api

package
v2.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 24, 2024 License: MIT Imports: 42 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// HeaderKeyAppID is a header key to keep application ID.
	HeaderKeyAppID = "X-Identifo-Clientid"
	QueryKeyAppID  = "appId"
)
View Source 
const (
	// SignatureHeaderKey header stores HMAC signature digest.
	SignatureHeaderKey = "Digest"
	// SignatureHeaderValuePrefix is a signature prefix, indicating hash algorithm, hardcoded for now, could be dynamic in the future.
	SignatureHeaderValuePrefix = "SHA-256="
	// TimestampHeaderKey header stores timestamp.
	TimestampHeaderKey = "X-Identifo-Timestamp"
)
View Source 
const SessionName = "_federated_session"

SessionName is the key used to access the session store.

View Source 
const SessionNameOIDC = "_federated_oidc_session"
View Source 
const (
	// TokenHeaderKey is a header name for Bearer token.
	TokenHeaderKey = "Authorization"
)

Variables

View Source 
var (
	Store sessions.Store
)

Store can/should be set by applications using gothic. The default is a cookie store.

Functions

func Logout 

func Logout(res http.ResponseWriter, req *http.Request) error

Logout invalidates a user session.

Types

type AuditOperation added in v2.12.0 

type AuditOperation string
const (
	AuditOperationLoginWithPassword AuditOperation = "login_with_password"
	AuditOperationLoginWithPhone    AuditOperation = "login_with_phone"
	AuditOperationLoginWith2FA      AuditOperation = "login_with_2fa"
	AuditOperationRefreshToken      AuditOperation = "refresh_token"
	AuditOperationOIDCLogin         AuditOperation = "oidc_login"
	AuditOperationFederatedLogin    AuditOperation = "federated_login"
	AuditOperationRegistration      AuditOperation = "registration"
	AuditOperationLogout            AuditOperation = "logout"
	AuditOperationImpersonatedAs    AuditOperation = "impersonated_as"
)

type AuthResponse 

type AuthResponse struct {
	AccessToken  string       `json:"access_token,omitempty" bson:"access_token,omitempty"`
	RefreshToken string       `json:"refresh_token,omitempty" bson:"refresh_token,omitempty"`
	User         model.User   `json:"user,omitempty" bson:"user,omitempty"`
	Require2FA   bool         `json:"require_2fa" bson:"require_2fa"`
	Enabled2FA   bool         `json:"enabled_2fa" bson:"enabled_2fa"`
	CallbackUrl  string       `json:"callback_url,omitempty" bson:"callback_url,omitempty"`
	Scopes       []string     `json:"scopes,omitempty" bson:"scopes,omitempty"`
	ProviderData providerData `json:"provider_data,omitempty" bson:"provider_data,omitempty"`
}

AuthResponse is a response with successful auth data.

type InviteEmailData 

type InviteEmailData struct {
	Requester model.User
	Token     string
	URL       string
	Host      string
	Query     string
	App       string
	Scopes    string
	Callback  string
	Data      interface{}
}

type JWK added in v2.4.0 

type JWK struct {
	Alg string   `json:"alg,omitempty"` // The "alg" (algorithm) parameter identifies the algorithm intended for use with the key.
	Kty string   `json:"kty,omitempty"` //"EC" | "RSA".  The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC".
	Use string   `json:"use,omitempty"` //"sig". The "use" (public key use) parameter identifies the intended use of the public key.  The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data.
	X5c []string `json:"x5c,omitempty"` // The "x5c" (X.509 certificate chain) parameter contains a chain of one
	// or more PKIX certificates [RFC5280].  The certificate chain is
	// represented as a JSON array of certificate value strings.  Each
	// string in the array is a base64-encoded (Section 4 of [RFC4648] --
	// not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
	Kid string `json:"kid,omitempty"` // Identifo used X5t as kid
	X5t string `json:"x5t,omitempty"` // The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
	// base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
	// encoding of an X.509 certificate [RFC5280].  Note that certificate
	// thumbprints are also sometimes known as certificate fingerprints.
	N string `json:"n,omitempty"`
	E string `json:"e,omitempty"` // The RSA Key blinding operation [Kocher], which is a defense against
	//some timing attacks, requires all of the RSA key values "n", "e", and
	//"d".
	Crv string `json:"crv,omitempty"` // P-256
	X   string `json:"x,omitempty"`   // It is represented as the base64url encoding of
	// the octet string representation of the coordinate, as defined in
	// Section 2.3.5 of SEC1 [SEC1].
	Y string `json:"y,omitempty"` // An Elliptic Curve public key is represented by a pair of coordinates

