tokenauth

package
v1.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 14, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// AudRokwire represents the ROKWIRE audience
	AudRokwire string = "rokwire"
)

Variables

This section is empty.

Functions

func GenerateSignedToken 

func GenerateSignedToken(claims *Claims, key *keys.PrivKey) (string, error)

GenerateSignedToken generates and signs a new JWT with the given claims using key

func GetAccessToken 

func GetAccessToken(r *http.Request) (string, error)

GetAccessToken retrieves an access token from the request headers

Access tokens must be provided as a Bearer token in the "Authorization" header

Types

type AuthenticatedHandler 

type AuthenticatedHandler struct {
	// contains filtered or unexported fields
}

AuthenticatedHandler entity This enforces that the token was the result of direct user authentication. This should be used to protect sensitive account settings

func NewAuthenticatedHandler 

func NewAuthenticatedHandler(userAuth *UserHandler) *AuthenticatedHandler

NewAuthenticatedHandler creates a new AuthenticatedHandler

func (*AuthenticatedHandler) Check 

func (h *AuthenticatedHandler) Check(req *http.Request) (int, *Claims, error)

Check checks the token in the provided request

func (*AuthenticatedHandler) GetTokenAuth 

func (h *AuthenticatedHandler) GetTokenAuth() *TokenAuth

GetTokenAuth exposes the TokenAuth for the handler

type Claims 

type Claims struct {
	// Required JWT Claims: sub, aud, exp, iat
	jwt.RegisteredClaims
	OrgID         string `json:"org_id" validate:"required"`    // Organization ID
	AppID         string `json:"app_id"`                        // Application ID
	SessionID     string `json:"session_id"`                    // Session ID
	Purpose       string `json:"purpose" validate:"required"`   // Token purpose (eg. access...)
	AuthType      string `json:"auth_type" validate:"required"` // Authentication method (eg. email, phone...)
	Permissions   string `json:"permissions"`                   // Granted permissions
	Scope         string `json:"scope"`                         // Granted scope
	Anonymous     bool   `json:"anonymous"`                     // Is the user anonymous?
	Authenticated bool   `json:"authenticated"`                 // Did the user authenticate? (false on refresh)
	Service       bool   `json:"service"`                       // Is this token for a service account?
	FirstParty    bool   `json:"first_party"`                   // Is this token used by a first party service (eg. ROKWIRE building block)?
	Admin         bool   `json:"admin"`                         // Is this token for an admin?
	System        bool   `json:"system"`                        // Is this token for a system admin?

	// User Data: DO NOT USE AS IDENTIFIER OR SHARE WITH THIRD-PARTY SERVICES
	Name        string            `json:"name,omitempty"`         // User full name
	Email       string            `json:"email,omitempty"`        // User email address
	Phone       string            `json:"phone,omitempty"`        // User phone number
	Username    string            `json:"username,omitempty"`     // Username
	ExternalIDs map[string]string `json:"external_ids,omitempty"` // External user identifiers for use in external integrations

	//TODO: Once the new user ID scheme has been adopted across all services these claims should be removed
	UID string `json:"uid,omitempty"` // Unique user identifier for specified "auth_type"
}

Claims represents the standard claims included in access tokens

func (Claims) AppOrg 

func (c Claims) AppOrg() auth.AppOrgPair

AppOrg returns the AppOrgPair for the claims

func (Claims) CanAccess 

func (c Claims) CanAccess(appID string, orgID string, system bool) error

CanAccess returns an error if the claims do not grant access to a resource with the given appID, orgId, and system status

func (Claims) Scopes 

func (c Claims) Scopes() []authorization.Scope

Scopes returns the scopes from the claims as a slice

type Handler 

type Handler interface {
	Check(req *http.Request) (int, *Claims, error)
	GetTokenAuth() *TokenAuth
}

Handler is an interface for token auth handlers

type Handlers 

type Handlers struct {
	Standard      Handler
	Permissions   *PermissionsHandler
	User          *UserHandler
	Authenticated *AuthenticatedHandler
}

Handlers represents the standard token auth handlers

func NewHandlers 

func NewHandlers(auth Handler) Handlers

NewHandlers creates new token auth handlers

type PermissionsHandler 

type PermissionsHandler struct {
	// contains filtered or unexported fields
}

PermissionsHandler entity This enforces that the token has permissions matching the policy

func NewPermissionsHandler 

func NewPermissionsHandler(auth Handler) *PermissionsHandler

NewPermissionsHandler creates a new PermissionsHandler

func (*PermissionsHandler) Check 

func (h *PermissionsHandler) Check(req *http.Request) (int, *Claims, error)

