Documentation ¶
Index ¶
- func CreateNewAuthForUserGeneric(db *database.Connection, authSchemeName, authSchemeType string, ...) error
- func GenerateNonce() (string, error)
- type AShirtAuthBridge
- func (ah AShirtAuthBridge) AddScheduledEmail(emailAddress string, userID int64, emailTemplate string) error
- func (ah AShirtAuthBridge) CheckIfUserEmailTaken(email string, allowUserID int64, includeDeleted bool) (bool, error)
- func (ah AShirtAuthBridge) CreateNewAuthForUser(data UserAuthData) error
- func (ah AShirtAuthBridge) CreateNewUser(profile UserProfile) (*dtos.CreateUserOutput, error)
- func (ah AShirtAuthBridge) DeleteSession(w http.ResponseWriter, r *http.Request) error
- func (ah AShirtAuthBridge) FindUserAuth(username string) (UserAuthData, error)
- func (ah AShirtAuthBridge) FindUserAuthByContext(ctx context.Context) (UserAuthData, error)
- func (ah AShirtAuthBridge) FindUserAuthByUserID(userID int64) (UserAuthData, error)
- func (ah AShirtAuthBridge) FindUserAuthsByUserEmail(email string) ([]UserAuthData, error)
- func (ah AShirtAuthBridge) FindUserAuthsByUserEmailIncludeDeleted(email string) ([]UserAuthData, error)
- func (ah AShirtAuthBridge) FindUserAuthsByUserSlug(slug string) ([]UserAuthData, error)
- func (ah AShirtAuthBridge) FindUserByEmail(email string, includeDeleted bool) (models.User, error)
- func (ah AShirtAuthBridge) GetDatabase() *database.Connection
- func (ah AShirtAuthBridge) GetUserFromAuthnID(authnID string) (models.User, error)
- func (ah AShirtAuthBridge) GetUserFromID(userID int64) (models.User, error)
- func (ah AShirtAuthBridge) GetUserIDFromSlug(userSlug string) (int64, error)
- func (ah AShirtAuthBridge) IsAccountEnabled(userID int64) (bool, error)
- func (ah AShirtAuthBridge) IsUsernameTaken(username string, allowUserID int64) (bool, error)
- func (ah AShirtAuthBridge) LoginUser(w http.ResponseWriter, r *http.Request, userID int64, ...) error
- func (ah AShirtAuthBridge) OneTimeVerification(ctx context.Context, username string, expirationInMinutes int64) (int64, error)
- func (ah AShirtAuthBridge) ReadAuthSchemeSession(r *http.Request) interface{}
- func (ah AShirtAuthBridge) SetAuthSchemeSession(w http.ResponseWriter, r *http.Request, data interface{}) error
- func (ah AShirtAuthBridge) UpdateAuthForUser(data UserAuthData) error
- func (ah AShirtAuthBridge) ValidateLinkingInfo(username string, allowUserID int64) error
- func (ah AShirtAuthBridge) ValidateRegistrationInfo(email, username string) error
- type AuthScheme
- type UserAuthData
- type UserProfile
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CreateNewAuthForUserGeneric ¶
func CreateNewAuthForUserGeneric(db *database.Connection, authSchemeName, authSchemeType string, data UserAuthData) error
CreateNewAuthForUserGeneric provides a mechanism for non-auth providers to generate new authentications on behalf of auth providers. This is only intended for recovery.
Proper usage: authschemes.CreateNewAuthForUserGeneric(db, recoveryauth.constants.Code, authSchemeType, authschemes.UserAuthData{}). Note: you will need to provide your own database instance.
func GenerateNonce ¶
GenerateNonce creates a random base64 string. This is used to help prevent replay attacks. See: https://en.wikipedia.org/wiki/Cryptographic_nonce
Types ¶
type AShirtAuthBridge ¶
// AShirtAuthBridge bridges identity resolution (an AuthScheme) and persistent
// user/session management. Its fields are unexported and not shown on this page;
// construct it with MakeAuthBridge.
