storage

package module
v0.2.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 4, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

README

go-fosite-mongo

Documentation

Index

Constants

View Source 
const (
	// CollectionPrefix provides the prefix to use for all collections created
	CollectionPrefix = "oauth2_"
	// EntityOpenIDSessions provides the name of the entity to use in order to
	// create, read, update and delete OpenID Sessions.
	EntityOpenIDSessions = CollectionPrefix + "openid_connect_session"

	// EntityAccessTokens provides the name of the entity to use in order to
	// create, read, update and delete Access Token sessions.
	EntityAccessTokens = CollectionPrefix + "access_token"

	// EntityRefreshTokens provides the name of the entity to use in order to
	// create, read, update and delete Refresh Token sessions.
	EntityRefreshTokens = CollectionPrefix + "refresh_token"

	// EntityAuthorizationCodes provides the name of the entity to use in order
	// to create, read, update and delete Authorization Code sessions.
	EntityAuthorizationCodes = CollectionPrefix + "authorization_code"

	// EntityPKCESessions provides the name of the entity to use in order to
	// create, read, update and delete Proof Key for Code Exchange sessions.
	EntityPKCESessions = CollectionPrefix + "pkce_session"

	// EntityJtiDenylist provides the name of the entity to use in order to
	// track and deny.
	EntityJtiDenylist = CollectionPrefix + "jti_deny_list"

	// EntityClients provides the name of the entity to use in order to create,
	// read, update and delete Clients.
	EntityClients = CollectionPrefix + "client"

	// EntityUsers provides the name of the entity to use in order to create,
	// read, update and delete Users.
	EntityUsers = CollectionPrefix + "user"
)

Variables

View Source 
var (
	// ErrResourceExists provides an error for when, in most cases, a record's
	// unique identifier already exists in the system.
	ErrResourceExists = errors.New("resource conflict")
)

Functions

func SignatureFromJTI 

func SignatureFromJTI(jti string) string

SignatureFromJTI creates a JTI signature from the JWT Token ID.

Types

type AuthClientFunc 

type AuthClientFunc func(ctx context.Context) (Client, bool)

AuthClientFunc enables developers to supply their own authentication function, to check old hashes that need to be upgraded for clients.

For example, you may have passwords in MD5 and wanting them to be migrated to fosite's default hasher, bcrypt. Therefore, if you do a mass data migration, the function you supply would have to: 

  +- Shortcut logic if the hash string prefix matches what you expect from
		the new hash
  - Get the current client record (return nil, false if not found)
  - Authenticate the current DB secret against MD5
  - Return the Client record and if the client authenticated.
  - if true, the AuthenticateMigration function will upgrade the hash.

type AuthClientMigrator 

type AuthClientMigrator interface {
	// Migrate is provided solely for the case where you want to migrate clients
	// and push in their old hash. This should perform an upsert, either
	// creating or overwriting the record with the newly provided record.
	// If Client.ID is passed in empty, a new ID will be generated for you.
	// Use with caution, be secure, don't be dumb.
	Migrate(ctx context.Context, migratedClient Client) (Client, error)

	// AuthenticateMigration enables developers to supply your own
	// authentication function, which in turn, if true, will migrate the secret
	// to the hasher implemented within fosite.
	AuthenticateMigration(ctx context.Context, currentAuth AuthClientFunc, clientID string, secret string) (Client, error)
}

AuthClientMigrator provides an interface to enable storage backends to implement functionality to upgrade hashes currently stored in the datastore.

type AuthUserFunc 

type AuthUserFunc func(ctx context.Context) (User, bool)

AuthUserFunc enables developers to supply their own authentication function, to check old hashes that need to be upgraded for users.