Check checks the token in the provided request

func (*PermissionsHandler) GetTokenAuth 

func (h *PermissionsHandler) GetTokenAuth() *TokenAuth

GetTokenAuth exposes the TokenAuth for the handler

type StandardHandler 

type StandardHandler struct {
	// contains filtered or unexported fields
}

StandardHandler entity This enforces that the token is valid

func NewScopeHandler 

func NewScopeHandler(tokenAuth *TokenAuth, claimsCheck func(*Claims, *http.Request) (int, error)) *StandardHandler

NewScopeHandler creates a new StandardHandler that checks scopes

func NewStandardHandler 

func NewStandardHandler(tokenAuth *TokenAuth, claimsCheck func(*Claims, *http.Request) (int, error)) *StandardHandler

NewStandardHandler creates a new StandardHandler

func (*StandardHandler) Check 

func (h *StandardHandler) Check(req *http.Request) (int, *Claims, error)

Check checks the token in the provided request

func (*StandardHandler) GetTokenAuth 

func (h *StandardHandler) GetTokenAuth() *TokenAuth

GetTokenAuth exposes the TokenAuth for the handler

type TokenAuth 

type TokenAuth struct {
	// contains filtered or unexported fields
}

TokenAuth contains configurations and helper functions required to validate tokens

func NewTokenAuth 

func NewTokenAuth(acceptRokwireTokens bool, serviceRegManager *auth.ServiceRegManager, permissionAuth authorization.Authorization, scopeAuth authorization.Authorization) (*TokenAuth, error)

NewTokenAuth creates and configures a new TokenAuth instance authorization maybe nil if performing manual authorization

func (*TokenAuth) AuthorizeRequestPermissions 

func (t *TokenAuth) AuthorizeRequestPermissions(claims *Claims, request *http.Request) error

AuthorizeRequestPermissions will authorize the request if the permissions claim passes the permissionsAuth 

Returns nil on success and error on failure.

func (*TokenAuth) AuthorizeRequestScope 

func (t *TokenAuth) AuthorizeRequestScope(claims *Claims, request *http.Request) error

AuthorizeRequestScope will authorize the request if the scope claim passes the scopeAuth 

Returns nil on success and error on failure.

func (*TokenAuth) CheckRequestToken 

func (t *TokenAuth) CheckRequestToken(r *http.Request) (*Claims, error)

CheckRequestToken is a convenience function which retrieves and checks the access token included in a request and returns the claims Access tokens must be provided as a Bearer token in the "Authorization" header

func (*TokenAuth) CheckToken 

func (t *TokenAuth) CheckToken(token string, purpose string) (*Claims, error)

CheckToken validates the provided token and returns the token claims

func (*TokenAuth) SetBlacklistSize 

func (t *TokenAuth) SetBlacklistSize(size int)

SetBlacklistSize sets the maximum size of the token blacklist queue 

The default value is 1024

func (*TokenAuth) ValidatePermissionsClaim 

func (t *TokenAuth) ValidatePermissionsClaim(claims *Claims, requiredPermissions []string) error

ValidatePermissionsClaim will validate that the provided token claims contain one or more of the required permissions 

Returns nil on success and error on failure.

func (*TokenAuth) ValidateScopeClaim 

func (t *TokenAuth) ValidateScopeClaim(claims *Claims, requiredScope string) error

ValidateScopeClaim will validate that the provided token claims contain the required scope 

If an empty required scope is provided, the claims must contain a valid global scope such as 'all:all:all' or '{service}:all:all'
Returns nil on success and error on failure.

type UserHandler 

type UserHandler struct {
	// contains filtered or unexported fields
}

UserHandler entity This enforces that the token is not anonymous

func NewUserHandler 

func NewUserHandler(auth Handler) *UserHandler

NewUserHandler creates a new UserHandler

func (*UserHandler) Check 

func (h *UserHandler) Check(req *http.Request) (int, *Claims, error)

Check checks the token in the provided request

func (*UserHandler) GetTokenAuth 

func (h *UserHandler) GetTokenAuth() *TokenAuth

GetTokenAuth exposes the TokenAuth for the handler

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.