Documentation
Overview
Package auth implements authentication checks and storage.
Index
- func ExtractAccessToken(req *http.Request) (string, error)
- func GenerateAccessToken() (string, error)
- func LoginFromJSONReader(req *http.Request, useraccountAPI uapi.UserLoginAPI, ...) (*Login, LoginCleanupFunc, *util.JSONResponse)
- func VerifyUserFromRequest(req *http.Request, userAPI api.QueryAcccessTokenAPI) (*api.Device, *util.JSONResponse)
- type AccountDatabase
- type Authenticator
- type CallbackResult
- type Challenge
- type DeviceDatabase
- type GetAccountByPassword
- type Login
- type LoginCleanupFunc
- type LoginIdentifier
- type LoginTypeApplicationService
- type LoginTypePassword
- type LoginTypeToken
- type PasswordRequest
- type Type
- type UserIdentifier
- type UserInteractive
- func (u *UserInteractive) AddCompletedStage(sessionID, authType string)
- func (u *UserInteractive) IsSingleStageFlow(authType string) bool
- func (u *UserInteractive) NewSession() *util.JSONResponse
- func (u *UserInteractive) ResponseWithChallenge(sessionID string, response interface{}) *util.JSONResponse
- func (u *UserInteractive) Verify(ctx context.Context, bodyBytes []byte, device *api.Device) (*Login, *util.JSONResponse)
- type UserInternalAPIForLogin
Constants
This section is empty.
Variables
This section is empty.
Functions
func ExtractAccessToken
func ExtractAccessToken(req *http.Request) (string, error)
ExtractAccessToken extracts the access token from a request, or returns an error detailing what went wrong. The error message MUST be human-readable and comprehensible to the client.
func GenerateAccessToken
func GenerateAccessToken() (string, error)
GenerateAccessToken creates a new access token. It returns an error if it fails to generate random bytes.
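The two contracts above, written out as an added stand-alone example (this is not Dendrite's code; the package name, the two error variables and the header-over-query precedence rule are this example's own assumptions). GenerateAccessToken draws its bytes from crypto/rand and fails loudly rather than falling back to a weaker source; ExtractAccessToken accepts the Bearer header or the spec's deprecated access_token query parameter and returns only client-safe error text, as the doc comment requires.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Client-facing errors (constructed for this example). Their text is what the
// client sees, so it is kept human-readable and free of server internals.
var (
	ErrMissingToken  = errors.New("missing access token")
	ErrMalformedAuth = errors.New("invalid Authorization header: expected 'Bearer <token>'")
)

// GenerateAccessToken draws 32 bytes (256 bits) from crypto/rand, never
// math/rand, and encodes them URL-safe without padding so the token is safe
// in both a header and a query string. The only failure mode is the OS CSPRNG
// refusing to supply bytes, which is surfaced as an error, not a weaker token.
func GenerateAccessToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("generating access token: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ExtractAccessToken follows the documented contract: return the token, or an
// error whose message the client can act on. The Matrix client-server spec
// accepts the token as a Bearer Authorization header or, deprecated, as an
// access_token query parameter. The header takes precedence (assumption of
// this example), and an Authorization header that is present but not of the
// form "Bearer <token>" is rejected rather than silently ignored.
func ExtractAccessToken(req *http.Request) (string, error) {
	if h := req.Header.Get("Authorization"); h != "" {
		parts := strings.SplitN(h, " ", 2)
		if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
			return "", ErrMalformedAuth
		}
		tok := strings.TrimSpace(parts[1])
		if tok == "" {
			return "", ErrMalformedAuth
		}
		return tok, nil
	}
	if tok := req.URL.Query().Get("access_token"); tok != "" {
		return tok, nil
	}
	return "", ErrMissingToken
}

func main() {
	tok, err := GenerateAccessToken()
	if err != nil {
		panic(err)
	}
	// Constructed request: a whoami call carrying the freshly minted token.
	req, _ := http.NewRequest(http.MethodGet, "https://homeserver.example/_matrix/client/r0/account/whoami", nil)
	req.Header.Set("Authorization", "Bearer "+tok)
	got, err := ExtractAccessToken(req)
	fmt.Println(got == tok, err) // true <nil>
}
```

A 32-byte token encodes to 43 characters; treating "Bearer" with nothing after it as malformed, instead of falling through to the query string, keeps a half-formed header from being quietly accepted under a different credential.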
func LoginFromJSONReader
func LoginFromJSONReader(
	req *http.Request,
	useraccountAPI uapi.UserLoginAPI,
	userAPI UserInternalAPIForLogin,
	cfg *config.ClientAPI,
) (*Login, LoginCleanupFunc, *util.JSONResponse)
LoginFromJSONReader performs authentication given a login request body reader and some context. It returns the basic login information and a cleanup function to be called after authorization has completed, with the result of the authorization. If the final return value is non-nil, an error occurred and the cleanup function is nil.
func VerifyUserFromRequest
func VerifyUserFromRequest(
	req *http.Request,
	userAPI api.QueryAcccessTokenAPI,
) (*api.Device, *util.JSONResponse)
VerifyUserFromRequest authenticates the HTTP request and, on success, returns the Device of the requester. It finds either a local user or an application service user. Note: for an AS user, the AS dummy device is returned. On failure it returns a JSON error response which can be sent to the client.
Types
type AccountDatabase
type AccountDatabase interface {
	// Look up the account matching the given localpart.
	GetAccountByLocalpart(ctx context.Context, localpart string) (*api.Account, error)
	GetAccountByPassword(ctx context.Context, localpart, password string) (*api.Account, error)
}
AccountDatabase represents an account database.
type Authenticator (added in v0.2.1)
type Authenticator struct {
	// contains filtered or unexported fields
}
An Authenticator keeps a set of identity providers and dispatches calls to one of them, based on configured ID.
func NewAuthenticator (added in v0.2.1)
func NewAuthenticator(cfg *config.LoginSSO) *Authenticator
func (*Authenticator) AuthorizationURL (added in v0.2.1)
func (*Authenticator) ProcessCallback (added in v0.2.1)
func (auth *Authenticator) ProcessCallback(ctx context.Context, providerID, callbackURL, nonce string, query url.Values) (*CallbackResult, error)
type CallbackResult (added in v0.2.1)
type CallbackResult struct {
	RedirectURL     string
	Identifier      UserIdentifier
	DisplayName     string
	SuggestedUserID string
}
type DeviceDatabase
type DeviceDatabase interface {
	// Look up the device matching the given access token.
	GetDeviceByAccessToken(ctx context.Context, token string) (*api.Device, error)
}
DeviceDatabase represents a device database.
type GetAccountByPassword
type GetAccountByPassword func(ctx context.Context, req *api.QueryAccountByPasswordRequest, res *api.QueryAccountByPasswordResponse) error
type Login
type Login struct {
	LoginIdentifier // Flat fields deprecated in favour of `identifier`.
	Identifier LoginIdentifier `json:"identifier"`
	// Both DeviceID and InitialDisplayName can be omitted, or empty strings ("")
	// Thus a pointer is needed to differentiate between the two
	InitialDisplayName *string `json:"initial_device_display_name"`
	DeviceID           *string `json:"device_id"`
}
Login represents the shared fields used in all forms of login/sudo endpoints.
func (*Login) ThirdPartyID
ThirdPartyID returns the 3PID medium and address for this login, if it exists.
type LoginCleanupFunc
type LoginCleanupFunc func(context.Context, *util.JSONResponse)
type LoginIdentifier
type LoginIdentifier struct {
	Type string `json:"type"`
	// when type = m.id.user or m.id.application_service
	User string `json:"user"`
	// when type = m.id.thirdparty
	Medium  string `json:"medium"`
	Address string `json:"address"`
}
LoginIdentifier represents identifier types https://matrix.org/docs/spec/client_server/r0.6.1#identifier-types
type LoginTypeApplicationService
LoginTypeApplicationService describes how to authenticate as an application service.
func (*LoginTypeApplicationService) LoginFromJSON
func (t *LoginTypeApplicationService) LoginFromJSON(
	ctx context.Context,
	reqBytes []byte,
) (*Login, LoginCleanupFunc, *util.JSONResponse)
LoginFromJSON implements Type.
func (*LoginTypeApplicationService) Name
func (t *LoginTypeApplicationService) Name() string
Name implements Type.
type LoginTypePassword
type LoginTypePassword struct {
	GetAccountByPassword GetAccountByPassword
	Config               *config.ClientAPI
}
LoginTypePassword implements https://matrix.org/docs/spec/client_server/r0.6.1#password-based
func (*LoginTypePassword) Login
func (t *LoginTypePassword) Login(ctx context.Context, req interface{}) (*Login, *util.JSONResponse)
func (*LoginTypePassword) LoginFromJSON
func (t *LoginTypePassword) LoginFromJSON(ctx context.Context, reqBytes []byte) (*Login, LoginCleanupFunc, *util.JSONResponse)
func (*LoginTypePassword) Name
func (t *LoginTypePassword) Name() string
type LoginTypeToken
type LoginTypeToken struct {
	UserAPI uapi.LoginTokenInternalAPI
	Config  *config.ClientAPI
}
LoginTypeToken describes how to authenticate with a login token.
func (*LoginTypeToken) LoginFromJSON
func (t *LoginTypeToken) LoginFromJSON(ctx context.Context, reqBytes []byte) (*Login, LoginCleanupFunc, *util.JSONResponse)
LoginFromJSON implements Type. The cleanup function deletes the token from the database on success.
type PasswordRequest
type Type
type Type interface {
	// Name returns the name of the auth type e.g `m.login.password`
	Name() string
	// Login with the auth type, returning an error response on failure.
	// Not all types support login, only m.login.password and m.login.token
	// See https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-login
	// This function will be called when doing login and when doing 'sudo' style
	// actions e.g deleting devices. The response must be a 401 as per:
	// "If the homeserver decides that an attempt on a stage was unsuccessful, but the
	// client may make a second attempt, it returns the same HTTP status 401 response as above,
	// with the addition of the standard errcode and error fields describing the error."
	//
	// The returned cleanup function must be non-nil on success, and will be called after
	// authorization has been completed. Its argument is the final result of authorization.
	LoginFromJSON(ctx context.Context, reqBytes []byte) (login *Login, cleanup LoginCleanupFunc, errRes *util.JSONResponse)
}
Type represents an auth type https://matrix.org/docs/spec/client_server/r0.6.1#authentication-types
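An added example (not Dendrite's code) of the Type contract above together with the LoginFromJSONReader and LoginTypeToken behaviour described earlier: two constructed Type implementations and a dispatcher that reads the `type` field, delegates, and enforces "error response means nil cleanup, success means non-nil cleanup". JSONResponse, MatrixError, errResp, passwordType, tokenType, loginFromJSON and the in-memory user and token tables are this example's own stand-ins for the util.JSONResponse type, the account database and the user API.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"net/http"
)

// JSONResponse stands in for util.JSONResponse: an HTTP status plus a JSON body.
type JSONResponse struct {
	Code int
	JSON interface{}
}

// MatrixError is the standard errcode/error body from the spec.
type MatrixError struct {
	ErrCode string `json:"errcode"`
	Message string `json:"error"`
}

func errResp(code int, errcode, msg string) *JSONResponse {
	return &JSONResponse{Code: code, JSON: MatrixError{ErrCode: errcode, Message: msg}}
}

// Login and LoginCleanupFunc are trimmed versions of the page's types.
type Login struct{ Type, User string }
type LoginCleanupFunc func(context.Context, *JSONResponse)

// Type mirrors the interface documented above.
type Type interface {
	Name() string
	LoginFromJSON(ctx context.Context, reqBytes []byte) (*Login, LoginCleanupFunc, *JSONResponse)
}

// passwordType is a constructed m.login.password backed by a fixed in-memory
// table; a real implementation verifies against a stored password hash.
type passwordType struct{ users map[string]string }

func (passwordType) Name() string { return "m.login.password" }

func (p passwordType) LoginFromJSON(_ context.Context, body []byte) (*Login, LoginCleanupFunc, *JSONResponse) {
	var r struct{ User, Password string }
	if json.Unmarshal(body, &r) != nil || r.User == "" {
		return nil, nil, errResp(http.StatusBadRequest, "M_BAD_JSON", "Missing user or password")
	}
	// Same response for unknown user and wrong password, compared in constant
	// time; 401 plus errcode/error is what the page's contract asks for.
	want, ok := p.users[r.User]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(r.Password)) != 1 {
		return nil, nil, errResp(http.StatusUnauthorized, "M_FORBIDDEN", "Invalid username or password")
	}
	// Nothing to clean up after a password login, but the contract requires non-nil.
	return &Login{Type: p.Name(), User: r.User}, func(context.Context, *JSONResponse) {}, nil
}

// tokenType is a constructed m.login.token. The token is single-use, but the cleanup
// only consumes it if the whole request succeeded, so a later handler failure does not burn it.
type tokenType struct{ tokens map[string]string } // token -> user ID

func (tokenType) Name() string { return "m.login.token" }

func (t tokenType) LoginFromJSON(_ context.Context, body []byte) (*Login, LoginCleanupFunc, *JSONResponse) {
	var r struct{ Token string }
	if json.Unmarshal(body, &r) != nil || r.Token == "" {
		return nil, nil, errResp(http.StatusBadRequest, "M_BAD_JSON", "Missing token")
	}
	user, ok := t.tokens[r.Token]
	if !ok {
		return nil, nil, errResp(http.StatusUnauthorized, "M_FORBIDDEN", "Invalid login token")
	}
	cleanup := func(_ context.Context, final *JSONResponse) {
		if final != nil && final.Code/100 == 2 {
			delete(t.tokens, r.Token)
		}
	}
	return &Login{Type: t.Name(), User: user}, cleanup, nil
}

// loginFromJSON plays the role of LoginFromJSONReader: read the "type" field, dispatch to
// the registered Type, and enforce the page's invariant that an error response comes with
// a nil cleanup and success with a non-nil one.
func loginFromJSON(ctx context.Context, types map[string]Type, body []byte) (*Login, LoginCleanupFunc, *JSONResponse) {
	var hdr struct{ Type string }
	if json.Unmarshal(body, &hdr) != nil {
		return nil, nil, errResp(http.StatusBadRequest, "M_BAD_JSON", "Request body is not valid JSON")
	}
	t, ok := types[hdr.Type]
	if !ok {
		return nil, nil, errResp(http.StatusBadRequest, "M_UNRECOGNIZED", "Unsupported login type")
	}
	login, cleanup, errRes := t.LoginFromJSON(ctx, body)
	if errRes != nil {
		return nil, nil, errRes
	}
	if cleanup == nil { // a Type that breaks the contract must not look like a success
		return nil, nil, errResp(http.StatusInternalServerError, "M_UNKNOWN", "Internal server error")
	}
	return login, cleanup, nil
}
```

The handler that calls loginFromJSON is expected to invoke the returned cleanup with its final response; for the token type that is the moment the one-time token is deleted, which is why the deletion is keyed on a 2xx final result rather than on the login step alone.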
type UserIdentifier (added in v0.2.1)
type UserIdentifier struct {
	Issuer, Subject string
}
type UserInteractive
type UserInteractive struct {
	sync.RWMutex
	Flows []userInteractiveFlow
	// Map of login type to implementation
	Types map[string]Type
	// Map of session ID to completed login types, will need to be extended in future
	Sessions map[string][]string
}
UserInteractive checks that the user is who they claim to be, via a UI auth. This is used for things like device deletion and password reset where the user already has a valid access token, but we want to double-check that it isn't stolen by re-authenticating them.
func NewUserInteractive
func NewUserInteractive(userAccountAPI api.UserLoginAPI, cfg *config.ClientAPI) *UserInteractive
func (*UserInteractive) AddCompletedStage
func (u *UserInteractive) AddCompletedStage(sessionID, authType string)
func (*UserInteractive) IsSingleStageFlow
func (u *UserInteractive) IsSingleStageFlow(authType string) bool
func (*UserInteractive) NewSession
func (u *UserInteractive) NewSession() *util.JSONResponse
NewSession returns a challenge with a new session ID and remembers the session ID.
func (*UserInteractive) ResponseWithChallenge
func (u *UserInteractive) ResponseWithChallenge(sessionID string, response interface{}) *util.JSONResponse
ResponseWithChallenge mixes together a JSON body (e.g. an error with errcode/message) with the standard challenge response.
func (*UserInteractive) Verify
func (u *UserInteractive) Verify(ctx context.Context, bodyBytes []byte, device *api.Device) (*Login, *util.JSONResponse)
Verify returns an error/challenge response to send to the client, or nil if the user is authenticated. `bodyBytes` is the HTTP request body, which must contain an `auth` key. It also returns the login that was verified, for additional checks if required.
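The user-interactive auth loop described by UserInteractive, NewSession, ResponseWithChallenge and Verify, as an added example that is not Dendrite's code. It simplifies the page's signatures (Verify takes no device and returns only the response, a plain function per stage stands in for Type, and Sessions is a set of completed stages rather than a slice); JSONResponse, Flow, the hex session ID and the M_FORBIDDEN body are this example's own choices. The security-relevant points it shows are that only server-issued session IDs are honoured, that a failed stage re-issues the challenge with the error merged in, and that a session is consumed once a flow is satisfied.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"sync"
)

// JSONResponse stands in for util.JSONResponse.
type JSONResponse struct {
	Code int
	JSON interface{}
}

// Flow is one acceptable sequence of stages (the page's unexported userInteractiveFlow).
type Flow struct{ Stages []string `json:"stages"` }

// UserInteractive mirrors the page's struct; a func per stage stands in for Type.
type UserInteractive struct {
	sync.RWMutex
	Flows    []Flow
	Types    map[string]func(ctx context.Context, auth json.RawMessage) bool
	Sessions map[string]map[string]bool // server-issued session ID -> completed stages (caller initialises)
}

// NewSession issues a challenge carrying a fresh, unguessable session ID and records it.
func (u *UserInteractive) NewSession() *JSONResponse {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure: there is no safe fallback
	}
	id := hex.EncodeToString(b)
	u.Lock()
	u.Sessions[id] = map[string]bool{}
	u.Unlock()
	return u.ResponseWithChallenge(id, nil)
}

// flowSatisfied reports whether the completed stages cover every stage of some flow.
func (u *UserInteractive) flowSatisfied(done map[string]bool) bool {
	for _, f := range u.Flows {
		complete := true
		for _, st := range f.Stages {
			complete = complete && done[st]
		}
		if complete {
			return true
		}
	}
	return false
}

// ResponseWithChallenge merges an arbitrary JSON body (e.g. errcode/error) with the challenge fields.
func (u *UserInteractive) ResponseWithChallenge(sessionID string, response interface{}) *JSONResponse {
	body := map[string]interface{}{}
	if response != nil {
		raw, _ := json.Marshal(response)
		_ = json.Unmarshal(raw, &body) // Unmarshal into an existing map adds keys
	}
	u.RLock()
	completed := []string{}
	for st := range u.Sessions[sessionID] {
		completed = append(completed, st)
	}
	body["completed"], body["flows"], body["session"] = completed, u.Flows, sessionID
	u.RUnlock()
	return &JSONResponse{Code: http.StatusUnauthorized, JSON: body}
}

// Verify returns nil once some flow is fully satisfied, otherwise the 401 challenge or error
// to send back. Only server-issued session IDs are honoured, and a satisfied session is consumed.
func (u *UserInteractive) Verify(ctx context.Context, bodyBytes []byte) *JSONResponse {
	var body struct{ Auth json.RawMessage `json:"auth"` }
	var hdr struct{ Session, Type string }
	if json.Unmarshal(bodyBytes, &body) != nil || json.Unmarshal(body.Auth, &hdr) != nil || hdr.Session == "" {
		return u.NewSession() // no usable auth dict: start from scratch
	}
	u.RLock()
	done, known := u.Sessions[hdr.Session]
	u.RUnlock()
	if !known {
		return u.NewSession() // client-chosen session IDs are never trusted
	}
	if verify, ok := u.Types[hdr.Type]; !ok || !verify(ctx, body.Auth) {
		return u.ResponseWithChallenge(hdr.Session, map[string]string{"errcode": "M_FORBIDDEN", "error": "Authentication failed"})
	}
	u.Lock()
	done[hdr.Type] = true // the page's AddCompletedStage
	satisfied := u.flowSatisfied(done)
	if satisfied {
		delete(u.Sessions, hdr.Session)
	}
	u.Unlock()
	if !satisfied {
		return u.ResponseWithChallenge(hdr.Session, nil) // 401 showing progress so far
	}
	return nil
}
```

Because the session map is mutated under the write lock and ResponseWithChallenge takes the read lock, Verify releases the write lock before building the challenge; holding both on a sync.RWMutex would deadlock.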
type UserInternalAPIForLogin
type UserInternalAPIForLogin interface {
	uapi.LoginTokenInternalAPI
}
UserInternalAPIForLogin contains the aspects of UserAPI required for logging in.