See AuthClientFunc for example usage.

type AuthUserMigrator 

type AuthUserMigrator interface {
	// Migrate is provided solely for the case where you want to migrate users
	// and push in their old hash. This should perform an upsert, either
	// creating or overwriting the current record with the newly provided
	// record.
	// If User.ID is passed in empty, a new ID will be generated for you.
	// Use with caution, be secure, don't be dumb.
	Migrate(ctx context.Context, migratedUser User) (User, error)

	// AuthenticateMigration enables developers to supply your own
	// authentication function, which in turn, if true, will migrate the secret
	// to the hashes implemented within fosite.
	AuthenticateMigration(ctx context.Context, currentAuth AuthUserFunc, userID string, password string) (User, error)
}

AuthUserMigrator provides an interface to enable storage backends to implement functionality to upgrade hashes currently stored in the datastore.

type Client 

type Client struct {
	// // Client Meta
	// ID is the id for this client.
	ID string `bson:"id" json:"id" xml:"id"`

	// createTime is when the resource was created in seconds from the epoch.
	CreateTime int64 `bson:"created_at" json:"created_at" xml:"created_at"`

	// updateTime is the last time the resource was modified in seconds from
	// the epoch.
	UpdateTime int64 `bson:"updated_at" json:"updated_at" xml:"updated_at"`

	// AllowedAudiences contains a list of Audiences that the client has been
	// given rights to access.
	AllowedAudiences []string `bson:"allowed_audiences" json:"allowed_audiences,omitempty" xml:"allowed_audiences,omitempty"`

	// AllowedRegions contains a list of regions that the client has been
	// given permission to access. This enables filtering for clients based on
	// geographic region.
	AllowedRegions []string `bson:"allowed_regions" json:"allowed_regions,omitempty" xml:"allowed_regions,omitempty"`

	// AllowedTenantAccess contains a list of Tenants that the client has been
	// given rights to access.
	AllowedTenantAccess []string `bson:"allowed_tenant_access" json:"allowed_tenant_access,omitempty" xml:"allowed_tenant_access,omitempty"`

	// GrantTypes contains a list of grant types the client is allowed to use.
	//
	// Pattern: client_credentials|authorize_code|implicit|refresh_token
	GrantTypes []string `bson:"grant_types" json:"grant_types" xml:"grant_types"`

	// ResponseTypes contains a list of the OAuth 2.0 response type strings
	// that the client can use at the authorization endpoint.
	//
	// Pattern: id_token|code|token
	ResponseTypes []string `bson:"response_types" json:"response_types" xml:"response_types"`

	// Scopes contains a list of values the client is entitled to use when
	// requesting an access token (as described in Section 3.3 of OAuth 2.0
	// [RFC6749]).
	//
	// Pattern: ([a-zA-Z0-9\.]+\s)+
	Scopes []string `bson:"scopes" json:"scopes" xml:"scopes"`

	// Public is a boolean that identifies this client as public, meaning that
	// it does not have a secret. It will disable the client_credentials grant
	// type for this client if set.
	Public bool `bson:"public" json:"public" xml:"public"`

	// Disabled stops the client from being able to authenticate to the system.
	Disabled bool `bson:"disabled" json:"disabled" xml:"disabled"`

	// // Client Content
	// Name contains a human-readable string name of the client to be presented
	// to the end-user during authorization.
	Name string `bson:"name" json:"name" xml:"name"`

	// Secret is the client's secret. The secret will be included in the create
	// request as cleartext, and then never again. The secret is stored using
	// BCrypt so it is impossible to recover it.
	// Tell your users that they need to remember the client secret as it will
	// not be made available again.
	Secret string `bson:"secret,omitempty" json:"secret,omitempty" xml:"secret,omitempty"`

	// RedirectURIs contains a list of allowed redirect urls for the client, for
	// example: http://mydomain/oauth/callback.
	RedirectURIs []string `bson:"redirect_uris" json:"redirect_uris" xml:"redirect_uris"`

	// Owner identifies the owner of the OAuth 2.0 Client.
	Owner string `bson:"owner" json:"owner" xml:"owner"`

	// PolicyURI allows the application developer to provide a URI string that
	// points to a human-readable privacy policy document that describes how the
	// deployment organization collects, uses, retains, and discloses personal
	// data.
	PolicyURI string `bson:"policy_uri" json:"policy_uri" xml:"policy_uri"`

