Constants ¶
const (
	// MaxEmailLength is the upper bound on the length of a User's Email.
	// NOTE(review): presumably enforced by ValidEmail — confirm in its body.
	MaxEmailLength = 200

	// The Claim* constants below name the private JWT claims carried by the
	// email-verification, password-reset and invitation tokens. They are URIs
	// (the collision-resistant form the JWT spec recommends for private
	// claim names) and are not meant to be resolved.

	// ClaimPasswordResetPassword represents the hash of the password to be
	// reset; in other words, the old password. Carrying the old hash in the
	// token presumably lets a verifier reject a reset once the password has
	// already been changed, so the token cannot be replayed.
	ClaimPasswordResetPassword = "http://coreos.com/password/old-hash"

	// ClaimEmailVerificationEmail represents the email to be verified. Note
	// that we are intentionally not using the "email" claim for this purpose,
	// so that a token for an unverified address is never mistaken for an
	// ordinary ID token asserting that address.
	ClaimEmailVerificationEmail = "http://coreos.com/email/verificationEmail"

	// ClaimPasswordResetCallback represents where a user should be sent after
	// resetting their password. The callback URL comes from the token itself,
	// so it is only as trustworthy as the token's signature: never redirect to
	// it from a token that has not been verified.
	ClaimPasswordResetCallback = "http://coreos.com/password/reset-callback"

	// ClaimEmailVerificationCallback represents where a user should be sent
	// after verifying their email address. Same caveat as
	// ClaimPasswordResetCallback: use only after signature verification.
	ClaimEmailVerificationCallback = "http://coreos.com/email/verification-callback"

	// ClaimInvitationCallback represents where a user should be sent after
	// responding to an invitation. Same caveat as ClaimPasswordResetCallback.
	ClaimInvitationCallback = "http://coreos.com/invitation/callback"
)
Variables ¶
var (
	// PasswordHasher is the function used to turn a plaintext password into
	// a stored hash; it defaults to DefaultPasswordHasher. Because it is a
	// mutable package-level variable, replacing it after any password has
	// been stored can leave existing hashes unverifiable. Override it, if at
	// all, once at start-up and identically in every process that shares
	// the same PasswordInfoRepo.
	PasswordHasher = DefaultPasswordHasher

	// ErrorInvalidPassword reports a plaintext password that is not
	// acceptable (presumably the failure case of ValidPassword — confirm).
	ErrorInvalidPassword = errors.New("invalid Password")

	// ErrorPasswordHashNoMatch reports that a plaintext password did not
	// match the stored hash.
	ErrorPasswordHashNoMatch = errors.New("password and hash don't match")

	// ErrorPasswordExpired reports that the stored password is past its
	// expiry and must be reset before it can be used.
	ErrorPasswordExpired = errors.New("password has expired")

	// NOTE(review): when surfacing any of the three errors above (or
	// ErrorNotFound) to an end user, collapse them into one generic
	// "authentication failed" response so the distinction does not reveal
	// which accounts exist or what state they are in.
)
var (
	// ErrorDuplicateID reports an attempt to create a User whose ID is
	// already taken (see the UserRepo uniqueness invariants).
	ErrorDuplicateID = errors.New("ID not available")

	// ErrorDuplicateEmail reports an attempt to create or update a User with
	// an Email that belongs to another User.
	ErrorDuplicateEmail = errors.New("email not available")

	// ErrorDuplicateRemoteIdentity reports an attempt to link a RemoteIdentity
	// (ConnectorID + ID) that is already linked to a different User.
	ErrorDuplicateRemoteIdentity = errors.New("remote identity already in use for another user")

	// ErrorInvalidEmail reports an Email that fails validation
	// (presumably the failure case of ValidEmail — confirm).
	ErrorInvalidEmail = errors.New("invalid Email")

	// ErrorInvalidID reports a User ID that fails validation.
	ErrorInvalidID = errors.New("invalid ID")

