Documentation ¶
Index ¶
- Constants
- Variables
- func RedirectOnAuthenticated(d interface{ ... }) httprouter.Handle
- func RedirectOnUnauthenticated(to string) httprouter.Handle
- func RespondWithJSONErrorOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
- func RespondWitherrorGenericOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
- type AuthenticationMethod
- type AuthenticationMethods
- type Device
- type DevicePersister
- type ErrAALNotSatisfied
- type ErrNoActiveSessionFound
- type Expandable
- type Expandables
- type Handler
- func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle
- func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated httprouter.Handle) httprouter.Handle
- func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
- func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
- type HandlerProvider
- type ManagementProvider
- type Manager
- type ManagerHTTP
- func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string) (err error)
- func (s *ManagerHTTP) FetchFromRequest(ctx context.Context, r *http.Request) (_ *Session, err error)
- func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) (err error)
- func (s *ManagerHTTP) PurgeFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) (err error)
- func (s *ManagerHTTP) RefreshCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) (err error)
- func (s *ManagerHTTP) SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, ams ...AuthenticationMethod) (err error)
- func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, ss *Session) (err error)
- type PersistenceProvider
- type Persister
- type Session
- func (s *Session) Activate(r *http.Request, i *identity.Identity, c lifespanProvider, ...) error
- func (s *Session) CanBeRefreshed(ctx context.Context, c refreshWindowProvider) bool
- func (s *Session) CompletedLoginFor(method identity.CredentialsType, aal identity.AuthenticatorAssuranceLevel)
- func (s Session) Declassified() *Session
- func (s Session) DefaultPageToken() keysetpagination.PageToken
- func (s *Session) IsActive() bool
- func (s *Session) MarshalJSON() ([]byte, error)
- func (s Session) PageToken() keysetpagination.PageToken
- func (s *Session) Refresh(ctx context.Context, c lifespanProvider) *Session
- func (s *Session) SetAuthenticatorAssuranceLevel()
- func (s *Session) SetSessionDeviceInformation(r *http.Request)
- func (s Session) TableName(ctx context.Context) string
Constants ¶
const ( RouteCollection = "/sessions" RouteWhoami = RouteCollection + "/whoami" RouteSession = RouteCollection + "/:id" )
const ( AdminRouteIdentity = "/identities" AdminRouteIdentitiesSessions = AdminRouteIdentity + "/:id/sessions" AdminRouteSessionExtendId = RouteSession + "/extend" )
Variables ¶
var ErrIdentityDisabled = herodot.ErrUnauthorized.WithError("identity is disabled").WithReason("This account was disabled.")
var ErrNoSessionFound = herodot.ErrUnauthorized.WithReasonf("No valid session credentials found in the request.")
var ExpandDefault = Expandables{ ExpandSessionIdentity, }
ExpandDefault expands the default fields of a session - Associated Identity
var ExpandEverything = Expandables{ ExpandSessionDevices, ExpandSessionIdentity, }
ExpandEverything expands all the fields of a session.
Functions ¶
func RedirectOnAuthenticated ¶
func RedirectOnAuthenticated(d interface{ config.Provider }) httprouter.Handle
func RedirectOnUnauthenticated ¶
func RedirectOnUnauthenticated(to string) httprouter.Handle
func RespondWithJSONErrorOnAuthenticated ¶
func RespondWithJSONErrorOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
func RespondWitherrorGenericOnAuthenticated ¶ added in v0.11.0
func RespondWitherrorGenericOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
Types ¶
type AuthenticationMethod ¶
type AuthenticationMethod struct { // The method used in this authenticator. Method identity.CredentialsType `json:"method"` // The AAL this method introduced. AAL identity.AuthenticatorAssuranceLevel `json:"aal"` // When the authentication challenge was completed. CompletedAt time.Time `json:"completed_at"` }
AuthenticationMethod identifies an authentication method
A singular authenticator used during authentication / login.