	// TermsOfServiceURI allows the application developer to provide a URI
	// string that points to a human-readable terms of service document that
	// describes and outlines the contractual relationship between the end-user
	// and the client application that the end-user accepts when authorizing
	// their use of the client.
	TermsOfServiceURI string `bson:"terms_of_service_uri" json:"terms_of_service_uri" xml:"terms_of_service_uri"`

	// ClientURI allows the application developer to provide a URI string that
	// points to a human-readable web page that provides information about the
	// client application.
	// If present, the server SHOULD display this URL to the end-user in a
	// click-able fashion.
	ClientURI string `bson:"client_uri" json:"client_uri" xml:"client_uri"`

	// LogoURI is an URL string that references a logo for the client.
	LogoURI string `bson:"logo_uri" json:"logo_uri" xml:"logo_uri"`

	// Contacts contains a list ways to contact the developers responsible for
	// this OAuth 2.0 client, typically email addresses.
	Contacts []string `bson:"contacts" json:"contacts" xml:"contacts"`

	// Published provides a switch to hide specific clients if not quite ready
	// for the prime time, or if wanting to keep them hidden.
	Published bool `bson:"published" json:"published" xml:"published"`

	// Provider auth provider
	Provider string `bson:"provider" json:"provider" xml:"provider"`
}

Client provides the structure of an OAuth2.0 Client.

func (*Client) DisableScopeAccess 

func (c *Client) DisableScopeAccess(scopes ...string)

DisableScopeAccess disables client scope access.

func (*Client) DisableTenantAccess 

func (c *Client) DisableTenantAccess(tenantIDs ...string)

DisableTenantAccess removes a single or multiple tenantIDs from the given client.

func (*Client) EnableScopeAccess 

func (c *Client) EnableScopeAccess(scopes ...string)

EnableScopeAccess enables client scope access.

func (*Client) EnableTenantAccess 

func (c *Client) EnableTenantAccess(tenantIDs ...string)

EnableTenantAccess adds a single or multiple tenantIDs to the given client.

func (Client) Equal 

func (c Client) Equal(x Client) bool

Equal enables checking for client equality.

func (*Client) GetAudience 

func (c *Client) GetAudience() fosite.Arguments

GetAudience returns the allowed audience(s) for this client.

func (*Client) GetGrantTypes 

func (c *Client) GetGrantTypes() fosite.Arguments

GetGrantTypes returns an array of strings, wrapped as `fosite.Arguments` to provide functions that allow verifying the Client's Grant Types against incoming requests.

func (*Client) GetHashedSecret 

func (c *Client) GetHashedSecret() []byte

GetHashedSecret returns the Client's Hashed Secret for authenticating with the Identity Provider.

func (*Client) GetID 

func (c *Client) GetID() string

GetID returns the client's Client ID.

func (*Client) GetOwner 

func (c *Client) GetOwner() string

GetOwner returns a string which contains the OAuth Client owner's name. Generally speaking, this will be a developer or an organisation.

func (*Client) GetRedirectURIs 

func (c *Client) GetRedirectURIs() []string

GetRedirectURIs returns the OAuth2.0 authorized Client redirect URIs.

func (*Client) GetResponseTypes 

func (c *Client) GetResponseTypes() fosite.Arguments

GetResponseTypes returns an array of strings, wrapped as `fosite.Arguments` to provide functions that allow verifying the Client's Response Types against incoming requests.

func (*Client) GetScopes 

func (c *Client) GetScopes() fosite.Arguments

GetScopes returns an array of strings, wrapped as `fosite.Arguments` to provide functions that allow verifying the Client's scopes against incoming requests.

func (*Client) IsDisabled 

func (c *Client) IsDisabled() bool

IsDisabled returns a boolean as to whether the Client itself has had it's access disabled.

func (Client) IsEmpty 

func (c Client) IsEmpty() bool

IsEmpty returns whether the client resource is an empty record.

func (*Client) IsPublic 

func (c *Client) IsPublic() bool

IsPublic returns a boolean as to whether the Client itself is either private or public. If public, only trusted OAuth grant types should be used as client secrets shouldn't be exposed to a public client.

