Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Account ¶
type Account struct { // A user's username. Username string `json:"username"` // The user's hashed password, in Modular Crypt Format (with `$` prefix) // or base64-encoded. Password string `json:"password"` // contains filtered or unexported fields }
Account contains a username and password.
type Authentication ¶
type Authentication struct { // A set of authentication providers. If none are specified, // all requests will always be unauthenticated. ProvidersRaw kengine.ModuleMap `json:"providers,omitempty" kengine:"namespace=http.authentication.providers"` Providers map[string]Authenticator `json:"-"` // contains filtered or unexported fields }
Authentication is a middleware which provides user authentication. Rejects requests with HTTP 401 if the request is not authenticated.
After a successful authentication, the placeholder `{http.auth.user.id}` will be set to the username, and also `{http.auth.user.*}` placeholders may be set for any authentication modules that provide user metadata.
Its API is still experimental and may be subject to change.
func (Authentication) KengineModule ¶
func (Authentication) KengineModule() kengine.ModuleInfo
KengineModule returns the Kengine module information.
func (*Authentication) Provision ¶
func (a *Authentication) Provision(ctx kengine.Context) error
Provision sets up a.
func (Authentication) ServeHTTP ¶
func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next kenginehttp.Handler) error
type Authenticator ¶
type Authenticator interface {
Authenticate(http.ResponseWriter, *http.Request) (User, bool, error)
}
Authenticator is a type which can authenticate a request. If a request was not authenticated, it returns false. An error is only returned if authenticating the request fails for a technical reason (not for bad/missing credentials).
type BcryptHash ¶
type BcryptHash struct{}
BcryptHash implements the bcrypt hash.
func (BcryptHash) Compare ¶
func (BcryptHash) Compare(hashed, plaintext []byte) (bool, error)
Compare compares passwords.
func (BcryptHash) Hash ¶
func (BcryptHash) Hash(plaintext []byte) ([]byte, error)
Hash hashes plaintext using a random salt.
func (BcryptHash) KengineModule ¶
func (BcryptHash) KengineModule() kengine.ModuleInfo
KengineModule returns the Kengine module information.
type Cache ¶
type Cache struct {
// contains filtered or unexported fields
}
Cache enables caching of basic auth results. This is especially helpful for secure password hashes which can be expensive to compute on every HTTP request.
type Comparer ¶
type Comparer interface { // Compare returns true if the result of hashing // plaintextPassword is hashedPassword, false // otherwise. An error is returned only if // there is a technical/configuration error. Compare(hashedPassword, plaintextPassword []byte) (bool, error) }
Comparer is a type that can securely compare a plaintext password with a hashed password in constant-time. Comparers should hash the plaintext password and then use constant-time comparison.
type HTTPBasicAuth ¶
type HTTPBasicAuth struct { // The algorithm with which the passwords are hashed. Default: bcrypt HashRaw json.RawMessage `json:"hash,omitempty" kengine:"namespace=http.authentication.hashes inline_key=algorithm"` // The list of accounts to authenticate. AccountList []Account `json:"accounts,omitempty"` // The name of the realm. Default: restricted Realm string `json:"realm,omitempty"` // If non-nil, a mapping of plaintext passwords to their // hashes will be cached in memory (with random eviction). // This can greatly improve the performance of traffic-heavy // servers that use secure password hashing algorithms, with // the downside that plaintext passwords will be stored in // memory for a longer time (this should not be a problem // as long as your machine is not compromised, at which point // all bets are off, since basicauth necessitates plaintext // passwords being received over the wire anyway). Note that // a cache hit does not mean it is a valid password. HashCache *Cache `json:"hash_cache,omitempty"` Accounts map[string]Account `json:"-"` Hash Comparer `json:"-"` // contains filtered or unexported fields }
HTTPBasicAuth facilitates HTTP basic authentication.
func (HTTPBasicAuth) Authenticate ¶
func (hba HTTPBasicAuth) Authenticate(w http.ResponseWriter, req *http.Request) (User, bool, error)
Authenticate validates the user credentials in req and returns the user, if valid.
func (HTTPBasicAuth) KengineModule ¶
func (HTTPBasicAuth) KengineModule() kengine.ModuleInfo
KengineModule returns the Kengine module information.
type Hasher ¶
Hasher is a type that can generate a secure hash given a plaintext. Hashing modules which implement this interface can be used with the hash-password subcommand as well as benefitting from anti-timing features. A hasher also returns a fake hash which can be used for timing side-channel mitigation.
type User ¶
type User struct { // The ID of the authenticated user. ID string // Any other relevant data about this // user. Keys should be adhere to Kengine // conventions (snake_casing), as all // keys will be made available as // placeholders. Metadata map[string]string }
User represents an authenticated user.