swagger:model sessionAuthenticationMethod
func (*AuthenticationMethod) Scan ¶
func (n *AuthenticationMethod) Scan(value interface{}) error
Scan implements the Scanner interface.
type AuthenticationMethods ¶
type AuthenticationMethods []AuthenticationMethod
List of (Used) AuthenticationMethods
A list of authenticators which were used to authenticate the session.
swagger:model sessionAuthenticationMethods
func (*AuthenticationMethods) Scan ¶
func (n *AuthenticationMethods) Scan(value interface{}) error
Scan implements the Scanner interface.
type Device ¶
type Device struct { // Device record ID // // required: true ID uuid.UUID `json:"id" faker:"-" db:"id"` // SessionID is a helper struct field for gobuffalo.pop. SessionID uuid.UUID `json:"-" faker:"-" db:"session_id"` // IPAddress of the client IPAddress *string `json:"ip_address" faker:"ptr_ipv4" db:"ip_address"` // UserAgent of the client UserAgent *string `json:"user_agent" faker:"-" db:"user_agent"` // Geo Location corresponding to the IP Address Location *string `json:"location" faker:"ptr_geo_location" db:"location"` // Time of capture CreatedAt time.Time `json:"-" faker:"-" db:"created_at"` // Last updated at UpdatedAt time.Time `json:"-" faker:"-" db:"updated_at"` NID uuid.UUID `json:"-" faker:"-" db:"nid"` }
Device corresponding to a Session
swagger:model sessionDevice
type DevicePersister ¶ added in v0.13.0
type ErrAALNotSatisfied ¶
type ErrAALNotSatisfied struct { *herodot.DefaultError `json:"error"` RedirectTo string `json:"redirect_browser_to"` }
ErrAALNotSatisfied is returned when an active session was found but the requested AAL is not satisfied.
func NewErrAALNotSatisfied ¶
func NewErrAALNotSatisfied(redirectTo string) *ErrAALNotSatisfied
NewErrAALNotSatisfied creates a new ErrAALNotSatisfied.
func (*ErrAALNotSatisfied) EnhanceJSONError ¶
func (e *ErrAALNotSatisfied) EnhanceJSONError() interface{}
func (*ErrAALNotSatisfied) PassReturnToAndLoginChallengeParameters ¶ added in v0.11.0
func (e *ErrAALNotSatisfied) PassReturnToAndLoginChallengeParameters(requestURL string) error
type ErrNoActiveSessionFound ¶
type ErrNoActiveSessionFound struct { *herodot.DefaultError `json:"error"` // contains filtered or unexported fields }
ErrNoActiveSessionFound is returned when no active cookie session could be found in the request.
func NewErrNoActiveSessionFound ¶
func NewErrNoActiveSessionFound() *ErrNoActiveSessionFound
NewErrNoActiveSessionFound creates a new ErrNoActiveSessionFound
func NewErrNoCredentialsForSession ¶ added in v0.11.0
func NewErrNoCredentialsForSession() *ErrNoActiveSessionFound
NewErrNoCredentialsForSession creates a new NewErrNoCredentialsForSession
func (*ErrNoActiveSessionFound) EnhanceJSONError ¶
func (e *ErrNoActiveSessionFound) EnhanceJSONError() interface{}
type Expandable ¶ added in v0.11.0
type Expandable = sqlxx.Expandable
Expandable controls what fields to expand for sessions.
const ( // ExpandSessionDevices expands devices related to the session ExpandSessionDevices Expandable = "Devices" // ExpandSessionIdentity expands Identity related to the session ExpandSessionIdentity Expandable = "Identity" ExpandSessionIdentityRecoveryAddress Expandable = "Identity.RecoveryAddresses" ExpandSessionIdentityVerifiableAddress Expandable = "Identity.VerifiableAddresses" )
func ParseExpandable ¶ added in v0.11.0
func ParseExpandable(in string) (Expandable, bool)
type Expandables ¶ added in v0.11.0
type Expandables = sqlxx.Expandables
Expandables is a list of Expandable values.
