auth

Documentation

Overview

Package auth provides authentication and authorization support. Authentication: You are who you say you are. Authorization: You have permission to do what you are requesting to do.

Index

• Constants
• Variables
• type Auth
  • func New(cfg Config) (*Auth, error)
  • func (a *Auth) Authenticate(ctx context.Context, bearerToken string) (Claims, error)
  • func (a *Auth) Authorize(ctx context.Context, claims Claims, userID uuid.UUID, rule string) error
  • func (a *Auth) GenerateToken(kid string, claims Claims) (string, error)
  • func (a *Auth) Issuer() string
• type Claims
• type Config
• type KeyLookup

Constants

const (
	RuleAuthenticate   = "auth"
	RuleAny            = "rule_any"
	RuleAdminOnly      = "rule_admin_only"
	RuleUserOnly       = "rule_user_only"
	RuleAdminOrSubject = "rule_admin_or_subject"
)

These are the current set of rules we have for auth.

Variables

var ErrForbidden = errors.New("attempted action is not allowed")

ErrForbidden is returned when a auth issue is identified.

Types

type Auth

type Auth struct {
	// contains filtered or unexported fields
}

Auth is used to authenticate clients. It can generate a token for a set of user claims and recreate the claims by parsing the token.

func New

func New(cfg Config) (*Auth, error)

New creates an Auth to support authentication/authorization.

func (*Auth) Authenticate

func (a *Auth) Authenticate(ctx context.Context, bearerToken string) (Claims, error)

Authenticate processes the token to validate the sender's token is valid.

func (*Auth) Authorize

func (a *Auth) Authorize(ctx context.Context, claims Claims, userID uuid.UUID, rule string) error

Authorize attempts to authorize the user with the provided input roles, if none of the input roles are within the user's claims, we return an error otherwise the user is authorized.

func (*Auth) GenerateToken

func (a *Auth) GenerateToken(kid string, claims Claims) (string, error)

GenerateToken generates a signed JWT token string representing the user Claims.

func (*Auth) Issuer

func (a *Auth) Issuer() string

Issuer provides the configured issuer used to authenticate tokens.

type Claims

type Claims struct {
	jwt.RegisteredClaims
	Roles []string `json:"roles"`
}

Claims represents the authorization claims transmitted via a JWT.

type Config

type Config struct {
	Log       *logger.Logger
	DB        *sqlx.DB
	KeyLookup KeyLookup
	Issuer    string
}

Config represents information required to initialize auth.

type KeyLookup

type KeyLookup interface {
	PrivateKey(kid string) (key string, err error)
	PublicKey(kid string) (key string, err error)
}

KeyLookup declares a method set of behavior for looking up private and public keys for JWT use. The return could be a PEM encoded string or a JWS based key.