type ClientManager 

type ClientManager interface {
	Configure
	ClientStore
	AuthClientMigrator
}

ClientManager provides a generic interface to clients in order to build a Datastore backend.

type ClientStore added in v0.0.4 

type ClientStore interface {
	// Storage fosite.Storage provides get client.
	fosite.Storage

	List(ctx context.Context, filter ListClientsRequest) ([]Client, error)
	Create(ctx context.Context, client Client) (Client, error)
	Get(ctx context.Context, clientID string) (Client, error)
	Update(ctx context.Context, clientID string, client Client) (Client, error)
	Delete(ctx context.Context, clientID string) error
	Authenticate(ctx context.Context, clientID string, secret string) (Client, error)
	GrantScopes(ctx context.Context, clientID string, scopes []string) (Client, error)
	RemoveScopes(ctx context.Context, clientID string, scopes []string) (Client, error)

	IsJWTUsed(ctx context.Context, jti string) (bool, error)
	MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) error
	ClientAssertionJWTValid(_ context.Context, jti string) error
	SetClientAssertionJWT(_ context.Context, jti string, exp time.Time) error
}

ClientStore conforms to fosite.Storage and provides methods

type Configure added in v0.0.4 

type Configure interface {
	// Configure configures the underlying database engine to match
	// requirements.
	// Configure will be called each time a service is started, so ensure this
	// function maintains idempotency.
	// The main use here is to apply creation of tables, collections, schemas
	// any needed migrations and configuration of indexes as required.
	Configure(ctx context.Context) error
}

Configure enables an implementer to configure required migrations, indexing and is called when the datastore connects.

type DeniedJTI 

type DeniedJTI struct {
	JTI       string `bson:"-" json:"-" xml:"-"`
	Signature string `bson:"signature" json:"signature" xml:"signature"`
	Expiry    int64  `bson:"exp" json:"exp" xml:"exp"`
}

DeniedJTI provides the structure for a Denied JSON Web Token (JWT) Token Identifier.

func NewDeniedJTI 

func NewDeniedJTI(jti string, exp time.Time) DeniedJTI

NewDeniedJTI returns a new jti to be denied.

type DeniedJTIManager 

type DeniedJTIManager interface {
	Configure
	DeniedJTIStore
}

DeniedJTIManager provides a generic interface to clients in order to build a Datastore backend.

type DeniedJTIStore added in v0.0.4 

type DeniedJTIStore interface {
	// Create Standard CRUD Storage API
	Create(ctx context.Context, deniedJti DeniedJTI) (DeniedJTI, error)
	Get(ctx context.Context, jti string) (DeniedJTI, error)
	Delete(ctx context.Context, jti string) error
	// DeleteBefore removes all denied JTIs before the given unix time.
	DeleteBefore(ctx context.Context, expBefore int64) error
}

DeniedJTIStore enables storing denied JWT Tokens, by ID.

type Expire added in v0.0.4 

type Expire interface {
	// ConfigureExpiryWithTTL enables a datastore provider to purge data
	// automatically once expired.
	ConfigureExpiryWithTTL(ctx context.Context, ttl int) error
}