var ExpandNothing Expandables
ExpandNothing expands nothing
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
func NewHandler ¶
func NewHandler( r handlerDependencies, ) *Handler
func (*Handler) IsAuthenticated ¶
func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle
func (*Handler) IsNotAuthenticated ¶
func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated httprouter.Handle) httprouter.Handle
func (*Handler) RegisterAdminRoutes ¶
func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
func (*Handler) RegisterPublicRoutes ¶
func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
type HandlerProvider ¶
type HandlerProvider interface {
SessionHandler() *Handler
}
type ManagementProvider ¶
type ManagementProvider interface {
SessionManager() Manager
}
type Manager ¶
type Manager interface { // UpsertAndIssueCookie stores a session in the database and issues a cookie by calling IssueCookie. // // Also regenerates CSRF tokens due to assumed principal change. UpsertAndIssueCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error // IssueCookie issues a cookie for the given session. // // Also regenerates CSRF tokens due to assumed principal change. IssueCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error // RefreshCookie checks if the request uses an outdated cookie and refreshes the cookie if needed. RefreshCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error // FetchFromRequest creates an HTTP session using cookies. FetchFromRequest(context.Context, *http.Request) (*Session, error) // PurgeFromRequest removes an HTTP session. PurgeFromRequest(context.Context, http.ResponseWriter, *http.Request) error // DoesSessionSatisfy answers if a session is satisfying the AAL. DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string) error // SessionAddAuthenticationMethods adds one or more authentication method to the session. SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, methods ...AuthenticationMethod) error }
Manager handles identity sessions.
type ManagerHTTP ¶
type ManagerHTTP struct {
// contains filtered or unexported fields
}
func NewManagerHTTP ¶
func NewManagerHTTP(r managerHTTPDependencies) *ManagerHTTP
func (*ManagerHTTP) DoesSessionSatisfy ¶
func (*ManagerHTTP) FetchFromRequest ¶
func (*ManagerHTTP) IssueCookie ¶
func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) (err error)
func (*ManagerHTTP) PurgeFromRequest ¶
func (s *ManagerHTTP) PurgeFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) (err error)
func (*ManagerHTTP) RefreshCookie ¶ added in v0.11.0
func (s *ManagerHTTP) RefreshCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) (err error)
func (*ManagerHTTP) SessionAddAuthenticationMethods ¶
func (s *ManagerHTTP) SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, ams ...AuthenticationMethod) (err error)
func (*ManagerHTTP) UpsertAndIssueCookie ¶
func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, ss *Session) (err error)
type PersistenceProvider ¶
type PersistenceProvider interface {
SessionPersister() Persister
}
type Persister ¶
type Persister interface { GetConnection(ctx context.Context) *pop.Connection // GetSession retrieves a session from the store. GetSession(ctx context.Context, sid uuid.UUID, expandables Expandables) (*Session, error) // ListSessions retrieves all sessions. ListSessions(ctx context.Context, active *bool, paginatorOpts []keysetpagination.Option, expandables Expandables) ([]Session, int64, *keysetpagination.Paginator, error) // ListSessionsByIdentity retrieves sessions for an identity from the store. ListSessionsByIdentity(ctx context.Context, iID uuid.UUID, active *bool, page, perPage int, except uuid.UUID, expandables Expandables) ([]Session, int64, error) // UpsertSession inserts or updates a session into / in the store. UpsertSession(ctx context.Context, s *Session) error // DeleteSession removes a session from the store. DeleteSession(ctx context.Context, id uuid.UUID) error // DeleteSessionsByIdentity removes all active session from the store for the given identity. DeleteSessionsByIdentity(ctx context.Context, identity uuid.UUID) error // GetSessionByToken gets the session associated with the given token. // // Functionality is similar to GetSession but accepts a session