Documentation ¶
Index ¶
- Constants
- Variables
- func RedirectOnAuthenticated(d interface{ ... }) httprouter.Handle
- func RedirectOnUnauthenticated(to string) httprouter.Handle
- func RespondWithJSONErrorOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
- func TestPersister(ctx context.Context, conf *config.Config, p interface{ ... }) func(t *testing.T)
- type AuthenticationMethod
- type AuthenticationMethods
- type Device
- type ErrAALNotSatisfied
- type ErrNoActiveSessionFound
- type Handler
- func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle
- func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated httprouter.Handle) httprouter.Handle
- func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
- func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
- type HandlerProvider
- type ManagementProvider
- type Manager
- type ManagerHTTP
- func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string) error
- func (s *ManagerHTTP) FetchFromRequest(ctx context.Context, r *http.Request) (*Session, error)
- func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) error
- func (s *ManagerHTTP) PurgeFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) error
- func (s *ManagerHTTP) SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, ams ...AuthenticationMethod) error
- func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, ss *Session) error
- type PersistenceProvider
- type Persister
- type Session
- func (s *Session) Activate(i *identity.Identity, c lifespanProvider, authenticatedAt time.Time) error
- func (s *Session) CompletedLoginFor(method identity.CredentialsType, aal identity.AuthenticatorAssuranceLevel)
- func (s *Session) Declassify() *Session
- func (s *Session) IsActive() bool
- func (s *Session) SetAuthenticatorAssuranceLevel()
- func (s Session) TableName(ctx context.Context) string
Constants ¶
// Route constants for the session API. RouteWhoami and RouteSession are
// nested under RouteCollection; RouteIdentitiesSessions addresses the
// sessions of a single identity under RouteIdentity. Which router (public or
// admin) each path is mounted on is decided in RegisterPublicRoutes and
// RegisterAdminRoutes, not here.
const (
	RouteCollection         = "/sessions"
	RouteWhoami             = RouteCollection + "/whoami"
	RouteSession            = RouteCollection + "/:id"
	RouteIdentity           = "/identities"
	RouteIdentitiesSessions = RouteIdentity + "/:id/sessions"
)
Variables ¶
// ErrIdentityDisabled is the error for a session whose identity has been
// disabled. It is built on herodot.ErrUnauthorized, so it carries that
// error's HTTP status; the WithReason text is the human-readable message
// exposed with it. The call sites that return it are outside this listing.
var ErrIdentityDisabled = herodot.ErrUnauthorized.WithError("identity is disabled").WithReason("This account was disabled.")
Functions ¶
func RedirectOnAuthenticated ¶
func RedirectOnAuthenticated(d interface{ config.Provider }) httprouter.Handle
func RedirectOnUnauthenticated ¶
func RedirectOnUnauthenticated(to string) httprouter.Handle
func RespondWithJSONErrorOnAuthenticated ¶
func RespondWithJSONErrorOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
Types ¶
type AuthenticationMethod ¶
// AuthenticationMethod records one authenticator that was completed during
// login: which credential type it was, the AAL it contributed and when the
// challenge was completed. It is stored as part of Session.AMR.
type AuthenticationMethod struct {
	// The method used in this authenticator.
	Method identity.CredentialsType `json:"method"`

	// The AAL this method introduced.
	AAL identity.AuthenticatorAssuranceLevel `json:"aal"`

	// When the authentication challenge was completed.
	CompletedAt time.Time `json:"completed_at"`
}
AuthenticationMethod identifies an authentication method
A singular authenticator used during authentication / login.
swagger:model sessionAuthenticationMethod
func (*AuthenticationMethod) Scan ¶
func (n *AuthenticationMethod) Scan(value interface{}) error
Scan implements the Scanner interface.
type AuthenticationMethods ¶
// AuthenticationMethods is the list of authenticators used to authenticate a
// session (see Session.AMR). Its Scan method lets the whole list be read back
// from a single database column.
type AuthenticationMethods []AuthenticationMethod
List of (Used) AuthenticationMethods
A list of authenticators which were used to authenticate the session.
swagger:model sessionAuthenticationMethods
func (*AuthenticationMethods) Scan ¶
func (n *AuthenticationMethods) Scan(value interface{}) error
Scan implements the Scanner interface.
type Device ¶
// Device describes a client device; only its user agent is recorded here.
// NOTE(review): nothing in this listing references Device from Session, so
// where it is populated is not visible from here.
type Device struct {
	// UserAgent of this device. The user agent is whatever the client sent,
	// so treat it as untrusted text (escape it when rendering or logging).
	UserAgent string `json:"user_agent"`
}
swagger:model sessionDevice
type ErrAALNotSatisfied ¶
// ErrAALNotSatisfied is returned when an active session was found but the
// requested authenticator assurance level is not satisfied. The embedded
// *herodot.DefaultError is serialized under "error"; RedirectTo is the URL
// the browser should be sent to and is chosen by the caller of
// NewErrAALNotSatisfied.
type ErrAALNotSatisfied struct {
	*herodot.DefaultError `json:"error"`

	// RedirectTo is serialized as redirect_browser_to. PassReturnToParameter
	// presumably amends it with the request URL — confirm in its body.
	RedirectTo string `json:"redirect_browser_to"`
}
ErrAALNotSatisfied is returned when an active session was found but the requested AAL is not satisfied.
swagger:model errorAuthenticatorAssuranceLevelNotSatisfied
func NewErrAALNotSatisfied ¶
func NewErrAALNotSatisfied(redirectTo string) *ErrAALNotSatisfied
NewErrAALNotSatisfied creates a new ErrAALNotSatisfied.
func (*ErrAALNotSatisfied) EnhanceJSONError ¶
func (e *ErrAALNotSatisfied) EnhanceJSONError() interface{}
func (*ErrAALNotSatisfied) PassReturnToParameter ¶
func (e *ErrAALNotSatisfied) PassReturnToParameter(requestURL string) error
type ErrNoActiveSessionFound ¶
// ErrNoActiveSessionFound is returned when no active cookie session could be
// found in the request. It wraps a *herodot.DefaultError, which is what gets
// serialized under "error" (see EnhanceJSONError).
type ErrNoActiveSessionFound struct {
	*herodot.DefaultError `json:"error"`
}
ErrNoActiveSessionFound is returned when no active cookie session could be found in the request.
func NewErrNoActiveSessionFound ¶
func NewErrNoActiveSessionFound() *ErrNoActiveSessionFound
NewErrNoActiveSessionFound creates a new ErrNoActiveSessionFound.
func (*ErrNoActiveSessionFound) EnhanceJSONError ¶
func (e *ErrNoActiveSessionFound) EnhanceJSONError() interface{}
type Handler ¶
// Handler serves the session HTTP routes (see RegisterPublicRoutes and
// RegisterAdminRoutes) and offers the IsAuthenticated / IsNotAuthenticated
// middleware. Construct it with NewHandler; its fields are unexported.
type Handler struct {
	// contains filtered or unexported fields
}
func NewHandler ¶
func NewHandler(r handlerDependencies) *Handler
func (*Handler) IsAuthenticated ¶
func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle
func (*Handler) IsNotAuthenticated ¶
func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated httprouter.Handle) httprouter.Handle
func (*Handler) RegisterAdminRoutes ¶
func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
func (*Handler) RegisterPublicRoutes ¶
func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
type HandlerProvider ¶
// HandlerProvider is implemented by dependency registries that can hand out
// the session Handler.
type HandlerProvider interface {
	SessionHandler() *Handler
}
type ManagementProvider ¶
// ManagementProvider is implemented by dependency registries that can hand
// out the session Manager.
type ManagementProvider interface {
	SessionManager() Manager
}
type Manager ¶
// Manager handles identity sessions: it persists them, binds them to the
// client through a cookie and checks their authenticator assurance level.
type Manager interface {
	// UpsertAndIssueCookie stores a session in the database and issues a
	// cookie by calling IssueCookie.
	//
	// Also regenerates CSRF tokens due to assumed principal change.
	UpsertAndIssueCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error

	// IssueCookie issues a cookie for the given session.
	//
	// Also regenerates CSRF tokens due to assumed principal change.
	IssueCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error

	// FetchFromRequest resolves the session referenced by the request's
	// cookies.
	FetchFromRequest(context.Context, *http.Request) (*Session, error)

	// PurgeFromRequest removes the HTTP session referenced by the request.
	PurgeFromRequest(context.Context, http.ResponseWriter, *http.Request) error

	// DoesSessionSatisfy reports whether sess satisfies requestedAAL; a
	// non-nil error means it does not (ErrAALNotSatisfied is the documented
	// error for that case).
	DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string) error

	// SessionAddAuthenticationMethods adds one or more authentication
	// methods to the session identified by sid.
	SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, methods ...AuthenticationMethod) error
}
Manager handles identity sessions.
type ManagerHTTP ¶
// ManagerHTTP is the cookie-based Manager implementation. Construct it with
// NewManagerHTTP; its fields are unexported.
type ManagerHTTP struct {
	// contains filtered or unexported fields
}
func NewManagerHTTP ¶
func NewManagerHTTP(r managerHTTPDependencies) *ManagerHTTP
func (*ManagerHTTP) DoesSessionSatisfy ¶
func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string) error
func (*ManagerHTTP) FetchFromRequest ¶
func (s *ManagerHTTP) FetchFromRequest(ctx context.Context, r *http.Request) (*Session, error)
func (*ManagerHTTP) IssueCookie ¶
func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) error
func (*ManagerHTTP) PurgeFromRequest ¶
func (s *ManagerHTTP) PurgeFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) error
func (*ManagerHTTP) SessionAddAuthenticationMethods ¶
func (s *ManagerHTTP) SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, ams ...AuthenticationMethod) error
func (*ManagerHTTP) UpsertAndIssueCookie ¶
func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, ss *Session) error
type PersistenceProvider ¶
// PersistenceProvider is implemented by dependency registries that can hand
// out the session Persister.
type PersistenceProvider interface {
	SessionPersister() Persister
}
type Persister ¶
// Persister is the storage interface for sessions. Note the distinction the
// method comments draw: Delete* removes a session from the store, whereas
// Revoke* marks it inactive and keeps the record (presumably still visible
// via ListSessionsByIdentity with active=false — confirm against the
// implementation).
type Persister interface {
	// GetSession retrieves a session from the store.
	GetSession(ctx context.Context, sid uuid.UUID) (*Session, error)

	// ListSessionsByIdentity retrieves sessions for an identity from the
	// store. A nil active returns sessions regardless of their state; except
	// names a session ID to leave out of the result.
	ListSessionsByIdentity(ctx context.Context, iID uuid.UUID, active *bool, page, perPage int, except uuid.UUID) ([]*Session, error)

	// UpsertSession inserts the session into the store, or updates it if it
	// already exists.
	UpsertSession(ctx context.Context, s *Session) error

	// DeleteSession removes a session from the store.
	DeleteSession(ctx context.Context, id uuid.UUID) error

	// DeleteSessionsByIdentity removes all active sessions from the store for
	// the given identity. (The parameter name shadows the identity package;
	// harmless in an interface signature.)
	DeleteSessionsByIdentity(ctx context.Context, identity uuid.UUID) error

	// GetSessionByToken gets the session associated with the given token.
	//
	// Functionality is similar to GetSession but accepts a session token
	// instead of a session ID.
	GetSessionByToken(context.Context, string) (*Session, error)

	// DeleteSessionByToken deletes a session associated with the given token.
	//
	// Functionality is similar to DeleteSession but accepts a session token
	// instead of a session ID.
	DeleteSessionByToken(context.Context, string) error

	// RevokeSessionByToken marks the session with the given token inactive.
	RevokeSessionByToken(ctx context.Context, token string) error

	// RevokeSession marks the given session of identity iID inactive.
	RevokeSession(ctx context.Context, iID, sID uuid.UUID) error

	// RevokeSessionsIdentityExcept marks all sessions of identity iID except
	// sID inactive. It returns the number of sessions that were revoked.
	RevokeSessionsIdentityExcept(ctx context.Context, iID, sID uuid.UUID) (int, error)
}
type Session ¶
// Session is an identity's authenticated session as stored in the database
// and as returned by the session API. Fields tagged json:"-" (the session
// and logout tokens, the pop bookkeeping columns, NID) are never serialized;
// the "required: true" lines are swagger annotations and must stay attached
// to their fields.
type Session struct {
	// Session ID
	//
	// required: true
	ID uuid.UUID `json:"id" faker:"-" db:"id"`

	// Active state. If false the session is no longer active.
	Active bool `json:"active" db:"active"`

	// The Session Expiry
	//
	// When this session expires at.
	ExpiresAt time.Time `json:"expires_at" db:"expires_at" faker:"time_type"`

	// The Session Authentication Timestamp
	//
	// When this session was authenticated at. If multi-factor authentication was used this
	// is the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).
	AuthenticatedAt time.Time `json:"authenticated_at" db:"authenticated_at" faker:"time_type"`

	// AuthenticationMethod Assurance Level (AAL)
	//
	// The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder
	// for an attacker to compromise the account.
	//
	// Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g.
	// password + TOTP) have been used.
	//
	// To learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials
	AuthenticatorAssuranceLevel identity.AuthenticatorAssuranceLevel `faker:"len=4" db:"aal" json:"authenticator_assurance_level"`

	// Authentication Method References (AMR)
	//
	// A list of authentication methods (e.g. password, oidc, ...) used to issue this session.
	AMR AuthenticationMethods `db:"authentication_methods" json:"authentication_methods"`

	// The Session Issuance Timestamp
	//
	// When this session was issued at. Usually equal or close to `authenticated_at`.
	IssuedAt time.Time `json:"issued_at" db:"issued_at" faker:"time_type"`

	// The Logout Token
	//
	// Use this token to log out a user. Excluded from JSON output; treat it
	// as a secret.
	LogoutToken string `json:"-" db:"logout_token"`

	// required: true
	Identity *identity.Identity `json:"identity" faker:"identity" db:"-" belongs_to:"identities" fk_id:"IdentityID"`

	// IdentityID is a helper struct field for gobuffalo.pop.
	IdentityID uuid.UUID `json:"-" faker:"-" db:"identity_id"`

	// CreatedAt is a helper struct field for gobuffalo.pop.
	CreatedAt time.Time `json:"-" faker:"-" db:"created_at"`

	// UpdatedAt is a helper struct field for gobuffalo.pop.
	UpdatedAt time.Time `json:"-" faker:"-" db:"updated_at"`

	// The Session Token
	//
	// The token of this session. It identifies the session on its own (see
	// Persister.GetSessionByToken), so it is excluded from JSON output and
	// must be handled as a secret (never logged).
	Token string `json:"-" db:"token"`

	// NID is the network/tenant scope column; not serialized.
	// NOTE(review): the meaning of NID is not visible in this listing — confirm.
	NID uuid.UUID `json:"-" faker:"-" db:"nid"`
}
A Session
swagger:model session
func NewActiveSession ¶
func NewActiveSession(i *identity.Identity, c lifespanProvider, authenticatedAt time.Time, completedLoginFor identity.CredentialsType, completedLoginAAL identity.AuthenticatorAssuranceLevel) (*Session, error)
func NewInactiveSession ¶
func NewInactiveSession() *Session
func (*Session) CompletedLoginFor ¶
func (s *Session) CompletedLoginFor(method identity.CredentialsType, aal identity.AuthenticatorAssuranceLevel)
func (*Session) Declassify ¶
func (s *Session) Declassify() *Session
func (*Session) SetAuthenticatorAssuranceLevel ¶
func (s *Session) SetAuthenticatorAssuranceLevel()