type AShirtAuthBridge struct {
	// contains filtered or unexported fields
}
AShirtAuthBridge provides a set of functionality that bridges the identity resolution (the AuthScheme) and persistent user/session management
func MakeAuthBridge ¶
func MakeAuthBridge(db *database.Connection, sessionStore *session.Store, authSchemeName, authSchemeType string) AShirtAuthBridge
MakeAuthBridge constructs and returns an AShirtAuthBridge: a set of functions to interact with the underlying AShirt authentication scheme.
func (AShirtAuthBridge) AddScheduledEmail ¶
func (ah AShirtAuthBridge) AddScheduledEmail(emailAddress string, userID int64, emailTemplate string) error
AddScheduledEmail creates a database entry for an outgoing email, for the given email address and related user_id
func (AShirtAuthBridge) CheckIfUserEmailTaken ¶
func (ah AShirtAuthBridge) CheckIfUserEmailTaken(email string, allowUserID int64, includeDeleted bool) (bool, error)
CheckIfUserEmailTaken attempts to find an account with the provided email. If found, returns true; otherwise returns false. Note that if the user found is the one whose ID matches allowUserID, then false is returned.
func (AShirtAuthBridge) CreateNewAuthForUser ¶
func (ah AShirtAuthBridge) CreateNewAuthForUser(data UserAuthData) error
CreateNewAuthForUser adds a new entry to the auth_scheme_data table for the given UserAuthData.
Returns nil if no error occurred, BadInputErr if the user account already exists, or DatabaseErr if any other issue occurs.
func (AShirtAuthBridge) CreateNewUser ¶
func (ah AShirtAuthBridge) CreateNewUser(profile UserProfile) (*dtos.CreateUserOutput, error)
CreateNewUser allows new users to be registered into the system, if they do not already exist. Note that slug must be unique
func (AShirtAuthBridge) DeleteSession ¶
func (ah AShirtAuthBridge) DeleteSession(w http.ResponseWriter, r *http.Request) error
DeleteSession removes a user's session. Useful in situations where authentication fails and we want to treat the user as not logged in.
func (AShirtAuthBridge) FindUserAuth ¶
func (ah AShirtAuthBridge) FindUserAuth(username string) (UserAuthData, error)
FindUserAuth retrieves the row (codified by UserAuthData) corresponding to the provided username and the auth scheme name provided from the caller.
Returns a fully populated UserAuthData object, or an error if no such row exists
func (AShirtAuthBridge) FindUserAuthByContext ¶
func (ah AShirtAuthBridge) FindUserAuthByContext(ctx context.Context) (UserAuthData, error)
FindUserAuthByContext acts as a proxy to calling FindUserAuthByUserID with the userID extracted from the provided context.
see FindUserAuthByUserID
func (AShirtAuthBridge) FindUserAuthByUserID ¶
func (ah AShirtAuthBridge) FindUserAuthByUserID(userID int64) (UserAuthData, error)
FindUserAuthByUserID retrieves the row (codified by UserAuthData) corresponding to the provided userID
Returns a fully populated UserAuthData object, or nil if no such row exists
func (AShirtAuthBridge) FindUserAuthsByUserEmail ¶
func (ah AShirtAuthBridge) FindUserAuthsByUserEmail(email string) ([]UserAuthData, error)
FindUserAuthsByUserEmail retrieves the rows (codified by UserAuthData) corresponding to the provided userEmail for NON-DELETED accounts. Note that a user may have multiple authentications based on a single email, so each of these records is returned.
See FindUserAuthsByUserEmailIncludeDeleted to retrieve all users irrespective of whether they have been deleted. Returns a fully populated UserAuthData object, or nil if no such row exists
func (AShirtAuthBridge) FindUserAuthsByUserEmailIncludeDeleted ¶
func (ah AShirtAuthBridge) FindUserAuthsByUserEmailIncludeDeleted(email string) ([]UserAuthData, error)
FindUserAuthsByUserEmailIncludeDeleted retrieves the rows (codified by UserAuthData) corresponding to the provided userEmail for ALL accounts, deleted or not. Note that a user may have multiple authentications based on a single email, so each of these records is returned.