token // instead of a session ID. GetSessionByToken(ctx context.Context, token string, expandables Expandables, identityExpandables identity.Expandables) (*Session, error) // DeleteExpiredSessions deletes sessions that expired before the given time. DeleteExpiredSessions(context.Context, time.Time, int) error // DeleteSessionByToken deletes a session associated with the given token. // // Functionality is similar to DeleteSession but accepts a session token // instead of a session ID. DeleteSessionByToken(context.Context, string) error // RevokeSessionByToken marks a session inactive with the given token. RevokeSessionByToken(ctx context.Context, token string) error // RevokeSessionById marks a session inactive with the specified uuid RevokeSessionById(ctx context.Context, sID uuid.UUID) error // RevokeSession marks a given session inactive. RevokeSession(ctx context.Context, iID, sID uuid.UUID) error // RevokeSessionsIdentityExcept marks all except the given session of an identity inactive. It returns the number of sessions that were revoked. RevokeSessionsIdentityExcept(ctx context.Context, iID, sID uuid.UUID) (int, error) }
type Session ¶
type Session struct { // Session ID // // required: true ID uuid.UUID `json:"id" faker:"-" db:"id"` // Active state. If false the session is no longer active. Active bool `json:"active" db:"active"` // The Session Expiry // // When this session expires at. ExpiresAt time.Time `json:"expires_at" db:"expires_at" faker:"time_type"` // The Session Authentication Timestamp // // When this session was authenticated at. If multi-factor authentication was used this // is the time when the last factor was authenticated (e.g. the TOTP code challenge was completed). AuthenticatedAt time.Time `json:"authenticated_at" db:"authenticated_at" faker:"time_type"` // AuthenticationMethod Assurance Level (AAL) // // The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder // for an attacker to compromise the account. // // Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g. // password + TOTP) have been used. // // To learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials AuthenticatorAssuranceLevel identity.AuthenticatorAssuranceLevel `faker:"len=4" db:"aal" json:"authenticator_assurance_level"` // Authentication Method References (AMR) // // A list of authentication methods (e.g. password, oidc, ...) used to issue this session. AMR AuthenticationMethods `db:"authentication_methods" json:"authentication_methods"` // The Session Issuance Timestamp // // When this session was issued at. Usually equal or close to `authenticated_at`. IssuedAt time.Time `json:"issued_at" db:"issued_at" faker:"time_type"` // The Logout Token // // Use this token to log out a user. LogoutToken string `json:"-" db:"logout_token"` // required: true Identity *identity.Identity `json:"identity" faker:"identity" db:"-" belongs_to:"identities" fk_id:"IdentityID"` // Devices has history of all endpoints where the session was used Devices []Device `json:"devices" faker:"-" has_many:"session_devices" fk_id:"session_id"` // IdentityID is a helper struct field for gobuffalo.pop. IdentityID uuid.UUID `json:"-" faker:"-" db:"identity_id"` // CreatedAt is a helper struct field for gobuffalo.pop. CreatedAt time.Time `json:"-" faker:"-" db:"created_at"` // UpdatedAt is a helper struct field for gobuffalo.pop. UpdatedAt time.Time `json:"-" faker:"-" db:"updated_at"` // The Session Token // // The token of this session. Token string `json:"-" db:"token"` NID uuid.UUID `json:"-" faker:"-" db:"nid"` }
A Session
swagger:model session
func NewActiveSession ¶
func NewInactiveSession ¶
func NewInactiveSession() *Session
func (*Session) CanBeRefreshed ¶
func (*Session) CompletedLoginFor ¶
func (s *Session) CompletedLoginFor(method identity.CredentialsType, aal identity.AuthenticatorAssuranceLevel)
func (Session) Declassified ¶ added in v0.13.0
func (Session) DefaultPageToken ¶ added in v0.11.1
func (s Session) DefaultPageToken() keysetpagination.PageToken
func (*Session) MarshalJSON ¶ added in v0.11.0
func (Session) PageToken ¶ added in v0.11.0
func (s Session) PageToken() keysetpagination.PageToken
func (*Session) SetAuthenticatorAssuranceLevel ¶
func (s *Session) SetAuthenticatorAssuranceLevel()