	// ErrorNotFound reports that no User matched the lookup.
	ErrorNotFound = errors.New("user not found in repository")
)
Functions ¶
func DefaultPasswordHasher ¶
func DefaultUserIDGenerator ¶
func EncodeNextPageToken ¶
func EncodeNextPageToken(filter UserFilter, maxResults int, offset int) (string, error)
func LoadPasswordInfos ¶
func LoadPasswordInfos(repo PasswordInfoRepo, pws []PasswordInfo) error
func ValidEmail ¶
func ValidPassword ¶
Types ¶
type EmailVerification ¶
func NewEmailVerification ¶
func NewEmailVerification(user User, clientID string, issuer url.URL, callback url.URL, expires time.Duration) EmailVerification
NewEmailVerification creates an object which can be sent to a user in serialized form to verify that they control an email address. The clientID identifies the client on whose behalf the user is registering (presumably it is carried in the resulting token's "aud" claim, which ParseAndVerifyEmailVerificationToken requires). The callback is where a user should land after verifying their email. expires bounds the lifetime of the resulting token; since the serialized token is a bearer credential, keep it short.
func ParseAndVerifyEmailVerificationToken ¶
func ParseAndVerifyEmailVerificationToken(token string, issuer url.URL, keys []key.PublicKey) (EmailVerification, error)
ParseAndVerifyEmailVerificationToken parses a string into an EmailVerification, verifies the signature against the supplied keys, and ensures that required claims are present. In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimEmailVerificationCallback and ClaimEmailVerificationEmail. It takes no repository, so it cannot tell whether the address has already been verified or the token already used; callers must enforce single use, and check that "aud" names the client they expect, themselves.
func (EmailVerification) Callback ¶
func (e EmailVerification) Callback() *url.URL
func (EmailVerification) Email ¶
func (e EmailVerification) Email() string
func (EmailVerification) UserID ¶
func (e EmailVerification) UserID() string
type Invitation ¶ added in v0.2.0
An Invitation is a token that can be used for verifying an email address and resetting a password in a single step. It will be sent as part of a link in an email automatically to newly created users if email is configured. Because the link alone both verifies the address and authorizes setting a password, it is a bearer credential that lets whoever holds it take control of the new account until it expires; keep its expiry short and treat the email delivery path as part of the trust boundary.
func NewInvitation ¶ added in v0.2.0
func ParseAndVerifyInvitationToken ¶ added in v0.2.0
func (Invitation) Callback ¶ added in v0.2.0
func (iv Invitation) Callback() *url.URL
func (Invitation) ClientID ¶ added in v0.2.0
func (iv Invitation) ClientID() string
func (Invitation) Email ¶ added in v0.2.0
func (iv Invitation) Email() string
func (Invitation) Password ¶ added in v0.2.0
func (iv Invitation) Password() Password
func (Invitation) PasswordReset ¶ added in v0.2.0
func (iv Invitation) PasswordReset(issuer url.URL, expires time.Duration) PasswordReset
func (Invitation) UserID ¶ added in v0.2.0
func (iv Invitation) UserID() string
type PasswordInfo ¶
func (PasswordInfo) Authenticate ¶
func (p PasswordInfo) Authenticate(plaintext string) (*oidc.Identity, error)
func (PasswordInfo) Identity ¶
func (p PasswordInfo) Identity() oidc.Identity
func (*PasswordInfo) UnmarshalJSON ¶
func (u *PasswordInfo) UnmarshalJSON(data []byte) error
type PasswordInfoRepo ¶
// PasswordInfoRepo persists the password credential (PasswordInfo) of
// users. Every method runs inside the supplied repo.Transaction so that
// credential changes can be committed atomically with the matching
// UserRepo changes. The id passed to Get is presumably the owning User's
// ID — confirm against the implementations.
type PasswordInfoRepo interface {
	// Get returns the stored PasswordInfo for id.
	Get(tx repo.Transaction, id string) (PasswordInfo, error)
	// Update replaces an existing PasswordInfo.
	Update(repo.Transaction, PasswordInfo) error
	// Create stores a new PasswordInfo.
	Create(repo.Transaction, PasswordInfo) error
}
func NewPasswordInfoRepo ¶
func NewPasswordInfoRepo() PasswordInfoRepo
func NewPasswordInfoRepoFromFile ¶
func NewPasswordInfoRepoFromFile(loc string) (PasswordInfoRepo, error)
func NewPasswordInfoRepoFromPasswordInfos ¶
func NewPasswordInfoRepoFromPasswordInfos(pws []PasswordInfo) PasswordInfoRepo
type PasswordReset ¶
func NewPasswordReset ¶
func ParseAndVerifyPasswordResetToken ¶
func ParseAndVerifyPasswordResetToken(token string, issuer url.URL, keys []key.PublicKey) (PasswordReset, error)
ParseAndVerifyPasswordResetToken parses a string into a PasswordReset, verifies the signature against the supplied keys, and ensures that required claims are present. In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimPasswordResetCallback and ClaimPasswordResetPassword. The function consults no repository, so it cannot know whether the password has changed since the token was issued; the old hash is embedded (presumably for this reason) so that callers can compare Password() with the stored hash and reject the reset when they differ, preventing replay of an old reset link.
func (PasswordReset) Callback ¶
func (e PasswordReset) Callback() *url.URL
func (PasswordReset) Password ¶
func (e PasswordReset) Password() Password
func (PasswordReset) UserID ¶
func (e PasswordReset) UserID() string
type RemoteIdentity ¶
// RemoteIdentity represents a User's identity at an IDP. The pair
// (ConnectorID, ID) is the identity; ID alone is meaningless, because the
// same ID string at two different connectors denotes two unrelated people.
// Lookups must therefore always be scoped by ConnectorID
// (see UserRepo.GetByRemoteIdentity).
type RemoteIdentity struct {
	// ConnectorID is the identifier of the IDP (connector) which hosts this
	// identity. (The original comment called this field IDPCID.)
	ConnectorID string
	// ID is the identifier of this User at the IDP.
	ID string
}
RemoteIdentity represents a User's identity at an IDP.
func (*RemoteIdentity) UnmarshalJSON ¶
func (u *RemoteIdentity) UnmarshalJSON(data []byte) error
type TokenClaims ¶ added in v0.2.0
type User ¶
// User is an account known to a UserRepo. It carries no credential: password
// material lives in PasswordInfo and federated logins in RemoteIdentity.
type User struct {
	// ID is the machine-generated, stable, unique identifier for this User.
	// UserRepo.Get looks users up by it and the repo must never hand it to a
	// second user (see ErrorDuplicateID).
	ID string

	// DisplayName is a human readable name meant for display purposes.
	// DisplayName is not necessarily unique within a UserRepo, so it must
	// never be used to identify or authorize a user.
	DisplayName string

	// Email is the user's address. UserRepo requires it to be unique (see
	// ErrorDuplicateEmail) and UserRepo.GetByEmail looks users up by it.
	Email string

	// EmailVerified records that the user has proven control of Email —
	// presumably set after an EmailVerification or Invitation token has been
	// accepted; TODO confirm which code paths set it.
	EmailVerified bool

	// Admin marks an administrative user; UserRepo.GetAdminCount counts
	// users with this flag set.
	Admin bool

	// Disabled is toggled via UserRepo.Disable. NOTE(review): login paths
	// are expected to refuse disabled users — confirm in the callers.
	Disabled bool

	// CreatedAt is when the User was created.
	CreatedAt time.Time
}
func (*User) AddToClaims ¶
AddToClaims adds basic information about the user to the given Claims. http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
func (*User) UnmarshalJSON ¶
type UserFilter ¶
// UserFilter constrains the results of UserRepo.List. As rendered here it
// exposes no exported fields; whatever criteria it holds are unexported.
// It is also what EncodeNextPageToken serializes into a page token, so any
// criteria it gains end up in a value that is handed to clients.
type UserFilter struct {
}
func DecodeNextPageToken ¶
func DecodeNextPageToken(tok string) (UserFilter, int, int, error)
type UserIDGenerator ¶
type UserRepo ¶
// UserRepo implementations maintain a persistent set of users. Every
// method takes the repo.Transaction it should operate in, so callers can
// group user changes with PasswordInfoRepo changes in one transaction.
type UserRepo interface {
	// Get returns the User with the given ID.
	Get(tx repo.Transaction, id string) (User, error)