Returns a fully populated UserAuthData object, or nil if no such row exists
func (AShirtAuthBridge) FindUserAuthsByUserSlug ¶
func (ah AShirtAuthBridge) FindUserAuthsByUserSlug(slug string) ([]UserAuthData, error)
FindUserAuthsByUserSlug retrieves the row (codified by UserAuthData) corresponding to the provided user slug and the auth scheme name provided from the caller.
Returns a fully populated UserAuthData object, or nil if no such row exists
func (AShirtAuthBridge) FindUserByEmail ¶
FindUserByEmail retrieves the user record associated with the specified email address. Returns the found record, or an error if no such record exists
func (AShirtAuthBridge) GetDatabase ¶
func (ah AShirtAuthBridge) GetDatabase() *database.Connection
GetDatabase provides raw access to the database. In general, this should not be used by authschemes, but is provided in situations where unique-access to the database is required.
func (AShirtAuthBridge) GetUserFromAuthnID ¶
func (ah AShirtAuthBridge) GetUserFromAuthnID(authnID string) (models.User, error)
func (AShirtAuthBridge) GetUserFromID ¶
func (ah AShirtAuthBridge) GetUserFromID(userID int64) (models.User, error)
func (AShirtAuthBridge) GetUserIDFromSlug ¶
func (ah AShirtAuthBridge) GetUserIDFromSlug(userSlug string) (int64, error)
GetUserIDFromSlug retrieves a userid from the provided user slug.
func (AShirtAuthBridge) IsAccountEnabled ¶
func (ah AShirtAuthBridge) IsAccountEnabled(userID int64) (bool, error)
IsAccountEnabled checks if the provided userid has an enabled account (specifically, it does not have the disabled flag set). Returns (false, err) if the account cannot be found or another database error occurred.
func (AShirtAuthBridge) IsUsernameTaken ¶
func (ah AShirtAuthBridge) IsUsernameTaken(username string, allowUserID int64) (bool, error)
func (AShirtAuthBridge) LoginUser ¶
func (ah AShirtAuthBridge) LoginUser(w http.ResponseWriter, r *http.Request, userID int64, authSchemeSessionData interface{}) error
LoginUser denotes that a user shall be logged in. In addition to the required userID, a user can also provide custom authscheme specific session data
func (AShirtAuthBridge) OneTimeVerification ¶
func (ah AShirtAuthBridge) OneTimeVerification(ctx context.Context, username string, expirationInMinutes int64) (int64, error)
OneTimeVerification looks for a matching record in the auth_scheme_data table with the following conditions: username matches && created_at is less than <expirationInMinutes> minutes old. If this record exists, then the record is deleted. If there is no error _either_ for the lookup OR the deletion, then (userID for the user, nil) is returned. At this point, the user has been validated and LoginUser can be called.
If an error occurs, _either_ the record does not exist, or some database issue prevented deletion; in either event, the user cannot be approved. In this case (0, <error>) will be returned.
func (AShirtAuthBridge) ReadAuthSchemeSession ¶
func (ah AShirtAuthBridge) ReadAuthSchemeSession(r *http.Request) interface{}
ReadAuthSchemeSession retrieves previously saved session data set by SetAuthSchemeSession
func (AShirtAuthBridge) SetAuthSchemeSession ¶
func (ah AShirtAuthBridge) SetAuthSchemeSession(w http.ResponseWriter, r *http.Request, data interface{}) error
SetAuthSchemeSession sets authscheme specific session data to the current user session. Session data should be a struct and registered with `gob.Register` in an init function of the authscheme
func (AShirtAuthBridge) UpdateAuthForUser ¶
func (ah AShirtAuthBridge) UpdateAuthForUser(data UserAuthData) error
UpdateAuthForUser updates a user's authentication password, and can flag whether the user needs to change their password on the next login.
func (AShirtAuthBridge) ValidateLinkingInfo ¶
func (ah AShirtAuthBridge) ValidateLinkingInfo(username string, allowUserID int64) error
ValidateLinkingInfo checks if the user is linking with an unused username (for the auth scheme). This is only intended for services that register locally and do not need to access another service.
Note: this will leak info back to the user, to help indicate how to correct their registration data. This should be less of an issue generally, as the user should have an idea of who else is using ashirt
func (AShirtAuthBridge) ValidateRegistrationInfo ¶
func (ah AShirtAuthBridge) ValidateRegistrationInfo(email, username string) error
ValidateRegistrationInfo checks if the user is registering with an unused email and an unused username (for the auth scheme). This is only intended for services that register locally and do not need to access another service
Note: this will leak info back to the user, to help indicate how to correct their registration data. TODO: should we actually specify why they can't register?
type AuthScheme ¶
// AuthScheme is the contract an authentication provider implements to plug into
// the AShirt backend. The package documentation describes the intent of
// BindRoutes, Name and FriendlyName; Flags is not documented on this page.
type AuthScheme interface {
	// BindRoutes registers the scheme's custom endpoints on a router that is
	// namespaced under /auth/{name}, where name comes from Name().
	BindRoutes(chi.Router, AShirtAuthBridge)
	// Name returns the identifier for this scheme; it must be distinct from
	// every other authentication scheme in the project.
	Name() string
	// FriendlyName returns a human-readable label for end users; it should,
	// but need not, differ from other schemes' friendly names.
	FriendlyName() string
	// Flags returns scheme flags. NOTE(review): the accepted values are not
	// documented here — confirm against the existing implementations.
	Flags() []string
	// Type provides a way to identify how a scheme works apart from its name. Currently this has two
	// "categories". First is "oidc", which is used for any generic OIDC provider. Second is the name
	// of the method (e.g. "local"), which is used when there's no real alternative to speak of.
	Type() string
}
AuthScheme provides a small interface for interacting with the AShirt backend authentication. The interface includes the following methods:
Name() string: This method shall return a string that identifies the authentication scheme being used. It shall be distinct from any other authentication system being used within this project.
FriendlyName() string: This method shall return a friendly version of the authentication that endusers will understand. It should, but is not strictly required, that the value be different from any other scheme. Likewise, it should be a "friendlier" version of Name(), though it need not be.
BindRoutes(router, authBridge): BindRoutes exposes a _namespaced_ router that the authentication system can use to register custom endpoints. Each router is prefixed with /auth/{name} (as determined by the Name() method)
type UserAuthData ¶
// UserAuthData is the per-user authentication record that the bridge reads from
// and writes to the auth_scheme_data table (see CreateNewAuthForUser). The db
// tags give the backing column names.
type UserAuthData struct {
	// UserID is the owning user's ID.
	UserID int64 `db:"user_id"`
	// AuthnID identifies the principal within the scheme. GetUserFromAuthnID
	// takes it as a string; the conversion from []byte is not visible here.
	AuthnID []byte `db:"authn_id"`
	// Username is the login name within this auth scheme.
	Username string `db:"username"`
	// EncryptedPassword holds the stored credential material. Whether it is a
	// password hash or reversible ciphertext is not visible here — confirm with
	// the scheme that writes it before relying on either property.
	EncryptedPassword []byte `db:"encrypted_password"`
	// NeedsPasswordReset flags that the user must change their password on the
	// next login (set via UpdateAuthForUser).
	NeedsPasswordReset bool `db:"must_reset_password"`
	// TOTPSecret is a pointer, presumably so a NULL column maps to nil — confirm.
	TOTPSecret *string `db:"totp_secret"`
	// JSONData carries scheme-specific data; presumably nullable (pointer) — confirm with callers.
	JSONData *string `db:"json_data"`
}
UserAuthData is a small structure capturing data relevant to a user for authentication purposes
type UserProfile ¶
UserProfile contains the necessary information to create a new user
func (UserProfile) ToCreateUserInput ¶
func (up UserProfile) ToCreateUserInput() services.CreateUserInput
ToCreateUserInput converts the given UserProfile into a more useful services.CreateUserInput