotSupported means that the app does not support federated login.
	ErrorAPIAppFederatedLoginNotSupported = "api.app.federated.login.not_supported"
	// ErrorAPIAppLoginWithUsernameNotSupported means that the app does not support login by username.
	ErrorAPIAppLoginWithUsernameNotSupported = "api.app.username.login.not_supported"
	// ErrorAPIAppPhoneLoginNotSupported means that the app does not support login by phone number.
	ErrorAPIAppPhoneLoginNotSupported = "api.app.phone.login.not_supported"
)
View Source
const (
	// TokenHeaderKey is a header name for Bearer token.
	TokenHeaderKey = "Authorization"
	// TokenTypeAccess is an access token type.
	TokenTypeAccess = "access"
	// TokenTypeRefresh is a refresh token type.
	TokenTypeRefresh = "refresh"
)
View Source
const (
	// HeaderKeyAppID is a header key to keep application ID.
	HeaderKeyAppID = "X-Identifo-Clientid"
)

Variables

View Source
var ErrAppleEmptyUserID = errors.New("Apple user id is not accessible. ")

ErrAppleEmptyUserID is when Apple user ID is empty.

View Source
var ErrFacebookEmptyUserID = errors.New("Facebook user id is not accessible. ")

ErrFacebookEmptyUserID is when Facebook user ID is empty.

Functions

func CorsOption

func CorsOption(corsOptions *model.CorsOptions) func(*Router) error

CorsOption sets cors option.

func GetMessage

func GetMessage(id MessageID) string

GetMessage returns message by its ID.

func HostOption

func HostOption(host string) func(*Router) error

HostOption sets host value.

func NewRouter

NewRouter creates and initilizes new router.

func SupportedLoginWaysOption

func SupportedLoginWaysOption(loginWays model.LoginWith) func(*Router) error

SupportedLoginWaysOption is for setting supported ways of logging in into the app.

func TFATypeOption

func TFATypeOption(tfaType model.TFAType) func(*Router) error

TFATypeOption is for setting two-factor authentication type.

func WebRouterPrefixOption

func WebRouterPrefixOption(prefix string) func(*Router) error

WebRouterPrefixOption sets web prefix host value.

Types

type AuthResponse

type AuthResponse struct {
	AccessToken    string     `json:"access_token,omitempty"`
	RefreshToken   string     `json:"refresh_token,omitempty"`
	User           model.User `json:"user,omitempty"`
	NeedFurtherTFA bool       `json:"need_further_tfa,omitempty"`
}

AuthResponse is a response with successful auth data.

type FederatedLoginData

type FederatedLoginData struct {
	FederatedIDProvider string   `json:"provider,omitempty" validate:"required"`
	AccessToken         string   `json:"access_token,omitempty"`
	RegisterIfNew       bool     `json:"register_if_new,omitempty"`
	Scopes              []string `json:"scopes,omitempty"`
	AuthorizationCode   string   `json:"authorization_code,omitempty"` // Specific for Sign In with Apple.
}

FederatedLoginData represents federated login input data.

type MessageID

type MessageID string

MessageID is an error message ID.

type OIDCConfiguration

type OIDCConfiguration struct {
	Issuer                 string   `json:"issuer"`
	JwksURI                string   `json:"jwks_uri"`
	ScopesSupported        []string `json:"scopes_supported"`
	SupportedIDSigningAlgs []string `json:"id_token_signing_alg_values_supported"`
}

OIDCConfiguration describes OIDC configuration. Additional info: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. Identifo is not an OIDC provider, that's why we only provide the information for token validation.

type PhoneLogin

type PhoneLogin struct {
	PhoneNumber string   `json:"phone_number"`
	Code        string   `json:"code"`
	Scopes      []string `json:"scopes"`
}

PhoneLogin is used to parse input data from the client during phone login.

type Router

type Router struct {
	Authorizer         *authorization.Authorizer
	Host               string
	SupportedLoginWays model.LoginWith
	WebRouterPrefix    string
	// contains filtered or unexported fields
}

Router is a router that handles all API requests.

func (*Router) AppID

func (ar *Router) AppID() negroni.HandlerFunc

AppID extracts application ID from the header and writes corresponding app to the context.

func (*Router) AppleUserID

func (ar *Router) AppleUserID(authorizationCode string, appleInfo *model.AppleInfo) (string, error)

AppleUserID returns Apple user ID.

func (*Router) DumpRequest

func (ar *Router) DumpRequest() negroni.HandlerFunc

DumpRequest logs the request.

func (*Router) EnableTFA

func (ar *Router) EnableTFA() http.HandlerFunc

EnableTFA enables two-factor authentication for the user.

func (*Router) Error

func (ar *Router) Error(w http.ResponseWriter, errID MessageID, status int, details, where string)

Error writes an API error message to the response and logger.

func (*Router) FacebookUserID

func (ar *Router) FacebookUserID(accessToken string) (string, error)

FacebookUserID returns Facebook user ID.

func (*Router) FederatedLogin

func (ar *Router) FederatedLogin() http.HandlerFunc

FederatedLogin provides login/registration with federated identity. First, user sends the identity provider access token to Identifo. Then, Identifo sends request to identity provider to get user profile and identity user ID, and then search for the user with this federated identity ID in the user pool. If there is no user with such identity, function returns 404 (user not found). If register_if_new presents - function creates new user without username/password, there is a dedicated endpoint to link username/password to federated account.