	// List returns a list of users meeting the given conditions.
	// A nextPageToken is returned when there are further results to be had,
	// with the expectation that it will be passed into a subsequent List
	// call. When nextPageToken is non-empty filter and maxResults are ignored:
	// the token alone carries the filter, page size and offset (see
	// EncodeNextPageToken / DecodeNextPageToken). NOTE(review): unless the
	// token is integrity-protected, a client can craft one, so treat the
	// decoded values as untrusted input and bound maxResults and offset.
	List(tx repo.Transaction, filter UserFilter, maxResults int, nextPageToken string) ([]User, string, error)

	// Create stores a new User, honouring the uniqueness invariants
	// (ErrorDuplicateID / ErrorDuplicateEmail).
	Create(repo.Transaction, User) error

	// GetByEmail returns the User whose Email matches.
	GetByEmail(tx repo.Transaction, email string) (User, error)

	// Disable sets or clears the Disabled flag of the User with the given ID.
	Disable(tx repo.Transaction, id string, disabled bool) error

	// Update replaces an existing User.
	Update(repo.Transaction, User) error

	// GetByRemoteIdentity returns the User linked to the given
	// (ConnectorID, ID) pair; the lookup must use both fields.
	GetByRemoteIdentity(repo.Transaction, RemoteIdentity) (User, error)

	// AddRemoteIdentity links remoteID to userID; it must fail with
	// ErrorDuplicateRemoteIdentity rather than re-link an identity that
	// already belongs to another user.
	AddRemoteIdentity(tx repo.Transaction, userID string, remoteID RemoteIdentity) error

	// RemoveRemoteIdentity unlinks remoteID from userID.
	RemoveRemoteIdentity(tx repo.Transaction, userID string, remoteID RemoteIdentity) error

	// GetRemoteIdentities lists the identities linked to userID.
	GetRemoteIdentities(tx repo.Transaction, userID string) ([]RemoteIdentity, error)

	// GetAdminCount returns the number of users with Admin set —
	// presumably so callers can refuse to demote or disable the last admin.
	GetAdminCount(repo.Transaction) (int, error)
}
UserRepo implementations maintain a persistent set of users. The following invariants must be maintained:
- Each User's Email and ID must be unique within the repository; Create and Update are expected to fail with ErrorDuplicateEmail / ErrorDuplicateID rather than overwrite an existing User.
- No two Users may share a RemoteIdentity (ConnectorID plus ID); AddRemoteIdentity is expected to fail with ErrorDuplicateRemoteIdentity instead of re-linking an identity to a second user. (This constraint may be relaxed in the future.)
func NewUserRepo ¶
func NewUserRepo() UserRepo
NewUserRepo returns an in-memory UserRepo useful for development. Its contents are not persisted and are lost when the process exits, so it is not suitable for production use.
func NewUserRepoFromFile ¶
NewUserRepoFromFile returns an in-memory UserRepo useful for development, seeded from a JSON-serialized file of Users. Changes made through the repo are presumably held only in memory and not written back to the file, so it is not suitable for production use.
func NewUserRepoFromUsers ¶
func NewUserRepoFromUsers(us []UserWithRemoteIdentities) UserRepo
type UserWithRemoteIdentities ¶
// UserWithRemoteIdentities bundles a User with its linked RemoteIdentities.
// It is the element type accepted by NewUserRepoFromUsers and, given its
// JSON tags, presumably the record format of the file read by
// NewUserRepoFromFile.
type UserWithRemoteIdentities struct {
	// User is the account record.
	User User `json:"user"`
	// RemoteIdentities are the federated identities linked to User.
	RemoteIdentities []RemoteIdentity `json:"remoteIdentities"`
}