Documentation ¶
Index ¶
- Constants
- Variables
- func RedirectOnAuthenticated(d interface{ ... }) httprouter.Handle
- func RedirectOnUnauthenticated(to string) httprouter.Handle
- func RespondWithJSONErrorOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
- func RespondWitherrorGenericOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
- func UpsertAAL(opts *options)
- type AuthenticationMethod
- type AuthenticationMethods
- type CodeExchangeResponse
- type Device
- type DevicePersister
- type ErrAALNotSatisfied
- type ErrNoActiveSessionFound
- type Expandable
- type Expandables
- type Handler
- func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle
- func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated httprouter.Handle) httprouter.Handle
- func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
- func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
- type HandlerProvider
- type ManagementProvider
- type Manager
- type ManagerHTTP
- func (s *ManagerHTTP) ActivateSession(r *http.Request, session *Session, i *identity.Identity, ...) (err error)
- func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string, opts ...ManagerOptions) (err error)
- func (s *ManagerHTTP) FetchFromRequest(ctx context.Context, r *http.Request) (_ *Session, err error)
- func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) (err error)
- func (s *ManagerHTTP) MaybeRedirectAPICodeFlow(w http.ResponseWriter, r *http.Request, f flow.Flow, sessionID uuid.UUID, ...) (handled bool, err error)
- func (s *ManagerHTTP) PurgeFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) (err error)
- func (s *ManagerHTTP) RefreshCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) (err error)
- func (s *ManagerHTTP) SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, ams ...AuthenticationMethod) (err error)
- func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, ss *Session) (err error)
- type ManagerOptions
- type PersistenceProvider
- type Persister
- type Session
- func (s *Session) AuthenticatedVia(method identity.CredentialsType) bool
- func (s *Session) CanBeRefreshed(ctx context.Context, c refreshWindowProvider) bool
- func (s *Session) CompletedLoginFor(method identity.CredentialsType, aal identity.AuthenticatorAssuranceLevel)
- func (s *Session) CompletedLoginForMethod(method AuthenticationMethod)
- func (s *Session) CompletedLoginForWithProvider(method identity.CredentialsType, aal identity.AuthenticatorAssuranceLevel, ...)
- func (s Session) Declassified() *Session
- func (m Session) DefaultPageToken() keysetpagination.PageToken
- func (s *Session) IsActive() bool
- func (s *Session) MarshalJSON() ([]byte, error)
- func (s Session) PageToken() keysetpagination.PageToken
- func (s *Session) Refresh(ctx context.Context, c lifespanProvider) *Session
- func (s *Session) SetAuthenticatorAssuranceLevel()
- func (s *Session) SetSessionDeviceInformation(r *http.Request)
- func (s Session) TableName(ctx context.Context) string
- type SessionExpandable
- type Tokenizer
- type TokenizerProvider
Constants ¶
const ( RouteCollection = "/sessions" RouteExchangeCodeForSessionToken = RouteCollection + "/token-exchange" // #nosec G101 RouteWhoami = RouteCollection + "/whoami" RouteSession = RouteCollection + "/:id" )
const ( AdminRouteIdentity = "/identities" AdminRouteIdentitiesSessions = AdminRouteIdentity + "/:id/sessions" AdminRouteSessionExtendId = RouteSession + "/extend" )
Variables ¶
var ErrIdentityDisabled = herodot.ErrUnauthorized.WithError("identity is disabled").WithReason("This account was disabled.")
var ErrNoAALAvailable = herodot.ErrForbidden.WithReasonf("Unable to detect available authentication methods. Perform account recovery or contact support.")
var ErrNoSessionFound = herodot.ErrUnauthorized.WithReasonf("No valid session credentials found in the request.")
var ExpandDefault = Expandables{ ExpandSessionIdentity, }
ExpandDefault expands the default fields of a session - Associated Identity
var ExpandEverything = Expandables{ ExpandSessionDevices, ExpandSessionIdentity, }
ExpandEverything expands all the fields of a session.
Functions ¶
func RedirectOnAuthenticated ¶
func RedirectOnAuthenticated(d interface{ config.Provider }) httprouter.Handle
func RedirectOnUnauthenticated ¶
func RedirectOnUnauthenticated(to string) httprouter.Handle
func RespondWithJSONErrorOnAuthenticated ¶
func RespondWithJSONErrorOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
func RespondWitherrorGenericOnAuthenticated ¶ added in v0.11.0
func RespondWitherrorGenericOnAuthenticated(h herodot.Writer, err error) httprouter.Handle
Types ¶
type AuthenticationMethod ¶
type AuthenticationMethod struct { // The method used in this authenticator. Method identity.CredentialsType `json:"method"` // The AAL this method introduced. AAL identity.AuthenticatorAssuranceLevel `json:"aal"` // When the authentication challenge was completed. CompletedAt time.Time `json:"completed_at"` // OIDC or SAML provider id used for authentication Provider string `json:"provider,omitempty"` // The Organization id used for authentication Organization string `json:"organization,omitempty"` }
AuthenticationMethod identifies an authentication method
A singular authenticator used during authentication / login.
swagger:model sessionAuthenticationMethod
func (*AuthenticationMethod) Scan ¶
func (n *AuthenticationMethod) Scan(value interface{}) error
Scan implements the Scanner interface.
type AuthenticationMethods ¶
type AuthenticationMethods []AuthenticationMethod
List of (Used) AuthenticationMethods
A list of authenticators which were used to authenticate the session.
swagger:model sessionAuthenticationMethods
func (*AuthenticationMethods) Scan ¶
func (n *AuthenticationMethods) Scan(value interface{}) error
Scan implements the Scanner interface.
type CodeExchangeResponse ¶ added in v1.0.0
type CodeExchangeResponse struct { // The Session Token // // A session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization // Header: // // Authorization: bearer ${session-token} // // The session token is only issued for API flows, not for Browser flows! Token string `json:"session_token,omitempty"` // The Session // // The session contains information about the user, the session device, and so on. // This is only available for API flows, not for Browser flows! // // required: true Session *Session `json:"session"` }
The Response for Registration Flows via API
swagger:model successfulCodeExchangeResponse
type Device ¶
type Device struct { // Device record ID // // required: true ID uuid.UUID `json:"id" faker:"-" db:"id"` // SessionID is a helper struct field for gobuffalo.pop. SessionID uuid.UUID `json:"-" faker:"-" db:"session_id"` // IPAddress of the client IPAddress *string `json:"ip_address" faker:"ptr_ipv4" db:"ip_address"` // UserAgent of the client UserAgent *string `json:"user_agent" faker:"-" db:"user_agent"` // Geo Location corresponding to the IP Address Location *string `json:"location" faker:"ptr_geo_location" db:"location"` // Time of capture CreatedAt time.Time `json:"-" faker:"-" db:"created_at"` // Last updated at UpdatedAt time.Time `json:"-" faker:"-" db:"updated_at"` NID uuid.UUID `json:"-" faker:"-" db:"nid"` }
Device corresponding to a Session
swagger:model sessionDevice
type DevicePersister ¶ added in v0.13.0
type ErrAALNotSatisfied ¶
type ErrAALNotSatisfied struct { *herodot.DefaultError `json:"error"` RedirectTo string `json:"redirect_browser_to"` }
ErrAALNotSatisfied is returned when an active session was found but the requested AAL is not satisfied.
func NewErrAALNotSatisfied ¶
func NewErrAALNotSatisfied(redirectTo string) *ErrAALNotSatisfied
NewErrAALNotSatisfied creates a new ErrAALNotSatisfied.
func (*ErrAALNotSatisfied) EnhanceJSONError ¶
func (e *ErrAALNotSatisfied) EnhanceJSONError() interface{}
func (*ErrAALNotSatisfied) PassReturnToAndLoginChallengeParameters ¶ added in v0.11.0
func (e *ErrAALNotSatisfied) PassReturnToAndLoginChallengeParameters(requestURL string) error
type ErrNoActiveSessionFound ¶
type ErrNoActiveSessionFound struct { *herodot.DefaultError `json:"error"` // contains filtered or unexported fields }
ErrNoActiveSessionFound is returned when no active cookie session could be found in the request.
func NewErrNoActiveSessionFound ¶
func NewErrNoActiveSessionFound() *ErrNoActiveSessionFound
NewErrNoActiveSessionFound creates a new ErrNoActiveSessionFound
func NewErrNoCredentialsForSession ¶ added in v0.11.0
func NewErrNoCredentialsForSession() *ErrNoActiveSessionFound
NewErrNoCredentialsForSession creates a new NewErrNoCredentialsForSession
func (*ErrNoActiveSessionFound) EnhanceJSONError ¶
func (e *ErrNoActiveSessionFound) EnhanceJSONError() interface{}
type Expandable ¶ added in v0.11.0
type Expandable = sqlxx.Expandable
Expandable controls what fields to expand for sessions.
const ( // ExpandSessionDevices expands devices related to the session ExpandSessionDevices Expandable = "Devices" // ExpandSessionIdentity expands Identity related to the session ExpandSessionIdentity Expandable = "Identity" ExpandSessionIdentityRecoveryAddress Expandable = "Identity.RecoveryAddresses" ExpandSessionIdentityVerifiableAddress Expandable = "Identity.VerifiableAddresses" )
func ParseExpandable ¶ added in v0.11.0
func ParseExpandable(in string) (Expandable, bool)
type Expandables ¶ added in v0.11.0
type Expandables = sqlxx.Expandables
Expandables is a list of Expandable values.
var ExpandNothing Expandables
ExpandNothing expands nothing
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
func NewHandler ¶
func NewHandler( r handlerDependencies, ) *Handler
func (*Handler) IsAuthenticated ¶
func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle
func (*Handler) IsNotAuthenticated ¶
func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated httprouter.Handle) httprouter.Handle
func (*Handler) RegisterAdminRoutes ¶
func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin)
func (*Handler) RegisterPublicRoutes ¶
func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic)
type HandlerProvider ¶
type HandlerProvider interface {
SessionHandler() *Handler
}
type ManagementProvider ¶
type ManagementProvider interface {
SessionManager() Manager
}
type Manager ¶
type Manager interface { // UpsertAndIssueCookie stores a session in the database and issues a cookie by calling IssueCookie. // // Also regenerates CSRF tokens due to assumed principal change. UpsertAndIssueCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error // IssueCookie issues a cookie for the given session. // // Also regenerates CSRF tokens due to assumed principal change. IssueCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error // RefreshCookie checks if the request uses an outdated cookie and refreshes the cookie if needed. RefreshCookie(context.Context, http.ResponseWriter, *http.Request, *Session) error // FetchFromRequest creates an HTTP session using cookies. FetchFromRequest(context.Context, *http.Request) (*Session, error) // PurgeFromRequest removes an HTTP session. PurgeFromRequest(context.Context, http.ResponseWriter, *http.Request) error // DoesSessionSatisfy answers if a session is satisfying the AAL of a user. // // The matcher value can be one of: // // - `highest_available`: If set requires the user to upgrade their session to the highest available AAL for that user. // - `aal1`: Requires the user to have authenticated with at least one authentication factor. // // This method is implemented in such a way, that if a second factor is found for the user, it is always assumed // that the user is able to authenticate with it. This means that if a user has a second factor, the user is always // asked to authenticate with it if `highest_available` is set and the session's AAL is `aal1`. DoesSessionSatisfy(r *http.Request, sess *Session, matcher string, opts ...ManagerOptions) error // SessionAddAuthenticationMethods adds one or more authentication method to the session. SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, methods ...AuthenticationMethod) error // MaybeRedirectAPICodeFlow for API+Code flows redirects the user to the return_to URL and adds the code query parameter. // `handled` is true if the request a redirect was written, false otherwise. MaybeRedirectAPICodeFlow(w http.ResponseWriter, r *http.Request, f flow.Flow, sessionID uuid.UUID, uiNode node.UiNodeGroup) (handled bool, err error) // ActivateSession activates a session. // // This method is used to activate a session after a user authenticated with a first or second factor. It sets // all computed values (e.g. authenticator assurance level) and updates the session object but does not store // the session in the database or on the client device. ActivateSession(r *http.Request, session *Session, i *identity.Identity, authenticatedAt time.Time) error }
Manager handles identity sessions.
type ManagerHTTP ¶
type ManagerHTTP struct {
// contains filtered or unexported fields
}
func NewManagerHTTP ¶
func NewManagerHTTP(r managerHTTPDependencies) *ManagerHTTP
func (*ManagerHTTP) ActivateSession ¶ added in v1.3.0
func (*ManagerHTTP) DoesSessionSatisfy ¶
func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, requestedAAL string, opts ...ManagerOptions) (err error)
func (*ManagerHTTP) FetchFromRequest ¶
func (*ManagerHTTP) IssueCookie ¶
func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) (err error)
func (*ManagerHTTP) MaybeRedirectAPICodeFlow ¶ added in v1.0.0
func (s *ManagerHTTP) MaybeRedirectAPICodeFlow(w http.ResponseWriter, r *http.Request, f flow.Flow, sessionID uuid.UUID, uiNode node.UiNodeGroup) (handled bool, err error)
func (*ManagerHTTP) PurgeFromRequest ¶
func (s *ManagerHTTP) PurgeFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) (err error)
func (*ManagerHTTP) RefreshCookie ¶ added in v0.11.0
func (s *ManagerHTTP) RefreshCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) (err error)
func (*ManagerHTTP) SessionAddAuthenticationMethods ¶
func (s *ManagerHTTP) SessionAddAuthenticationMethods(ctx context.Context, sid uuid.UUID, ams ...AuthenticationMethod) (err error)
func (*ManagerHTTP) UpsertAndIssueCookie ¶
func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, ss *Session) (err error)
type ManagerOptions ¶ added in v1.0.0
type ManagerOptions func(*options)
func WithRequestURL ¶ added in v1.0.0
func WithRequestURL(requestURL string) ManagerOptions
WithRequestURL passes along query parameters from the requestURL to the new URL (if any exist)
type PersistenceProvider ¶
type PersistenceProvider interface {
SessionPersister() Persister
}
type Persister ¶
type Persister interface { GetConnection(ctx context.Context) *pop.Connection // GetSession retrieves a session from the store. GetSession(ctx context.Context, sid uuid.UUID, expandables Expandables) (*Session, error) // ListSessions retrieves all sessions. ListSessions(ctx context.Context, active *bool, paginatorOpts []keysetpagination.Option, expandables Expandables) ([]Session, int64, *keysetpagination.Paginator, error) // ListSessionsByIdentity retrieves sessions for an identity from the store. ListSessionsByIdentity(ctx context.Context, iID uuid.UUID, active *bool, page, perPage int, except uuid.UUID, expandables Expandables) ([]Session, int64, error) // UpsertSession inserts or updates a session into / in the store. UpsertSession(ctx context.Context, s *Session) error // ExtendSession updates the expiry of a session. ExtendSession(ctx context.Context, sessionID uuid.UUID) error // DeleteSession removes a session from the store. DeleteSession(ctx context.Context, id uuid.UUID) error // DeleteSessionsByIdentity removes all active session from the store for the given identity. DeleteSessionsByIdentity(ctx context.Context, identity uuid.UUID) error // GetSessionByToken gets the session associated with the given token. // // Functionality is similar to GetSession but accepts a session token // instead of a session ID. GetSessionByToken(ctx context.Context, token string, expandables Expandables, identityExpandables identity.Expandables) (*Session, error) // DeleteExpiredSessions deletes sessions that expired before the given time. DeleteExpiredSessions(context.Context, time.Time, int) error // DeleteSessionByToken deletes a session associated with the given token. // // Functionality is similar to DeleteSession but accepts a session token // instead of a session ID. DeleteSessionByToken(context.Context, string) error // RevokeSessionByToken marks a session inactive with the given token. RevokeSessionByToken(ctx context.Context, token string) error // RevokeSessionById marks a session inactive with the specified uuid RevokeSessionById(ctx context.Context, sID uuid.UUID) error // RevokeSession marks a given session inactive. RevokeSession(ctx context.Context, iID, sID uuid.UUID) error // RevokeSessionsIdentityExcept marks all except the given session of an identity inactive. It returns the number of sessions that were revoked. RevokeSessionsIdentityExcept(ctx context.Context, iID, sID uuid.UUID) (int, error) }
type Session ¶
type Session struct { // Session ID // // required: true ID uuid.UUID `json:"id" faker:"-" db:"id"` // Active state. If false the session is no longer active. Active bool `json:"active" db:"active"` // The Session Expiry // // When this session expires at. ExpiresAt time.Time `json:"expires_at" db:"expires_at" faker:"time_type"` // The Session Authentication Timestamp // // When this session was authenticated at. If multi-factor authentication was used this // is the time when the last factor was authenticated (e.g. the TOTP code challenge was completed). AuthenticatedAt time.Time `json:"authenticated_at" db:"authenticated_at" faker:"time_type"` // AuthenticationMethod Assurance Level (AAL) // // The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder // for an attacker to compromise the account. // // Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g. // password + TOTP) have been used. // // To learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials AuthenticatorAssuranceLevel identity.AuthenticatorAssuranceLevel `faker:"len=4" db:"aal" json:"authenticator_assurance_level"` // Authentication Method References (AMR) // // A list of authentication methods (e.g. password, oidc, ...) used to issue this session. AMR AuthenticationMethods `db:"authentication_methods" json:"authentication_methods"` // The Session Issuance Timestamp // // When this session was issued at. Usually equal or close to `authenticated_at`. IssuedAt time.Time `json:"issued_at" db:"issued_at" faker:"time_type"` // The Logout Token // // Use this token to log out a user. LogoutToken string `json:"-" db:"logout_token"` // The Session Identity // // The identity that authenticated this session. // // If 2FA is required for the user, and the authentication process only solved the first factor, this field will be // null until the session has been fully authenticated with the second factor. Identity *identity.Identity `json:"identity" faker:"identity" db:"-" belongs_to:"identities" fk_id:"IdentityID"` // Devices has history of all endpoints where the session was used Devices []Device `json:"devices" faker:"-" has_many:"session_devices" fk_id:"session_id"` // IdentityID is a helper struct field for gobuffalo.pop. IdentityID uuid.UUID `json:"-" faker:"-" db:"identity_id"` // CreatedAt is a helper struct field for gobuffalo.pop. CreatedAt time.Time `json:"-" faker:"-" db:"created_at"` // UpdatedAt is a helper struct field for gobuffalo.pop. UpdatedAt time.Time `json:"-" faker:"-" db:"updated_at"` // Tokenized is the tokenized (e.g. JWT) version of the session. // // It is only set when the `tokenize` query parameter was set to a valid tokenize template during calls to `/session/whoami`. Tokenized string `json:"tokenized,omitempty" faker:"-" db:"-"` // The Session Token // // The token of this session. Token string `json:"-" db:"token"` NID uuid.UUID `json:"-" faker:"-" db:"nid"` }
A Session
swagger:model session
func NewInactiveSession ¶
func NewInactiveSession() *Session
func (*Session) AuthenticatedVia ¶ added in v1.0.0
func (s *Session) AuthenticatedVia(method identity.CredentialsType) bool
func (*Session) CanBeRefreshed ¶
func (*Session) CompletedLoginFor ¶
func (s *Session) CompletedLoginFor(method identity.CredentialsType, aal identity.AuthenticatorAssuranceLevel)
func (*Session) CompletedLoginForMethod ¶ added in v1.1.0
func (s *Session) CompletedLoginForMethod(method AuthenticationMethod)
func (*Session) CompletedLoginForWithProvider ¶ added in v1.0.0
func (s *Session) CompletedLoginForWithProvider(method identity.CredentialsType, aal identity.AuthenticatorAssuranceLevel, providerID string, organizationID string)
func (Session) Declassified ¶ added in v0.13.0
func (Session) DefaultPageToken ¶ added in v0.11.1
func (m Session) DefaultPageToken() keysetpagination.PageToken
func (*Session) MarshalJSON ¶ added in v0.11.0
func (Session) PageToken ¶ added in v0.11.0
func (s Session) PageToken() keysetpagination.PageToken
func (*Session) SetAuthenticatorAssuranceLevel ¶
func (s *Session) SetAuthenticatorAssuranceLevel()
func (*Session) SetSessionDeviceInformation ¶ added in v0.13.0
type SessionExpandable ¶ added in v1.2.0
type SessionExpandable string
Expandable properties of a session swagger:enum SessionExpandable
const ( SessionExpandableIdentity SessionExpandable = "identity" SessionExpandableDevices SessionExpandable = "devices" )
type Tokenizer ¶ added in v1.1.0
type Tokenizer struct {
// contains filtered or unexported fields
}
func NewTokenizer ¶ added in v1.1.0
func NewTokenizer(r tokenizerDependencies) *Tokenizer
func (*Tokenizer) SetNowFunc ¶ added in v1.1.0
type TokenizerProvider ¶ added in v1.1.0
type TokenizerProvider interface {
SessionTokenizer() *Tokenizer
}