func (*Router) FinalizeTFA

func (ar *Router) FinalizeTFA() http.HandlerFunc

FinalizeTFA finalizes two-factor authentication.

func (*Router) HandleHello

func (ar *Router) HandleHello() http.HandlerFunc

HandleHello returns hello message.

func (*Router) HandlePing

func (ar *Router) HandlePing() http.HandlerFunc

HandlePing returns pong message.

func (*Router) IsLoggedIn

func (ar *Router) IsLoggedIn() http.HandlerFunc

IsLoggedIn is for checking whether user is logged in or not. In fact, all needed work is done in Token middleware. If we reached this code, user is logged in (presented valid and not blacklisted access token).

func (*Router) LoginWithPassword

func (ar *Router) LoginWithPassword() http.HandlerFunc

LoginWithPassword logs user in with username and password.

func (*Router) Logout

func (ar *Router) Logout() http.HandlerFunc

Logout logs user out and deactivates their tokens.

func (*Router) MustParseJSON

func (ar *Router) MustParseJSON(w http.ResponseWriter, r *http.Request, out interface{}) error

MustParseJSON parses request body json data to the `out` struct. If error happens, writes it to ResponseWriter.

func (*Router) OIDCConfiguration

func (ar *Router) OIDCConfiguration() http.HandlerFunc

OIDCConfiguration provides an OpenID Connect Discovery information (https://openid.net/specs/openid-connect-discovery-1_0.html). It should return RFC5785-compatible documentation (https://tools.ietf.org/html/rfc5785). This endpoint allows using Identifo as Federated identity provider. For example, AWS AppSync (https://docs.aws.amazon.com/appsync/latest/devguide/security.html#openid-connect-authorization).

func (*Router) OIDCJwks

func (ar *Router) OIDCJwks() http.HandlerFunc

OIDCJwks returns JSON Web Keys object. Identifo supports two algorithms for signing JSON Web Tokens (JWTs): RS256 and ES256. RS256 and ES256 generate an asymmetric signature, which means a private key must be used to sign the JWT, and a different public key must be used to verify the signature.

At the most basic level, the JWKS is a set of keys containing the public keys that should be used to verify any JWT issued by the authorization server. This endpoint exposes a JWKS endpoint for each tenant, which can be found at https://YOUR_IDENTIFO_DOMAIN/.well-known/jwks.json. Currently Identifo only supports a single JWK for signing, however it is important to assume this endpoint technically could contain multiple JWKs.

func (*Router) PhoneLogin

func (ar *Router) PhoneLogin() http.HandlerFunc

PhoneLogin authenticates user with phone number and verification code. If user exists - create new session and return token. If user does not exist - register and then login (create session and return token). If code is invalid - return error.

func (*Router) RefreshTokens

func (ar *Router) RefreshTokens() http.HandlerFunc

RefreshTokens issues new access and, if requsted, refresh token for provided refresh token. After new tokens are issued, the old refresh token gets invalidated (via blacklisting).

func (*Router) RegisterWithPassword

func (ar *Router) RegisterWithPassword() http.HandlerFunc

RegisterWithPassword registers new user with password.

func (*Router) RequestDisabledTFA

func (ar *Router) RequestDisabledTFA() http.HandlerFunc

RequestDisabledTFA requests link for disabling TFA.

func (ar *Router) RequestInviteLink() http.HandlerFunc

RequestInviteLink requests invite link. Invite link will be returned in response even if email is not specified.

func (*Router) RequestResetPassword

func (ar *Router) RequestResetPassword() http.HandlerFunc

RequestResetPassword requests password reset.

func (*Router) RequestTFAReset

func (ar *Router) RequestTFAReset() http.HandlerFunc

RequestTFAReset requests link for resetting TFA: deleting old shared secret and establishing the new one.

func (*Router) RequestVerificationCode

func (ar *Router) RequestVerificationCode() http.HandlerFunc

RequestVerificationCode requests SMS with verification code. To authenticate, user must have a valid phone number.

func (*Router) ServeAASAFile

func (ar *Router) ServeAASAFile() http.HandlerFunc

ServeAASAFile lets Apple servers download apple-app-site-association file.

func (*Router) ServeADDAFile

func (ar *Router) ServeADDAFile() http.HandlerFunc

ServeADDAFile lets Apple servers download apple-developer-domain-association.txt.

func (*Router) ServeHTTP

func (ar *Router) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP implements identifo.Router interface.

func (*Router) ServeJSON

func (ar *Router) ServeJSON(w http.ResponseWriter, status int, v interface{})

ServeJSON sends status code, headers and data and send it back to the user

func (*Router) SignatureHandler

func (ar *Router) SignatureHandler() negroni.HandlerFunc

SignatureHandler returns middleware that handles request signature. More info: https://identifo.madappgang.com/#ca6498ab-b3dc-4c1e-a5b0-2dd633831e2d.

func (*Router) Token

func (ar *Router) Token(tokenType string) negroni.HandlerFunc

Token middleware extracts token and validates it.

func (*Router) UpdateUser

func (ar *Router) UpdateUser() http.HandlerFunc

UpdateUser allows to change user login and password.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL