Documentation ¶
Overview ¶
Package server implements authentication for inbound HTTP requests on GAE. It provides adapters for GAE Users and OAuth2 APIs to make them usable by server/auth package.
It also provides GAE-specific implementation of some other interface used by server/auth package, such as SessionStore.
By defualt, gaeauth must have its handlers installed into the "default" AppEngine module, and must be running on an instance with read/write datastore access.
Index ¶
Constants ¶
const EmailScope = "https://www.googleapis.com/auth/userinfo.email"
EmailScope is a scope used to identifies user's email. Present in most tokens by default. Can be used as a base scope for authentication.
Variables ¶
var CookieAuth auth.Method
CookieAuth is default cookie-based auth method to use on GAE.
On dev server it is based on dev server cookies, in prod it is based on OpenID. Works only if appropriate handlers have been installed into the router. See InstallHandlers.
Functions ¶
func GetAuthDB ¶
GetAuthDB fetches AuthDB snapshot from the datastore and returns authdb.DB interface wrapping it.
It may reuse existing one (`prev`), if no changes were made. If `prev` is nil, always fetches a new copy from the datastore.
If auth_service URL is not configured, returns special kind of authdb.DB that implements some default authorization rules (allow everything on dev server, forbid everything and emit errors on real GAE).
func InstallHandlers ¶
func InstallHandlers(r *router.Router, base router.MiddlewareChain)
InstallHandlers installs HTTP handlers for various default routes related to authentication system.
Must be installed in server HTTP router for authentication to work.
Types ¶
type InboundAppIDAuthMethod ¶
type InboundAppIDAuthMethod struct{}
InboundAppIDAuthMethod implements auth.Method by checking special HTTP header (X-Appengine-Inbound-Appid), that is set iff one GAE app talks to another.
func (InboundAppIDAuthMethod) Authenticate ¶
func (m InboundAppIDAuthMethod) Authenticate(c context.Context, r *http.Request) (*auth.User, error)
Authenticate extracts peer's identity from the incoming request.
type OAuth2Method ¶
type OAuth2Method struct { // Scopes is a list of OAuth scopes to check when authenticating the token. Scopes []string }
OAuth2Method implements auth.Method on top of GAE OAuth2 API. It doesn't implement auth.UsersAPI.
func (*OAuth2Method) Authenticate ¶
Authenticate extracts peer's identity from the incoming request.
func (*OAuth2Method) GetUserCredentials ¶
func (m *OAuth2Method) GetUserCredentials(c context.Context, r *http.Request) (*oauth2.Token, error)
GetUserCredentials implements auth.UserCredentialsGetter.
type SessionStore ¶
type SessionStore struct {
Prefix string // used as prefix for datastore keys
}
SessionStore stores auth sessions in the datastore (always in the default namespace). It implements auth.SessionStore.
func (*SessionStore) CloseSession ¶
func (s *SessionStore) CloseSession(c context.Context, sessionID string) error
CloseSession closes a session given its ID. Does nothing if session is already closed or doesn't exist. Returns only transient errors.
func (*SessionStore) GetSession ¶
GetSession returns existing non-expired session given its ID. Returns nil if session doesn't exist, closed or expired. Returns only transient errors.
type UsersAPIAuthMethod ¶
type UsersAPIAuthMethod struct{}
UsersAPIAuthMethod implements auth.Method and auth.UsersAPI interfaces on top of GAE Users API (that uses HTTP cookies internally to track user sessions).
func (UsersAPIAuthMethod) Authenticate ¶
Authenticate extracts peer's identity from the incoming request.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package gaesigner implements signing.Signer interface using GAE App Identity API.
|
Package gaesigner implements signing.Signer interface using GAE App Identity API. |
internal
|
|
authdbimpl
Package authdbimpl implements datastore-based storage and update of AuthDB snapshots used for authorization decisions by server/auth/*.
|
Package authdbimpl implements datastore-based storage and update of AuthDB snapshots used for authorization decisions by server/auth/*. |