Documentation
¶
Index ¶
- Constants
- Variables
- func RedirectOnAuthenticated(d interface{ ... }) httprouter.Handle
- func RedirectOnUnauthenticated(to string) httprouter.Handle
- func RespondWithJSONErrorOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
- func TestPersister(ctx context.Context, conf *config.Config, p interface{ ... }) func(t *testing.T)
- type AuthenticationMethod
- type AuthenticationMethods
- type Device
- type ErrAALNotSatisfied
- type Handler
- func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle
- func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated httprouter.Handle) httprouter.Handle
- func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
- func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
- type HandlerProvider
- type ManagementProvider
- type Manager
- type ManagerHTTP
- func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string) error
- func (s *ManagerHTTP) FetchFromRequest(ctx context.Context, r *http.Request) (*Session, error)
- func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) error
- func (s *ManagerHTTP) PurgeFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) error
- func (s *ManagerHTTP) SessionAddAuthenticationMethod(ctx context.Context, sid uuid.UUID, methods ...identity.CredentialsType) error
- func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, ss *Session) error
- type PersistenceProvider
- type Persister
- type Session
- func (s *Session) Activate(i *identity.Identity, c lifespanProvider, authenticatedAt time.Time) error
- func (s *Session) CompletedLoginFor(method identity.CredentialsType)
- func (s *Session) Declassify() *Session
- func (s *Session) IsActive() bool
- func (s *Session) SetAuthenticatorAssuranceLevel()
- func (s Session) TableName(ctx context.Context) string
Constants ¶
View Source
const ( RouteCollection = "/sessions" RouteWhoami = RouteCollection + "/whoami" RouteIdentity = "/identities" RouteDeleteSession = RouteIdentity + "/:id/sessions" )
Variables ¶
View Source
var ErrIdentityDisabled = herodot.ErrUnauthorized.WithError("identity is disabled").WithReason("This account was disabled.")
View Source
var ( // ErrNoActiveSessionFound is returned when no active cookie session could be found in the request. ErrNoActiveSessionFound = herodot.ErrUnauthorized.WithID(text.ErrNoActiveSession).WithError("request does not have a valid authentication session").WithReason("No active session was found in this request.") )
Functions ¶
func RedirectOnAuthenticated ¶
func RedirectOnAuthenticated(d interface{ config.Provider }) httprouter.Handle
func RedirectOnUnauthenticated ¶
func RedirectOnUnauthenticated(to string) httprouter.Handle
func RespondWithJSONErrorOnAuthenticated ¶
func RespondWithJSONErrorOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
Types ¶
type AuthenticationMethod ¶
type AuthenticationMethod struct {
// The method used in this authenticator.
Method identity.CredentialsType `json:"method"`
// When the authentication challenge was completed.
CompletedAt time.Time `json:"completed_at"`
}
AuthenticationMethod identifies an authentication method
A singular authenticator used during authentication / login.
swagger:model sessionAuthenticationMethod
func (*AuthenticationMethod) Scan ¶
func (n *AuthenticationMethod) Scan(value interface{}) error
Scan implements the Scanner interface.
type AuthenticationMethods ¶
type AuthenticationMethods []AuthenticationMethod
List of (Used) AuthenticationMethods
A list of authenticators which were used to authenticate the session.
swagger:model sessionAuthenticationMethods
func (*AuthenticationMethods) Scan ¶
func (n *AuthenticationMethods) Scan(value interface{}) error
Scan implements the Scanner interface.
type Device ¶
type Device struct {
// UserAgent of this device
UserAgent string `json:"user_agent"`
}
swagger:model sessionDevice
type ErrAALNotSatisfied ¶
type ErrAALNotSatisfied struct {
*herodot.DefaultError `json:"error"`
RedirectTo string `json:"redirect_browser_to"`
}
ErrAALNotSatisfied is returned when an active session was found but the requested AAL is not satisfied.
swagger:model errorAuthenticatorAssuranceLevelNotSatisfied
func NewErrAALNotSatisfied ¶
func NewErrAALNotSatisfied(redirectTo string) *ErrAALNotSatisfied
NewErrAALNotSatisfied creates a new ErrAALNotSatisfied.
func (*ErrAALNotSatisfied) EnhanceJSONError ¶
func (e *ErrAALNotSatisfied) EnhanceJSONError() interface{}
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
func NewHandler ¶
func NewHandler( r handlerDependencies, ) *Handler
func (*Handler) IsAuthenticated ¶
func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle
func (*Handler) IsNotAuthenticated ¶
func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated httprouter.Handle) httprouter.Handle
func (*Handler) RegisterAdminRoutes ¶
func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
func (*Handler) RegisterPublicRoutes ¶
func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
type HandlerProvider ¶
type HandlerProvider interface {
SessionHandler() *Handler
}
type ManagementProvider ¶
type ManagementProvider interface {
SessionManager() Manager
}
type Manager ¶
type Manager interface {
// UpsertAndIssueCookie stores a session in the database and issues a cookie by calling IssueCookie.
//
// Also regenerates CSRF tokens due to assumed principal change.
UpsertAndIssueCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error
// IssueCookie issues a cookie for the given session.
//
// Also regenerates CSRF tokens due to assumed principal change.
IssueCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error
// FetchFromRequest creates an HTTP session using cookies.
FetchFromRequest(context.Context, *http.Request) (*Session, error)
// PurgeFromRequest removes an HTTP session.
PurgeFromRequest(context.Context, http.ResponseWriter, *http.Request) error
// DoesSessionSatisfy answers if a session is satisfying the AAL.
DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string) error
// SessionAddAuthenticationMethod adds one or more authentication method to the session.
SessionAddAuthenticationMethod(ctx context.Context, sid uuid.UUID, method ...identity.CredentialsType) error
}
Manager handles identity sessions.
type ManagerHTTP ¶
type ManagerHTTP struct {
// contains filtered or unexported fields
}
func NewManagerHTTP ¶
func NewManagerHTTP(r managerHTTPDependencies) *ManagerHTTP
func (*ManagerHTTP) DoesSessionSatisfy ¶
func (*ManagerHTTP) FetchFromRequest ¶
func (*ManagerHTTP) IssueCookie ¶
func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) error
func (*ManagerHTTP) PurgeFromRequest ¶
func (s *ManagerHTTP) PurgeFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) error
func (*ManagerHTTP) SessionAddAuthenticationMethod ¶
func (s *ManagerHTTP) SessionAddAuthenticationMethod(ctx context.Context, sid uuid.UUID, methods ...identity.CredentialsType) error
func (*ManagerHTTP) UpsertAndIssueCookie ¶
func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, ss *Session) error
type PersistenceProvider ¶
type PersistenceProvider interface {
SessionPersister() Persister
}
type Persister ¶
type Persister interface {
// GetSession retrieves a session from the store.
GetSession(ctx context.Context, sid uuid.UUID) (*Session, error)
// UpsertSession inserts or updates a session into / in the store.
UpsertSession(ctx context.Context, s *Session) error
// DeleteSession removes a session from the store.
DeleteSession(ctx context.Context, id uuid.UUID) error
// DeleteSessionsByIdentity removes all active session from the store for the given identity.
DeleteSessionsByIdentity(ctx context.Context, identity uuid.UUID) error
// GetSessionByToken gets the session associated with the given token.
//
// Functionality is similar to GetSession but accepts a session token
// instead of a session ID.
GetSessionByToken(context.Context, string) (*Session, error)
// DeleteSessionByToken deletes a session associated with the given token.
//
// Functionality is similar to DeleteSession but accepts a session token
// instead of a session ID.
DeleteSessionByToken(context.Context, string) error
// RevokeSessionByToken marks a session inactive with the given token.
RevokeSessionByToken(ctx context.Context, token string) error
}
type Session ¶
type Session struct {
// Session ID
//
// required: true
ID uuid.UUID `json:"id" faker:"-" db:"id"`
// Active state. If false the session is no longer active.
Active bool `json:"active" db:"active"`
// The Session Expiry
//
// When this session expires at.
ExpiresAt time.Time `json:"expires_at" db:"expires_at" faker:"time_type"`
// The Session Authentication Timestamp
//
// When this session was authenticated at. If multi-factor authentication was used this
// is the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).
AuthenticatedAt time.Time `json:"authenticated_at" db:"authenticated_at" faker:"time_type"`
// AuthenticationMethod Assurance Level (AAL)
//
// The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder
// for an attacker to compromise the account.
//
// Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g.
// password + TOTP) have been used.
//
// To learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials
AuthenticatorAssuranceLevel identity.AuthenticatorAssuranceLevel `faker:"len=4" db:"aal" json:"authenticator_assurance_level"`
// Authentication Method References (AMR)
//
// A list of authentication methods (e.g. password, oidc, ...) used to issue this session.
AMR AuthenticationMethods `db:"authentication_methods" json:"authentication_methods"`
// The Session Issuance Timestamp
//
// When this session was issued at. Usually equal or close to `authenticated_at`.
IssuedAt time.Time `json:"issued_at" db:"issued_at" faker:"time_type"`
// The Logout Token
//
// Use this token to log out a user.
LogoutToken string `json:"-" db:"logout_token"`
// required: true
Identity *identity.Identity `json:"identity" faker:"identity" db:"-" belongs_to:"identities" fk_id:"IdentityID"`
// IdentityID is a helper struct field for gobuffalo.pop.
IdentityID uuid.UUID `json:"-" faker:"-" db:"identity_id"`
// CreatedAt is a helper struct field for gobuffalo.pop.
CreatedAt time.Time `json:"-" faker:"-" db:"created_at"`
// UpdatedAt is a helper struct field for gobuffalo.pop.
UpdatedAt time.Time `json:"-" faker:"-" db:"updated_at"`
// The Session Token
//
// The token of this session.
Token string `json:"-" db:"token"`
NID uuid.UUID `json:"-" faker:"-" db:"nid"`
}
A Session
swagger:model session
func NewActiveSession ¶
func NewInactiveSession ¶
func NewInactiveSession() *Session
func (*Session) CompletedLoginFor ¶
func (s *Session) CompletedLoginFor(method identity.CredentialsType)
func (*Session) Declassify ¶
func (*Session) SetAuthenticatorAssuranceLevel ¶
func (s *Session) SetAuthenticatorAssuranceLevel()
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.