type ListClientsRequest 

type ListClientsRequest struct {
	// AllowedTenantAccess filters clients based on an Allowed Tenant Access.
	AllowedTenantAccess string `json:"allowed_tenant_access" xml:"allowed_tenant_access"`
	// AllowedRegion filters clients based on an Allowed Region.
	AllowedRegion string `json:"allowed_region" xml:"allowed_region"`
	// RedirectURI filters clients based on redirectURI.
	RedirectURI string `json:"redirect_uri" xml:"redirect_uri"`
	// GrantType filters clients based on GrantType.
	GrantType string `json:"grant_type" xml:"grant_type"`
	// ResponseType filters clients based on ResponseType.
	ResponseType string `json:"response_type" xml:"response_type"`
	// ScopesIntersection filters clients that have at least the listed scopes.
	// ScopesIntersection performs an AND operation.
	// For example:
	// - given ["cats"] the client must have "cats" in their scopes.
	// - given ["cats, dogs"] the client must have "cats" AND "dogs in their
	//   scopes.
	//
	// If ScopesUnion is provided, a union operation will be performed as it
	// returns the wider selection.
	ScopesIntersection []string `json:"scopes_intersection" xml:"scopes_intersection"`
	// ScopesUnion filters users that have at least one of the listed scopes.
	// ScopesUnion performs an OR operation.
	// For example:
	// - given ["cats"] the client must have "cats" in their scopes.
	// - given ["cats, dogs"] the client must have "cats" OR "dogs in their
	//   scopes.
	ScopesUnion []string `json:"scopes_union" xml:"scopes_union"`
	// Contact filters clients based on Contact.
	Contact string `json:"contact" xml:"contact"`
	// Public filters clients based on Public status.
	Public bool `json:"public" xml:"public"`
	// Disabled filters clients based on denied access.
	Disabled bool `json:"disabled" xml:"disabled"`
	// Published filters clients based on published status.
	Published bool `json:"published" xml:"published"`
}

ListClientsRequest enables listing and filtering client records.

type ListRequestsRequest 

type ListRequestsRequest struct {
	// ClientID enables filtering requests based on Client ID
	ClientID string `json:"client_id" xml:"client_id"`
	// UserID enables filtering requests based on User ID
	UserID string `json:"user_id" xml:"user_id"`
	// ScopesIntersection filters clients that have all of the listed scopes.
	// ScopesIntersection performs an AND operation.
	// If ScopesUnion is provided, a union operation will be performed as it
	// returns the wider selection.
	ScopesIntersection []string `json:"scopes_intersection" xml:"scopes_intersection"`
	// ScopesUnion filters users that have at least one of of the listed scopes.
	// ScopesUnion performs an OR operation.
	ScopesUnion []string `json:"scopes_union" xml:"scopes_union"`
	// GrantedScopesIntersection enables filtering requests based on GrantedScopes
	// GrantedScopesIntersection performs an AND operation.
	// If GrantedScopesIntersection is provided, a union operation will be
	// performed as it returns the wider selection.
	GrantedScopesIntersection []string `json:"granted_scopes_intersection" xml:"granted_scopes_intersection"`
	// GrantedScopesUnion enables filtering requests based on GrantedScopes
	// GrantedScopesUnion performs an OR operation.
	GrantedScopesUnion []string `json:"granted_scopes_union" xml:"granted_scopes_union"`
}

ListRequestsRequest enables filtering stored Request entities.

type ListUsersRequest 

type ListUsersRequest struct {
	// AllowedTenantAccess filters users based on an Allowed Tenant Access.
	AllowedTenantAccess string `json:"allowed_tenant_access" xml:"allowed_tenant_access"`
	// AllowedPersonAccess filters users based on Allowed Person Access.
	AllowedPersonAccess string `json:"allowed_person_access" xml:"allowed_person_access"`
	// AllowedPersonAccess filters users based on Person Access.
	PersonID string `json:"person_id" xml:"person_id"`
	// Username filters users based on username.
	Username string `json:"username" xml:"username"`
	// ScopesUnion filters users that have at least one of the listed scopes.
	// ScopesUnion performs an OR operation.
	// If ScopesUnion is provided, a union operation will be performed as it
	// returns the wider selection.
	ScopesUnion []string `json:"scopes_union" xml:"scopes_union"`
	// ScopesIntersection filters users that have all the listed scopes.
	// ScopesIntersection performs an AND operation.
	ScopesIntersection []string `json:"scopes_intersection" xml:"scopes_intersection"`
	// FirstName filters users based on their First Name.
	FirstName string `json:"first_name" xml:"first_name"`
	// LastName filters users based on their Last Name.
	LastName string `json:"last_name" xml:"last_name"`
	// Disabled filters users to those with disabled accounts.
	Disabled bool `json:"disabled" xml:"disabled"`
}

ListUsersRequest enables filtering stored User entities.

type Request 

type Request struct {
	// ID contains the unique request identifier.
	ID string `bson:"id" json:"id" xml:"id"`
	// CreateTime is when the resource was created in seconds from the epoch.
	CreateTime int64 `bson:"created_at" json:"createTime" xml:"createTime"`
	// UpdateTime is the last time the resource was modified in seconds from
	// the epoch.
	UpdateTime int64 `bson:"updated_at" json:"updateTime" xml:"updateTime"`
	// RequestedAt is the time the request was made.
	RequestedAt time.Time `bson:"requested_at" json:"requestedAt" xml:"requestedAt"`
	// Signature contains a unique session signature.
	Signature string `bson:"signature" json:"signature" xml:"signature"`
	// ClientID contains a link to the Client that was used to authenticate
	// this session.
	ClientID string `bson:"client_id" json:"clientId" xml:"clientId"`
	// UserID contains the subject's unique ID which links back to a stored
	// user account.
	UserID string `bson:"user_id" json:"userId" xml:"userId"`
	// Scopes contains the scopes that the user requested.
	RequestedScope fosite.Arguments `bson:"scopes" json:"scopes" xml:"scopes"`
	// GrantedScope contains the list of scopes that the user was actually
	// granted.
	GrantedScope fosite.Arguments `bson:"granted_scopes" json:"grantedScopes" xml:"grantedScopes"`
	// RequestedAudience contains the audience the user requested.
	RequestedAudience fosite.Arguments `bson:"requested_audience" json:"requestedAudience" xml:"requestedAudience"`
	// GrantedAudience contains the list of audiences the user was actually
	// granted.
	GrantedAudience fosite.Arguments `bson:"granted_audience" json:"grantedAudience" xml:"grantedAudience"`
	// Form contains the url values that were passed in to authenticate the
	// user's client session.
	Form url.Values `bson:"form_data" json:"formData" xml:"formData"`
	// Active is specifically used for Authorize Code flow revocation.
	Active bool `bson:"active" json:"active" xml:"active"`
	// Session contains the session data. The underlying structure differs
	// based on OAuth strategy, so we need to store it as binary-encoded JSON.
	// Otherwise, it can be stored but not unmarshalled back into a
	// fosite.Session.
	Session []byte `bson:"session_data" json:"sessionData" xml:"sessionData"`
}

Request is a concrete implementation of a fosite.Requester, extended to support the required data for OAuth2 and OpenID.

func NewRequest 

func NewRequest() Request

NewRequest returns a new Mongo Store request object.

func (*Request) ToRequest 

func (r *Request) ToRequest(ctx context.Context, session fosite.Session, cm ClientStore) (*fosite.Request, error)

ToRequest transforms a mongo request to a fosite.Request

type RequestManager 

type RequestManager interface {
	Configure
	RequestStore
}

RequestManager provides an interface in order to build a compliant Fosite storage backend.

type RequestStore added in v0.0.4 

type RequestStore interface {
	// CoreStorage OAuth2 storage interfaces.
	oauth2.CoreStorage

	// OpenIDConnectRequestStorage OpenID storage interfaces.
	openid.OpenIDConnectRequestStorage

	// PKCERequestStorage Proof Key for Code Exchange storage interfaces.
	pkce.PKCERequestStorage

	GetPublicKey(ctx context.Context, issuer string, subject string, keyId string) (*jose.JSONWebKey, error)
	GetPublicKeys(ctx context.Context, issuer string, subject string) (*jose.JSONWebKeySet, error)
	GetPublicKeyScopes(ctx context.Context, issuer string, subject string, keyId string) ([]string, error)

	// RevokeRefreshToken Implements the rest of oauth2.TokenRevocationStorage
	RevokeRefreshToken(ctx context.Context, requestID string) error
	RevokeAccessToken(ctx context.Context, requestID string) error
	RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error

	// Authenticate Implements the rest of oauth2.ResourceOwnerPasswordCredentialsGrantStorage
	Authenticate(ctx context.Context, username string, secret string) error

	// List Standard CRUD Storage API
	List(ctx context.Context, entityName string, filter ListRequestsRequest) ([]Request, error)
	Create(ctx context.Context, entityName string, request Request) (Request, error)
	Get(ctx context.Context, entityName string, requestID string) (Request, error)
	Update(ctx context.Context, entityName string, requestID string, request Request) (Request, error)
	Delete(ctx context.Context, entityName string, requestID string) error
	DeleteBySignature(ctx context.Context, entityName string, signature string) error
}

RequestStore implements all fosite interfaces required to be a storage driver.

type Store 

type Store struct {
	ClientManager
	DeniedJTIManager
	RequestManager
	UserManager
}

Store brings all the interfaces together as a way to be composable into storage backend implementations

func (*Store) Authenticate 

func (s *Store) Authenticate(ctx context.Context, username string, secret string) error

Authenticate provides a top level pointer to UserManager to implement fosite.ResourceOwnerPasswordCredentialsGrantStorage at the top level.

You can still access either the RequestManager API, or UserManager API by calling the methods on store direct depending on if you want the User resource returned as well via: - `store.RequestManager.Authenticate(ctx, username, secret) error` - `store.UserManager.Authenticate(ctx, username, secret) (User, error)`

type User 

type User struct {
	// User Meta
	// ID is the uniquely assigned uuid that references the user
	ID string `bson:"id" json:"id" xml:"id"`

	// createTime is when the resource was created in seconds from the epoch.
	CreateTime int64 `bson:"created_at" json:"createTime" xml:"createTime"`

	// updateTime is the last time the resource was modified in seconds from
	// the epoch.
	UpdateTime int64 `bson:"updated_at" json:"updateTime" xml:"updateTime"`

	// AllowedTenantAccess contains the Tenant IDs that the user has been given
	// rights to access.
	// This helps in multi-tenanted situations where a user can be given
	// explicit cross-tenant access.
	AllowedTenantAccess []string `bson:"allowed_tenant_access" json:"allowedTenantAccess,omitempty" xml:"allowedTenantAccess,omitempty"`

	// AllowedPersonAccess contains a list of Person IDs that the user is
	// allowed access to.
	// This helps in multi-tenanted situations where a user can be given
	// explicit access to other people accounts, for example, parents to
	// children records.
	AllowedPersonAccess []string `bson:"allowed_person_access" json:"allowedPersonAccess,omitempty" xml:"allowedPersonAccess,omitempty"`

	// Scopes contains the permissions that the user is entitled to request.
	Scopes []string `bson:"scopes" json:"scopes" xml:"scopes"`

	// Roles contains roles that a user has been granted.
	Roles []string `bson:"roles" json:"roles" xml:"roles"`

	// PersonID is a uniquely assigned id that references a person within the
	// system.
	// This enables applications where an external person data store is present.
	// This helps in multi-tenanted situations where the person is unique, but
	// the underlying user accounts can exist per tenant.
	PersonID string `bson:"person_id" json:"personId" xml:"personId"`

	// Disabled specifies whether the user has been disallowed from signing in
	Disabled bool `bson:"disabled" json:"disabled" xml:"disabled"`

	// User Content
	// Username is used to authenticate a user
	Username string `bson:"username" json:"username" xml:"username"`

	// Password of the user - will be a hash based on your fosite selected
	// hasher.
	// If using this model directly in an API, be sure to clear the password
	// out when marshaling to json/xml.
	Password string `bson:"password,omitempty" json:"password,omitempty" xml:"password,omitempty"`

	// FirstName stores the user's Last Name
	FirstName string `bson:"first_name" json:"firstName" xml:"firstName"`

	// LastName stores the user's Last Name
	LastName string `bson:"last_name" json:"lastName" xml:"lastName"`

	// ProfileURI is a pointer to where their profile picture lives
	ProfileURI string `bson:"profile_uri" json:"profileUri,omitempty" xml:"profileUri,omitempty"`
}

User provides the specific types for storing, editing, deleting and retrieving a User record in mongo.

func (User) Authenticate 

func (u User) Authenticate(cleartext string, hasher fosite.Hasher) error

Authenticate compares a cleartext string against the user's

func (*User) DisablePeopleAccess 

func (u *User) DisablePeopleAccess(personIDs ...string)

