Documentation ¶
Index ¶
- Constants
- Variables
- type PhantomTokenExchange
- type PhantomTokenOption
- func WithAppRoot(appRoot string) PhantomTokenOption
- func WithClientCredentials(clientID, clientSecret string) PhantomTokenOption
- func WithCookieName(name string) PhantomTokenOption
- func WithInsecureSkipVerify() PhantomTokenOption
- func WithLogger(logger *slog.Logger) PhantomTokenOption
- func WithLoginLogoutEndpoints(loginEndpoint, logoutEndpoint string) PhantomTokenOption
- func WithRandomKey() PhantomTokenOption
- func WithSecretKey(key []byte) PhantomTokenOption
Constants ¶
const (
	NONE       tokenState = 0
	REFRESHING tokenState = 1
	ACTIVE     tokenState = 2
)
Variables ¶
var ErrNoSuchSession error = errors.New("no such session")
var ErrNoToken error = errors.New("session has no token")
var ErrRefreshTokenExpired error = errors.New("refresh token expired")
Functions ¶
This section is empty.
Types ¶
type PhantomTokenExchange ¶
type PhantomTokenExchange interface {
	Middleware(http.Handler) http.Handler
	InstallHandlers(r *http.ServeMux)
	Connect(ctx context.Context, issuerURL string) error
	Shutdown()
}
PhantomTokenExchange handles the login and logout flows against an OAuth2/OIDC-compatible token server, creates an internal session, and automatically injects the user's access token into requests based on the session id stored in the user's browser. The goal of the phantom token approach is to keep the token in the backend and reduce the exposure of sensitive data to the frontend: the browser holds only the (encrypted) session id in a cookie, never the access token itself.
func NewPhantomTokenExchange ¶
func NewPhantomTokenExchange(opts ...PhantomTokenOption) (PhantomTokenExchange, error)
NewPhantomTokenExchange constructs and returns a new exchange configured according to the supplied options.
type PhantomTokenOption ¶
type PhantomTokenOption func(*phantomTokens)
func WithAppRoot ¶
func WithAppRoot(appRoot string) PhantomTokenOption
WithAppRoot sets the fully qualified domain name, port and base path at which this service is exposed. If the scheme is http and the host is localhost, this option also turns off domain locking for the session cookie (see WithCookieName); this is needed because browsers only accept a __Host- prefixed cookie when it is set with the Secure attribute from a secure (HTTPS) origin.
func WithClientCredentials ¶
func WithClientCredentials(clientID, clientSecret string) PhantomTokenOption
WithClientCredentials configures the client ID and client secret used when talking to the token server.
func WithCookieName ¶
func WithCookieName(name string) PhantomTokenOption
WithCookieName allows the service backend to specify a custom name for the session cookie created in the browser. The name is automatically prefixed with __Host- to create a "domain locked" cookie. Browsers honour the __Host- prefix only if the cookie is set with the Secure attribute from a secure origin, has Path=/ and carries no Domain attribute, so such a cookie cannot be planted by a sibling subdomain or over plain HTTP. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#__host-
func WithInsecureSkipVerify ¶
func WithInsecureSkipVerify() PhantomTokenOption
WithInsecureSkipVerify allows for easier testing in environments with self-signed certificates by disabling certificate verification when talking to the token server. Enabling this causes a WARNING in the logs for each request to the token server. DO NOT put this into production: without verification the client credentials and tokens can be captured by anyone who can interpose on the connection to the token server.
func WithLogger ¶
func WithLogger(logger *slog.Logger) PhantomTokenOption
WithLogger allows the injection of a custom structured logger into the exchange.
func WithLoginLogoutEndpoints ¶
func WithLoginLogoutEndpoints(loginEndpoint, logoutEndpoint string) PhantomTokenOption
WithLoginLogoutEndpoints allows overriding the default /login and /logout endpoints.
func WithRandomKey ¶
func WithRandomKey() PhantomTokenOption
WithRandomKey generates a random 32-byte key to be used for AES-256 encryption of the cookie contents. Because such a key exists only in the running process, cookies it issues cannot be decrypted by another instance or after a restart; use WithSecretKey where sessions must survive either.
func WithSecretKey ¶
func WithSecretKey(key []byte) PhantomTokenOption
WithSecretKey specifies the key to use for AES-256 encryption of the cookie contents. NOTE: the key must be exactly 32 bytes long, otherwise this option panics.
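The cookie handling that WithCookieName, WithRandomKey, WithSecretKey and the localhost rule of WithAppRoot describe can be illustrated with a stand-alone Go example. This is added illustrative code, not the library's own implementation: the names NewRandomKey, newCookieCipher and SessionCookie, the choice of AES-GCM as the AES-256 mode, the base64url encoding and the cookie attributes are this example's assumptions, not documented behaviour of the package. It shows why the key length matters (aes.NewCipher would quietly give AES-128 or AES-192 for a shorter key), what an authenticated cookie value looks like, and which attributes a __Host- cookie must carry to be accepted by a browser.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ErrBadKeyLength is returned (rather than panicking) for keys that are not 32 bytes.
var ErrBadKeyLength = errors.New("cookie key must be exactly 32 bytes (AES-256)")

// NewRandomKey returns a fresh 32-byte key from crypto/rand.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// cookieCipher holds the AES-256-GCM AEAD used to seal cookie contents.
type cookieCipher struct{ aead cipher.AEAD }

// newCookieCipher enforces the 32-byte rule explicitly: aes.NewCipher would silently
// accept 16- or 24-byte keys and give AES-128/AES-192 instead of AES-256.
func newCookieCipher(key []byte) (*cookieCipher, error) {
	if len(key) != 32 {
		return nil, ErrBadKeyLength
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &cookieCipher{aead: aead}, nil
}

// Seal encrypts and authenticates the session id; the random nonce is prepended so
// the same session id never yields the same cookie value twice.
func (c *cookieCipher) Seal(sessionID string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, []byte(sessionID), nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal; a modified or forged value fails the GCM tag check.
func (c *cookieCipher) Open(value string) (string, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(sealed) < ns {
		return "", errors.New("cookie value too short")
	}
	plain, err := c.aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// SessionCookie builds the browser cookie for a sealed session id. For an https app
// root the name gets the __Host- prefix, which browsers honour only when the cookie is
// Secure, has Path=/ and carries no Domain attribute. For http://localhost the prefix
// and Secure are dropped so local development works (this example's own localhost rule,
// modelled on the one described for WithAppRoot).
func SessionCookie(appRoot, name, sealedValue string) (*http.Cookie, error) {
	u, err := url.Parse(appRoot)
	if err != nil {
		return nil, err
	}
	ck := &http.Cookie{Name: name, Value: sealedValue, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode}
	if u.Scheme == "http" && u.Hostname() == "localhost" {
		return ck, nil
	}
	ck.Name = "__Host-" + name
	ck.Secure = true
	return ck, nil
}

func main() {
	key, _ := NewRandomKey()
	cc, _ := newCookieCipher(key)
	sealed, _ := cc.Seal("session-42") // constructed sample session id
	ck, _ := SessionCookie("https://app.example.com:8443/base", "session", sealed)
	fmt.Println(ck.String())
}
```

SameSite=Lax is used rather than Strict so the cookie is still sent on the top-level redirect back from the token server after login; HttpOnly keeps the sealed value away from page scripts, which matters because the value is the only thing a browser holds in the phantom token model.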