}

func CreateJWK added in v2.4.0 

func CreateJWK(alg, key string, pk any) *JWK

type LocalizedError added in v2.4.0 

type LocalizedError struct {
	// contains filtered or unexported fields
}

func NewLocalizedError added in v2.4.0 

func NewLocalizedError(status int, locale string, errID l.LocalizedString, details ...any) *LocalizedError

func (*LocalizedError) Error added in v2.4.0 

func (e *LocalizedError) Error() string

type OIDCConfiguration 

type OIDCConfiguration struct {
	Issuer                 string   `json:"issuer"`
	JwksURI                string   `json:"jwks_uri"`
	ScopesSupported        []string `json:"scopes_supported"`
	SupportedIDSigningAlgs []string `json:"id_token_signing_alg_values_supported"`
}

OIDCConfiguration describes OIDC configuration. Additional info: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. Identifo is not an OIDC provider, that's why we only provide the information for token validation.

type PhoneLogin 

type PhoneLogin struct {
	PhoneNumber string   `json:"phone_number"`
	Code        string   `json:"code"`
	Scopes      []string `json:"scopes"`
}

PhoneLogin is used to parse input data from the client during phone login.

type ResetEmailData 

type ResetEmailData struct {
	User  model.User
	Token string
	URL   string
	Host  string
	Data  interface{}
}

type Router 

type Router struct {
	Authorizer         *authorization.Authorizer
	Host               *url.URL
	SupportedLoginWays model.LoginWith
	// contains filtered or unexported fields
}

Router is a router that handles all API requests.

func NewRouter 

func NewRouter(settings RouterSettings) (*Router, error)

NewRouter creates and inits new router.

func (*Router) AppID 

func (ar *Router) AppID() negroni.HandlerFunc

AppID extracts application ID from the header and writes corresponding app to the context.

func (*Router) CompleteUserAuth added in v2.3.14 

func (ar *Router) CompleteUserAuth(res http.ResponseWriter, req *http.Request) (goth.User, error)

CompleteUserAuth does what it says on the tin. It completes the authentication process and fetches all of the basic information about the user from the provider. It expects to be able to get the name of the provider from the query parameters as either "provider" or ":provider". See https://github.com/markbates/goth/examples/main.go to see this in action.

func (*Router) ConfigCheck added in v2.3.3 

func (ar *Router) ConfigCheck() negroni.HandlerFunc

Config middleware return error, if server config is invalid

func (*Router) EnableTFA 

func (ar *Router) EnableTFA() http.HandlerFunc

EnableTFA enables two-factor authentication for the user.

func (*Router) Error 

func (ar *Router) Error(w http.ResponseWriter, locale string, status int, errID l.LocalizedString, details ...any)

Error writes an API error message to the response and logger.

func (*Router) ErrorResponse added in v2.4.0 

func (ar *Router) ErrorResponse(w http.ResponseWriter, err error)

func (*Router) FederatedLogin 

func (ar *Router) FederatedLogin() http.HandlerFunc

func (*Router) FederatedLoginComplete 

func (ar *Router) FederatedLoginComplete() http.HandlerFunc

func (*Router) FinalizeTFA 

func (ar *Router) FinalizeTFA() http.HandlerFunc

FinalizeTFA finalizes two-factor authentication.

func (*Router) GetAppSettings 

func (ar *Router) GetAppSettings() http.HandlerFunc

GetAppSettings return app settings

func (*Router) GetAuthURL added in v2.3.14 

func (ar *Router) GetAuthURL(res http.ResponseWriter, req *http.Request) (string, error)

GetAuthURL starts the authentication process with the requested provided. It will return a URL that should be used to send users to. It expects to be able to get the name of the provider from the query parameters as either "provider"

func (*Router) GetImpersonateToken added in v2.7.1 

func (ar *Router) GetImpersonateToken() http.HandlerFunc

GetImpersonateToken returns a token that allows to impersonate a user.

func (*Router) GetUser 

func (ar *Router) GetUser() http.HandlerFunc

GetUser return current user info with sanitized tfa

func (*Router) HandleHello 

func (ar *Router) HandleHello() http.HandlerFunc

HandleHello returns hello message.

func (*Router) HandlePing 

func (ar *Router) HandlePing(w http.ResponseWriter, r *http.Request)

HandlePing returns pong message.

func (*Router) ImpersonateAs added in v2.9.0 

func (ar *Router) ImpersonateAs() http.HandlerFunc

func (*Router) IsLoggedIn 

func (ar *Router) IsLoggedIn() http.HandlerFunc

IsLoggedIn is for checking whether user is logged in or not. In fact, all needed work is done in Token middleware. If we reached this code, user is logged in (presented valid and not blacklisted access token).

func (*Router) LoginWithPassword 

func (ar *Router) LoginWithPassword() http.HandlerFunc

LoginWithPassword logs user in with email and password.

func (*Router) Logout 

func (ar *Router) Logout() http.HandlerFunc

Logout logs user out and deactivates their tokens.

func (*Router) MustParseJSON 

func (ar *Router) MustParseJSON(w http.ResponseWriter, r *http.Request, out interface{}) error