DisablePeopleAccess disables user access to the provided people.

func (*User) DisableRoles 

func (u *User) DisableRoles(roles ...string)

DisableRoles removes one or many roles from a user.

func (*User) DisableScopeAccess 

func (u *User) DisableScopeAccess(scopes ...string)

DisableScopeAccess disables user access to one or many scopes.

func (*User) DisableTenantAccess 

func (u *User) DisableTenantAccess(tenantIDs ...string)

DisableTenantAccess disables user access to one or many tenants.

func (*User) EnablePeopleAccess 

func (u *User) EnablePeopleAccess(personIDs ...string)

EnablePeopleAccess enables user access to the provided people

func (*User) EnableRoles 

func (u *User) EnableRoles(roles ...string)

EnableRoles adds one or many roles to a user.

func (*User) EnableScopeAccess 

func (u *User) EnableScopeAccess(scopes ...string)

EnableScopeAccess enables user access to one or many scopes.

func (*User) EnableTenantAccess 

func (u *User) EnableTenantAccess(tenantIDs ...string)

EnableTenantAccess enables user access to one or many tenants.

func (User) Equal 

func (u User) Equal(x User) bool

Equal enables checking equality as having a byte array in a struct stops allowing direct equality checks.

func (User) FullName 

func (u User) FullName() string

FullName concatenates the User's First Name and Last Name for templating purposes

func (*User) GetHashedSecret 

func (u *User) GetHashedSecret() []byte

GetHashedSecret returns the Users's Hashed Secret as a byte array

func (User) IsEmpty 

func (u User) IsEmpty() bool

IsEmpty returns true if the current user holds no data.

func (*User) SetPassword 

func (u *User) SetPassword(cleartext string, hasher fosite.Hasher) (err error)

SetPassword takes a cleartext secret, hashes it with a hasher and sets it as the user's password

type UserManager 

type UserManager interface {
	Configure
	UserStorer
	AuthUserMigrator
}

UserManager provides a generic interface to users in order to build a DataStore

type UserStorer 

type UserStorer interface {
	List(ctx context.Context, filter ListUsersRequest) ([]User, error)
	Create(ctx context.Context, user User) (User, error)
	Get(ctx context.Context, userID string) (User, error)
	GetByUsername(ctx context.Context, username string) (User, error)
	Update(ctx context.Context, userID string, user User) (User, error)
	Delete(ctx context.Context, userID string) error
	Authenticate(ctx context.Context, username string, password string) (User, error)
	AuthenticateByID(ctx context.Context, userID string, password string) (User, error)
	AuthenticateByUsername(ctx context.Context, username string, password string) (User, error)
	GrantScopes(ctx context.Context, userID string, scopes []string) (User, error)
	RemoveScopes(ctx context.Context, userID string, scopes []string) (User, error)
}

UserStorer provides a definition of specific methods that are required to store a User in a data store.

type UsersByFirstName 

type UsersByFirstName []User

UsersByFirstName enables sorting user accounts by First Name A-Z

func (UsersByFirstName) Len 

func (u UsersByFirstName) Len() int

func (UsersByFirstName) Less 

func (u UsersByFirstName) Less(i, j int) bool

func (UsersByFirstName) Swap 

func (u UsersByFirstName) Swap(i, j int)

type UsersByLastName 

type UsersByLastName []User

UsersByLastName enables sorting user accounts by Last Name A-Z

func (UsersByLastName) Len 

func (u UsersByLastName) Len() int

func (UsersByLastName) Less 

func (u UsersByLastName) Less(i, j int) bool

func (UsersByLastName) Swap 

func (u UsersByLastName) Swap(i, j int)

type UsersByUsername 

type UsersByUsername []User

UsersByUsername enables sorting user accounts by Username A-Z

func (UsersByUsername) Len 

func (u UsersByUsername) Len() int

func (UsersByUsername) Less 

func (u UsersByUsername) Less(i, j int) bool

func (UsersByUsername) Swap 

func (u UsersByUsername) Swap(i, j int)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.