Documentation ¶
Overview ¶
Middleware that translates tokens transparently. It can be used as a session.
Usage scenario: After user authentication, some user identity data is generated and encoded as a token (the so-called "real token"), such as a JWT or just plain JSON.
This token is then set in a header of the response.
When the middleware receives such a header, it creates a reference (opaque) token that maps to the real one, stores both in a kv store, and returns the ref token to the client in a header (or cookie) instead of the real one.
In the reverse direction, when the middleware receives such a reference token, it translates it back to the real one transparently. Later handlers can therefore use this header as the user identity directly.
Some extra benefits:
- Handlers can identify a user in the same way, whether the request is sent from a web page using a cookie or from an API request.
- Logout is trivial since tokens are stored server-side.
The idea is from https://www.slideshare.net/opencredo/authentication-in-microservice-systems-david-borsos2
Index ¶
- Constants
- func RegistKVStoreCreator(name string, creator func(*url.URL) (KVStore, error))
- type KVStore
- type Option
- func DefaultRules() Option
- func FallbackHandler(fallbackHandler jimu.FallbackHandler) Option
- func LoggerGetter(loggerGetter jimu.LoggerGetter) Option
- func LogoutHeaderName(headerName string) Option
- func Real2RefRule(realTokenHeaderName string, refTokenSetter RefTokenSetter) Option
- func Ref2RealRule(refTokenGetter RefTokenGetter, realTokenHeaderName string) Option
- func Store(storeURL string) Option
- func TTL(ttl int) Option
- func TTLHeaderName(headerName string) Option
- func TokenLength(l int) Option
- type RefTokenGetter
- type RefTokenManager
- type RefTokenSetter
Constants ¶
const (
	DefaultTokenLength = 32
	DefaultTTL         = 3600 * 3

	// These are some default internal header names.
	DefaultTTLHeaderName    = "Reftoken-TTL"
	DefaultLogoutHeaderName = "Reftoken-Logout"
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type KVStore ¶
type KVStore interface {
	// Set multiple key/value pairs with ttl. Empty values should be ignored.
	Set(kvs map[string]string, ttl int) error
	// Get values of keys. NOTE: the returned slice must
	// have the same size as ks. If a key is not found,
	// "" should be returned.
	Get(ks []string) ([]string, error)
	// Delete keys.
	Del(ks []string) error
}
KVStore stores key/value pairs.
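A minimal store written against the KVStore contract above, as an added example (not code from this package); `memStore`, `entry` and the sample tokens are hypothetical. It shows the parts of the contract a custom store most easily gets wrong: skipping empty values, positional `Get` results, and treating expired entries as missing.

```go
package main

import (
	"fmt"
	"time"
)

type entry struct {
	val string
	exp time.Time
}

// memStore is a hypothetical in-memory store following the KVStore contract.
// It is not goroutine-safe; a store used behind net/http needs locking.
type memStore map[string]entry

func (s memStore) Set(kvs map[string]string, ttl int) error {
	exp := time.Now().Add(time.Duration(ttl) * time.Second)
	for k, v := range kvs {
		if v != "" { // contract: empty values are ignored
			s[k] = entry{v, exp}
		}
	}
	return nil
}

func (s memStore) Get(ks []string) ([]string, error) {
	out := make([]string, len(ks)) // contract: len(out) == len(ks), "" if missing
	for i, k := range ks {
		if e, ok := s[k]; ok && time.Now().Before(e.exp) { // expired reads as missing
			out[i] = e.val
		}
	}
	return out, nil
}

func (s memStore) Del(ks []string) error {
	for _, k := range ks {
		delete(s, k)
	}
	return nil
}

func main() {
	s := memStore{}
	s.Set(map[string]string{"ref-A": `{"uid":"42"}`, "ref-B": ""}, 3600*3) // constructed tokens
	fmt.Println(s.Get([]string{"ref-A", "ref-B", "nope"}))
}
```

A store that returns a shorter slice from `Get`, or that ignores `ttl`, would misalign lookups or keep sessions alive after they should have expired.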
func NewKVStore ¶
NewKVStore creates a new kv store from url.
type Option ¶
type Option func(*RefTokenManager) error
Option is the option of RefTokenManager.
func DefaultRules ¶
func DefaultRules() Option
DefaultRules adds some default rules for convenience:
(external) "Reftoken-Ref-Token" -> (internal) "Reftoken-Real-Token"
(external) cookie "reftoken" -> (internal) "Reftoken-Real-Token"
(internal) "Reftoken-Set" -> (external) "Reftoken-Ref-Token"
(internal) "Reftoken-Set-Cookie" -> (external) cookie "reftoken"
Thus, whether the reftoken comes from a web page request (in a cookie) or an API request (in a header), handlers can use "Reftoken-Real-Token" to get authentication information.
func FallbackHandler ¶
func FallbackHandler(fallbackHandler jimu.FallbackHandler) Option
FallbackHandler sets the FallbackHandler for RefTokenManager.
func LoggerGetter ¶
func LoggerGetter(loggerGetter jimu.LoggerGetter) Option
LoggerGetter sets the logger getter for RefTokenManager (required).
func LogoutHeaderName ¶
LogoutHeaderName sets the name of the response header used to remove the kv.
func Real2RefRule ¶
func Real2RefRule(realTokenHeaderName string, refTokenSetter RefTokenSetter) Option
Real2RefRule adds a rule specifying how to map an (internal) real token to an (external) ref token. (At least one is required.)
func Ref2RealRule ¶
func Ref2RealRule(refTokenGetter RefTokenGetter, realTokenHeaderName string) Option
Ref2RealRule adds a rule specifying how to map an (external) ref token to an (internal) real token. (At least one is required.)
func TTLHeaderName ¶
TTLHeaderName sets the name of the response header used to specify the ttl for the kv.
func TokenLength ¶
TokenLength sets the ref token's length (before base64 encoding).
type RefTokenGetter ¶
RefTokenGetter gets the refToken from a request.
func MustCookieGetter ¶
func MustCookieGetter(cookieName string) RefTokenGetter
MustCookieGetter is the must version of NewCookieGetter.
func MustGenericGetter ¶
func MustGenericGetter(headerName string) RefTokenGetter
MustGenericGetter is the must version of NewGenericGetter.
func NewCookieGetter ¶
func NewCookieGetter(cookieName string) (RefTokenGetter, error)
NewCookieGetter creates a RefTokenGetter retrieving the ref token from a cookie.
func NewGenericGetter ¶
func NewGenericGetter(headerName string) (RefTokenGetter, error)
NewGenericGetter creates a RefTokenGetter retrieving the ref token from a header.
type RefTokenManager ¶
type RefTokenManager struct {
// contains filtered or unexported fields
}
RefTokenManager stores information to translate between external ref tokens and internal real tokens. See: https://www.slideshare.net/opencredo/authentication-in-microservice-systems-david-borsos
func (*RefTokenManager) Configure ¶
func (m *RefTokenManager) Configure() error
Configure configures the manager. Options cannot be added after Configure is called.
func (*RefTokenManager) Options ¶
func (m *RefTokenManager) Options(options ...Option)
Options adds options to the manager.
type RefTokenSetter ¶
RefTokenSetter sets a refToken into the response's header. The refToken is guaranteed to be safe to set in a header.
func MustCookieSetter ¶
func MustCookieSetter(baseCookie *http.Cookie) RefTokenSetter
MustCookieSetter is the must version of NewCookieSetter.
func MustGenericSetter ¶
func MustGenericSetter(headerName string) RefTokenSetter
MustGenericSetter is the must version of NewGenericSetter.
func NewCookieSetter ¶
func NewCookieSetter(baseCookie *http.Cookie) (RefTokenSetter, error)
NewCookieSetter creates a RefTokenSetter storing ref token in cookie.
func NewGenericSetter ¶
func NewGenericSetter(headerName string) (RefTokenSetter, error)
NewGenericSetter creates a RefTokenSetter storing ref token in header directly.