MustParseJSON parses request body json data to the `out` struct. If error happens, writes it to ResponseWriter.

func (*Router) OIDCConfiguration 

func (ar *Router) OIDCConfiguration() http.HandlerFunc

OIDCConfiguration provides an OpenID Connect Discovery information (https://openid.net/specs/openid-connect-discovery-1_0.html). It should return RFC5785-compatible documentation (https://tools.ietf.org/html/rfc5785). This endpoint allows using Identifo as Federated identity provider. For example, AWS AppSync (https://docs.aws.amazon.com/appsync/latest/devguide/security.html#openid-connect-authorization).

func (*Router) OIDCJwks 

func (ar *Router) OIDCJwks() http.HandlerFunc

OIDCJwks returns JSON Web Keys object. Identifo supports two algorithms for signing JSON Web Tokens (JWTs): RS256 and ES256. RS256 and ES256 generate an asymmetric signature, which means a private key must be used to sign the JWT, and a different public key must be used to verify the signature.

At the most basic level, the JWKS is a set of keys containing the public keys that should be used to verify any JWT issued by the authorization server. This endpoint exposes a JWKS endpoint for each tenant, which can be found at https://YOUR_IDENTIFO_DOMAIN/.well-known/jwks.json. Currently Identifo only supports a single JWK for signing, however it is important to assume this endpoint technically could contain multiple JWKs.

func (*Router) OIDCLogin added in v2.4.0 

func (ar *Router) OIDCLogin(stateManagedByClient bool) http.HandlerFunc

func (*Router) OIDCLoginComplete added in v2.4.0 

func (ar *Router) OIDCLoginComplete(useSession bool) http.HandlerFunc

func (*Router) PhoneLogin 

func (ar *Router) PhoneLogin() http.HandlerFunc

PhoneLogin authenticates user with phone number and verification code. If user exists - create new session and return token. If user does not exist - register and then login (create session and return token). If code is invalid - return error.

func (*Router) RefreshTokens 

func (ar *Router) RefreshTokens() http.HandlerFunc

RefreshTokens issues new access and, if requested, refresh token for provided refresh token. After new tokens are issued, the old refresh token gets invalidated (via blacklisting).

func (*Router) RegisterWithPassword 

func (ar *Router) RegisterWithPassword() http.HandlerFunc

RegisterWithPassword registers new user with password.

func (*Router) RequestDisabledTFA 

func (ar *Router) RequestDisabledTFA() http.HandlerFunc

RequestDisabledTFA requests link for disabling TFA. 

func (ar *Router) RequestInviteLink() http.HandlerFunc

RequestInviteLink requests invite link. Invite link will be returned in response even if email or access_role is not specified.

func (*Router) RequestResetPassword 

func (ar *Router) RequestResetPassword() http.HandlerFunc

RequestResetPassword requests password reset

func (*Router) RequestTFAReset 

func (ar *Router) RequestTFAReset() http.HandlerFunc

RequestTFAReset requests link for resetting TFA: deleting old shared secret and establishing the new one.

func (*Router) RequestVerificationCode 

func (ar *Router) RequestVerificationCode() http.HandlerFunc

RequestVerificationCode requests SMS with verification code. To authenticate, user must have a valid phone number.

func (*Router) ResendTFA 

func (ar *Router) ResendTFA() http.HandlerFunc

func (*Router) ResetPassword 

func (ar *Router) ResetPassword() http.HandlerFunc

ResetPassword handles password reset form submission (POST request).

func (*Router) ServeHTTP 

func (ar *Router) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP implements identifo.Router interface.

func (*Router) ServeJSON 

func (ar *Router) ServeJSON(w http.ResponseWriter, locale string, status int, v interface{})

ServeJSON sends status code, headers and data and send it back to the user

func (*Router) SignatureHandler 

func (ar *Router) SignatureHandler() negroni.HandlerFunc

SignatureHandler returns middleware that handles request signature. More info: https://identifo.madappgang.com/#ca6498ab-b3dc-4c1e-a5b0-2dd633831e2d.

func (*Router) Token 

func (ar *Router) Token(tokenType string, scopes []string) mux.MiddlewareFunc

Token middleware extracts token and validates it.

func (*Router) UpdateUser 

func (ar *Router) UpdateUser() http.HandlerFunc

UpdateUser allows to change user login and password.

type RouterSettings 

type RouterSettings struct {
	Server           model.Server
	LoggerSettings   model.LoggerSettings
	Authorizer       *authorization.Authorizer
	Host             *url.URL
	TFAType          model.TFAType
	TFAResendTimeout int
	LoginWith        model.LoginWith
	Cors             *cors.Cors
	Locale           string
}

type SendTFAEmailData 

type SendTFAEmailData struct {
	User model.User
	OTP  string
	Data interface{}
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.