kengineauth

package
v1.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 29, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Account

type Account struct {
	// A user's username.
	Username string `json:"username"`

	// The user's hashed password, in Modular Crypt Format (with `$` prefix)
	// or base64-encoded.
	Password string `json:"password"`
	// contains filtered or unexported fields
}

Account contains a username and password.

type Authentication

type Authentication struct {
	// A set of authentication providers. If none are specified,
	// all requests will always be unauthenticated.
	ProvidersRaw kengine.ModuleMap `json:"providers,omitempty" kengine:"namespace=http.authentication.providers"`

	Providers map[string]Authenticator `json:"-"`
	// contains filtered or unexported fields
}

Authentication is a middleware which provides user authentication. Rejects requests with HTTP 401 if the request is not authenticated.

After a successful authentication, the placeholder `{http.auth.user.id}` will be set to the username, and also `{http.auth.user.*}` placeholders may be set for any authentication modules that provide user metadata.

Its API is still experimental and may be subject to change.

func (Authentication) KengineModule

func (Authentication) KengineModule() kengine.ModuleInfo

KengineModule returns the Kengine module information.

func (*Authentication) Provision

func (a *Authentication) Provision(ctx kengine.Context) error

Provision sets up a.

func (Authentication) ServeHTTP

type Authenticator

type Authenticator interface {
	Authenticate(http.ResponseWriter, *http.Request) (User, bool, error)
}

Authenticator is a type which can authenticate a request. If a request was not authenticated, it returns false. An error is only returned if authenticating the request fails for a technical reason (not for bad/missing credentials).

type BcryptHash

type BcryptHash struct{}

BcryptHash implements the bcrypt hash.

func (BcryptHash) Compare

func (BcryptHash) Compare(hashed, plaintext []byte) (bool, error)

Compare compares passwords.

func (BcryptHash) FakeHash

func (BcryptHash) FakeHash() []byte

FakeHash returns a fake hash.

func (BcryptHash) Hash

func (BcryptHash) Hash(plaintext []byte) ([]byte, error)

Hash hashes plaintext using a random salt.

func (BcryptHash) KengineModule

func (BcryptHash) KengineModule() kengine.ModuleInfo

KengineModule returns the Kengine module information.

type Cache

type Cache struct {
	// contains filtered or unexported fields
}

Cache enables caching of basic auth results. This is especially helpful for secure password hashes which can be expensive to compute on every HTTP request.

type Comparer

type Comparer interface {
	// Compare returns true if the result of hashing
	// plaintextPassword is hashedPassword, false
	// otherwise. An error is returned only if
	// there is a technical/configuration error.
	Compare(hashedPassword, plaintextPassword []byte) (bool, error)
}

Comparer is a type that can securely compare a plaintext password with a hashed password in constant-time. Comparers should hash the plaintext password and then use constant-time comparison.

type HTTPBasicAuth

type HTTPBasicAuth struct {
	// The algorithm with which the passwords are hashed. Default: bcrypt
	HashRaw json.RawMessage `json:"hash,omitempty" kengine:"namespace=http.authentication.hashes inline_key=algorithm"`

	// The list of accounts to authenticate.
	AccountList []Account `json:"accounts,omitempty"`

	// The name of the realm. Default: restricted
	Realm string `json:"realm,omitempty"`

	// If non-nil, a mapping of plaintext passwords to their
	// hashes will be cached in memory (with random eviction).
	// This can greatly improve the performance of traffic-heavy
	// servers that use secure password hashing algorithms, with
	// the downside that plaintext passwords will be stored in
	// memory for a longer time (this should not be a problem
	// as long as your machine is not compromised, at which point
	// all bets are off, since basicauth necessitates plaintext
	// passwords being received over the wire anyway). Note that
	// a cache hit does not mean it is a valid password.
	HashCache *Cache `json:"hash_cache,omitempty"`

	Accounts map[string]Account `json:"-"`
	Hash     Comparer           `json:"-"`
	// contains filtered or unexported fields
}

HTTPBasicAuth facilitates HTTP basic authentication.

func (HTTPBasicAuth) Authenticate

func (hba HTTPBasicAuth) Authenticate(w http.ResponseWriter, req *http.Request) (User, bool, error)

Authenticate validates the user credentials in req and returns the user, if valid.

func (HTTPBasicAuth) KengineModule

func (HTTPBasicAuth) KengineModule() kengine.ModuleInfo

KengineModule returns the Kengine module information.

func (*HTTPBasicAuth) Provision

func (hba *HTTPBasicAuth) Provision(ctx kengine.Context) error

Provision provisions the HTTP basic auth provider.

type Hasher

type Hasher interface {
	Hash(plaintext []byte) ([]byte, error)
	FakeHash() []byte
}

Hasher is a type that can generate a secure hash given a plaintext. Hashing modules which implement this interface can be used with the hash-password subcommand as well as benefitting from anti-timing features. A hasher also returns a fake hash which can be used for timing side-channel mitigation.

type User

type User struct {
	// The ID of the authenticated user.
	ID string

	// Any other relevant data about this
	// user. Keys should be adhere to Kengine
	// conventions (snake_casing), as all
	// keys will be made available as
	// placeholders.
	Metadata map[string]string
}

User represents an authenticated user.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL