Documentation
¶
Index ¶
- Variables
- func LoadFile(filePath *string, pa koanf.Parser) (*koanf.Koanf, error)
- type Account
- type AuditLog
- type AuditLogConsole
- type AuditLogStorage
- type Config
- type Cookie
- type Cors
- type CustomThirdPartyProvider
- type CustomThirdPartyProviders
- type Database
- type Email
- type EmailDelivery
- type Emails
- type LoggerConfig
- type MFA
- type OutputStream
- type Passcode
- type Passkey
- type Password
- type RateLimiter
- type RateLimiterStoreType
- type RateLimits
- type RedisConfig
- type RelyingParty
- type SMTP
- type Secrets
- type SecurityKeys
- type Server
- type ServerSettings
- type ServerSide
- type Service
- type Session
- type TOTP
- type ThirdParty
- type ThirdPartyProvider
- type ThirdPartyProviders
- type Username
- type WebauthnSettings
- type WebauthnTimeouts
- type Webhook
- type WebhookSettings
- type Webhooks
Constants ¶
This section is empty.
Variables ¶
View Source
var (
DefaultConfigFilePath = "./config/config.yaml"
)
Functions ¶
Types ¶
type Account ¶ added in v0.6.0
type Account struct {
// `allow_deletion` determines whether users can delete their accounts.
AllowDeletion bool `yaml:"allow_deletion" json:"allow_deletion,omitempty" koanf:"allow_deletion" jsonschema:"default=false"`
// `allow_signup` determines whether users are able to create new accounts.
AllowSignup bool `yaml:"allow_signup" json:"allow_signup,omitempty" koanf:"allow_signup" jsonschema:"default=true"`
}
type AuditLog ¶
type AuditLog struct {
// `console_output` controls audit log console output.
ConsoleOutput AuditLogConsole `` /* 129-byte string literal not displayed */
// `mask` determines whether sensitive information (usernames, emails) should be masked in the audit log output.
//
// This configuration applies to logs written to the console as well as persisted logs.
Mask bool `yaml:"mask" json:"mask,omitempty" koanf:"mask" jsonschema:"default=true"`
// `storage` controls audit log retention.
Storage AuditLogStorage `yaml:"storage" json:"storage,omitempty" koanf:"storage"`
}
type AuditLogConsole ¶
type AuditLogConsole struct {
// `enabled` controls whether audit log output on the console is enabled or disabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `output` determines the output stream audit logs are sent to.
OutputStream OutputStream `yaml:"output" json:"output,omitempty" koanf:"output" split_words:"true" jsonschema:"default=stdout,enum=stdout,enum=stderr"`
}
type AuditLogStorage ¶
type AuditLogStorage struct {
// `enabled` controls whether audit log should be retained (i.e. persisted).
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
}
type Config ¶
type Config struct {
// `account` configures settings related to user accounts.
Account Account `yaml:"account" json:"account,omitempty" koanf:"account" jsonschema:"title=account"`
// `audit_log` configures output and storage modalities of audit logs.
AuditLog AuditLog `yaml:"audit_log" json:"audit_log,omitempty" koanf:"audit_log" split_words:"true" jsonschema:"title=audit_log"`
// `convert_legacy_config`, if set to `true`, automatically copies the set values of deprecated configuration
// options, to new ones. If set to `false`, these values have to be set manually if non-default values should be
// used.
ConvertLegacyConfig bool `` /* 143-byte string literal not displayed */
// `database` configures database connection settings.
Database Database `yaml:"database" json:"database,omitempty" koanf:"database" jsonschema:"title=database"`
// `debug`, if set to `true`, adds additional debugging information to flow API responses.
Debug bool `yaml:"debug" json:"debug,omitempty" koanf:"debug" jsonschema:"default=false"`
// `email` configures how email addresses of user accounts are acquired and used.
Email Email `yaml:"email" json:"email,omitempty" koanf:"email" jsonschema:"title=email"`
// `email_delivery` configures how outgoing mails are delivered.
EmailDelivery EmailDelivery `` /* 129-byte string literal not displayed */
// Deprecated. See child properties for suggested replacements.
Emails Emails `yaml:"emails" json:"emails,omitempty" koanf:"emails" jsonschema:"title=emails"`
// `log` configures application logging.
Log LoggerConfig `yaml:"log" json:"log,omitempty" koanf:"log" jsonschema:"title=log"`
// `mfa` configures how multi-factor-authentication behaves.
MFA MFA `yaml:"mfa" json:"mfa,omitempty" koanf:"mfa" jsonschema:"title=mfa"`
// Deprecated. See child properties for suggested replacements.
Passcode Passcode `yaml:"passcode" json:"passcode,omitempty" koanf:"passcode" jsonschema:"title=passcode"`
// `passkey` configures how passkeys are acquired and used.
Passkey Passkey `yaml:"passkey" json:"passkey,omitempty" koanf:"passkey" jsonschema:"title=passkey"`
// `password` configures how passwords are acquired and used.
Password Password `yaml:"password" json:"password,omitempty" koanf:"password" jsonschema:"title=password"`
// `rate_limiter` configures rate limits for rate limited API operations and storage modalities for rate limit data.
RateLimiter RateLimiter `yaml:"rate_limiter" json:"rate_limiter,omitempty" koanf:"rate_limiter" split_words:"true" jsonschema:"title=rate_limiter"`
// `saml` configures modalities of SAML (Security Assertion Markup Language) SSO authentication and SAML identity
// providers.
Saml config.Saml `yaml:"saml" json:"saml,omitempty" koanf:"saml" jsonschema:"title=saml"`
// `secrets` configures the keys used for cryptographically signing tokens issued by the API.
Secrets Secrets `yaml:"secrets" json:"secrets,omitempty" koanf:"secrets" jsonschema:"title=secrets"`
// `server` configures address and CORS settings of the public and admin API.
Server Server `yaml:"server" json:"server,omitempty" koanf:"server" jsonschema:"title=server"`
// `service` configures general service information.
Service Service `yaml:"service" json:"service,omitempty" koanf:"service" jsonschema:"title=service"`
// `session` configures settings for session JWTs and Cookies issued by the API.
Session Session `yaml:"session" json:"session,omitempty" koanf:"session" jsonschema:"title=session"`
// Deprecated. Use `email_delivery.smtp` instead.
Smtp SMTP `yaml:"smtp" json:"smtp,omitempty" koanf:"smtp" jsonschema:"title=smtp"`
// `third_party` configures the modalities of third party OAuth/OIDC based authentication and available identity
// providers.
ThirdParty ThirdParty `yaml:"third_party" json:"third_party,omitempty" koanf:"third_party" split_words:"true" jsonschema:"title=third_party"`
// `username` configures how usernames of user accounts are acquired and used.
Username Username `yaml:"username" json:"username,omitempty" koanf:"username" jsonschema:"title=username"`
// `webauthn` configures general settings for communication with the WebAuthentication API.
Webauthn WebauthnSettings `yaml:"webauthn" json:"webauthn,omitempty" koanf:"webauthn" jsonschema:"title=webauthn"`
// `webhooks` configures HTTP-based callbacks for specific events occurring in the system.
Webhooks WebhookSettings `yaml:"webhooks" json:"webhooks,omitempty" koanf:"webhooks" jsonschema:"title=webhooks"`
}
Config is the central configuration type
func DefaultConfig ¶
func DefaultConfig() *Config
func (*Config) PostProcess ¶ added in v0.5.0
type Cookie ¶
type Cookie struct {
// `domain` is the domain the cookie will be bound to. Works for subdomains, but not cross-domain.
// See the `session.enable_auth_token_header` configuration instead if the API and the client application run on
// different domains.
Domain string `yaml:"domain" json:"domain,omitempty" koanf:"domain" jsonschema:"default=hanko"`
// `http_only` determines whether cookies are HTTP only or accessible by Javascript.
HttpOnly bool `yaml:"http_only" json:"http_only,omitempty" koanf:"http_only" split_words:"true" jsonschema:"default=true"`
// `name` is the name of the cookie.
Name string `yaml:"name" json:"name,omitempty" koanf:"name" jsonschema:"default=hanko"`
// `retention` determines the retention behavior of authentication cookies.
Retention string `` /* 153-byte string literal not displayed */
// `same_site` controls whether a cookie is sent with cross-site requests.
// See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value) for
// more details.
SameSite string `` /* 139-byte string literal not displayed */
// `secure` indicates whether the cookie is sent to the server only when a request is made with the https: scheme
// (except on localhost).
//
// NOTE: `secure` must be set to `false` when working on `localhost` and with the Safari browser because it does
// not store secure cookies on `localhost`.
Secure bool `yaml:"secure" json:"secure,omitempty" koanf:"secure" jsonschema:"default=true"`
}
func (Cookie) JSONSchemaExtend ¶ added in v1.3.0
func (Cookie) JSONSchemaExtend(schema *jsonschema.Schema)
type Cors ¶
type Cors struct {
// `allow_origins` determines the value of the Access-Control-Allow-Origin
// response header. This header defines a list of [origins](https://developer.mozilla.org/en-US/docs/Glossary/Origin)
// that may access the resource.
//
// The wildcard characters `*` and `?` are supported and are converted to regex fragments `.*` and `.` accordingly.
AllowOrigins []string `` /* 155-byte string literal not displayed */
// `unsafe_wildcard_origin_allowed` allows a wildcard `*` origin to be used with AllowCredentials
// flag. In that case we consider any origin allowed and send it back to the client in an `Access-Control-Allow-Origin` header.
//
// This is INSECURE and potentially leads to [cross-origin](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
// attacks. See also https://github.com/labstack/echo/issues/2400 for discussion on the subject.
//
// Optional. Default value is `false`.
UnsafeWildcardOriginAllowed bool `` /* 207-byte string literal not displayed */
}
type CustomThirdPartyProvider ¶ added in v1.3.0
type CustomThirdPartyProvider struct {
// `allow_linking` indicates whether existing accounts can be automatically linked with this provider.
//
// Linking is based on matching one of the email addresses of an existing user account with the (primary)
// email address of the third party provider account.
AllowLinking bool `yaml:"allow_linking" json:"allow_linking,omitempty" koanf:"allow_linking" jsonschema:"default=false"`
// `attribute_mapping` defines a map that associates a set of known standard OIDC conformant end-user claims
// (the key of a map entry) at the Hanko backend to claims retrieved from a third party provider (the value of the
// map entry). This is primarily necessary if a non-OIDC provider is configured/used in which case it is probable
// that user data returned from the userinfo endpoint does not already conform to OIDC standard claims.
//
// Example: You configure an OAuth Provider (i.e. non-OIDC) and the provider's configured userinfo endpoint returns
// an end-user's user ID at the provider not under a `sub` key in its JSON response but rather under a `user_id`
// key. You would then configure an attribute mapping as follows:
//
// “`yaml
//attribute_mapping:
// sub: user_id
// “`
//
// See https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims for a list of known standard claims
// that provider claims can be mapped into. Any other claims received from a provider are not discarded but are
// retained internally in a `custom_claims` claim.
//
// Mappings are one-to-one mappings, complex mappings (e.g. mapping concatenations of two claims) are not possible.
AttributeMapping map[string]string `yaml:"attribute_mapping" json:"attribute_mapping,omitempty" koanf:"attribute_mapping"`
// URL of the provider's authorization endpoint where the end-user is redirected to authenticate and grant consent for
// an application to access their resources.
//
// Required if `use_discovery` is false or omitted.
AuthorizationEndpoint string `yaml:"authorization_endpoint" json:"authorization_endpoint,omitempty" koanf:"authorization_endpoint"`
// `name` is a unique identifier for the provider, derived from the key in the `custom_providers` map, by
// concatenating the prefix "custom_". This allows distinguishing between built-in and custom providers at runtime.
Name string `jsonschema:"-" yaml:"-" json:"-" koanf:"-"`
// `issuer` is the provider's issuer identifier. It should be a URL that uses the "https"
// scheme and has no query or fragment components.
//
// Required if `use_discovery` is true.
Issuer string `yaml:"issuer" json:"issuer,omitempty" koanf:"issuer"`
// `client_id` is the ID of the OAuth/OIDC client. Must be obtained from the provider.
//
// Required if the provider is `enabled`.
ClientID string `yaml:"client_id" json:"client_id,omitempty" koanf:"client_id" split_words:"true"`
// `display_name` is the name of the provider that is intended to be shown to an end-user.
//
// Required if the provider is `enabled`.
DisplayName string `yaml:"display_name" json:"display_name,omitempty" koanf:"display_name"`
// `enabled` indicates if the provider is enabled or disabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `scopes` is a list of scopes requested from the provider that specify the level of access an application has to
// a user's resources on a server, defining what actions the app can perform on behalf of the user.
//
// Required if the provider is `enabled`.
Scopes []string `yaml:"scopes" json:"scopes,omitempty" koanf:"scopes,omitempty"`
// `secret` is the client secret for the OAuth/OIDC client. Must be obtained from the provider.
//
// Required if the provider is `enabled`.
Secret string `yaml:"secret" json:"secret,omitempty" koanf:"secret"`
// URL of the provider's token endpoint URL where an application exchanges an authorization code for an access
// token, which is used to authenticate API requests on behalf of the end-user.
//
// Required if `use_discovery` is false or omitted.
TokenEndpoint string `yaml:"token_endpoint" json:"token_endpoint,omitempty" koanf:"token_endpoint"`
// `use_discovery` determines if configuration information about an OpenID Connect (OIDC) provider, such as
// endpoint URLs and supported features,should be automatically retrieved, from a well-known
// URL (typically /.well-known/openid-configuration).
UseDiscovery bool `yaml:"use_discovery" json:"use_discovery,omitempty" koanf:"use_discovery" jsonschema:"default=true"`
// URL of the provider's endpoint that returns claims about an authenticated end-user.
//
// Required if `use_discovery` is false or omitted.
UserinfoEndpoint string `yaml:"userinfo_endpoint" json:"userinfo_endpoint,omitempty" koanf:"userinfo_endpoint"`
}
func (CustomThirdPartyProvider) JSONSchemaExtend ¶ added in v1.3.0
func (CustomThirdPartyProvider) JSONSchemaExtend(schema *jsonschema.Schema)
func (*CustomThirdPartyProvider) Validate ¶ added in v1.3.0
func (p *CustomThirdPartyProvider) Validate() error
type CustomThirdPartyProviders ¶ added in v1.3.0
type CustomThirdPartyProviders map[string]CustomThirdPartyProvider
func (*CustomThirdPartyProviders) GetEnabled ¶ added in v1.3.0
func (p *CustomThirdPartyProviders) GetEnabled() []CustomThirdPartyProvider
func (*CustomThirdPartyProviders) HasEnabled ¶ added in v1.3.0
func (p *CustomThirdPartyProviders) HasEnabled() bool
func (*CustomThirdPartyProviders) Validate ¶ added in v1.3.0
func (p *CustomThirdPartyProviders) Validate() error
type Database ¶
type Database struct {
// `database` determines the name of the database schema to use.
Database string `yaml:"database" json:"database,omitempty" koanf:"database" jsonschema:"default=hanko"`
// `dialect` is the name of the database system to use.
Dialect string `` /* 138-byte string literal not displayed */
// `host` is the host the database system is running on.
Host string `yaml:"host" json:"host,omitempty" koanf:"host" jsonschema:"default=localhost"`
// `password` is the password for the database user to use for connecting to the database.
Password string `yaml:"password" json:"password,omitempty" koanf:"password" jsonschema:"default=hanko"`
// `port` is the port the database system is running on.
Port string `yaml:"port" json:"port,omitempty" koanf:"port" jsonschema:"default=5432"`
// `url` is a datasource connection string. It can be used instead of the rest of the database configuration
// options. If this `url` is set then it is prioritized, i.e. the rest of the options, if set, have no effect.
//
// Schema: `dialect://username:password@host:port/database`
Url string `yaml:"url" json:"url,omitempty" koanf:"url" jsonschema:"example=postgres://hanko:hanko@localhost:5432/hanko"`
// `user` is the database user to use for connecting to the database.
User string `yaml:"user" json:"user,omitempty" koanf:"user" jsonschema:"default=hanko"`
}
type Email ¶
type Email struct {
// `acquire_on_login` determines whether users, provided that they do not already have registered an email,
// are prompted to provide an email on login.
AcquireOnLogin bool `` /* 128-byte string literal not displayed */
// `acquire_on_registration` determines whether users are prompted to provide an email on registration.
AcquireOnRegistration bool `` /* 148-byte string literal not displayed */
// `enabled` determines whether emails are enabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// 'limit' determines the maximum number of emails a user can register.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=5"`
// `max_length` specifies the maximum allowed length of an email address.
MaxLength int `yaml:"max_length" json:"max_length,omitempty" koanf:"max_length" jsonschema:"default=100"`
// `optional` determines whether users must provide an email when prompted.
// There must always be at least one email address associated with an account. The primary email address cannot be
// deleted if emails are required (`optional`: false`).
Optional bool `yaml:"optional" json:"optional,omitempty" koanf:"optional" jsonschema:"default=false"`
// `passcode_ttl` specifies, in seconds, how long a passcode is valid for.
PasscodeTtl int `yaml:"passcode_ttl" json:"passcode_ttl,omitempty" koanf:"passcode_ttl" jsonschema:"default=300"`
// `require_verification` determines whether newly created emails must be verified by providing a passcode sent
// to respective address.
RequireVerification bool `` /* 139-byte string literal not displayed */
// `use_as_login_identifier` determines whether emails can be used as an identifier on login.
UseAsLoginIdentifier bool `` /* 129-byte string literal not displayed */
// `user_for_authentication` determines whether users can log in by providing an email address and subsequently
// providing a passcode sent to the given email address.
UseForAuthentication bool `` /* 126-byte string literal not displayed */
}
type EmailDelivery ¶ added in v0.11.0
type EmailDelivery struct {
// `enabled` determines whether the API delivers emails.
// Disable if you want to send the emails yourself. To do so you must subscribe to the `email.create` webhook event.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `from_address` configures the sender address of emails sent to users.
FromAddress string `` /* 127-byte string literal not displayed */
// `from_name` configures the sender name of emails sent to users.
FromName string `yaml:"from_name" json:"from_name,omitempty" koanf:"from_name" split_words:"true" jsonschema:"default=Hanko"`
// `SMTP` contains the SMTP server settings for sending mails.
SMTP SMTP `yaml:"smtp" json:"smtp,omitempty" koanf:"smtp" jsonschema:"title=smtp"`
}
type LoggerConfig ¶ added in v0.5.0
type LoggerConfig struct {
// `log_health_and_metrics` determines whether requests of the `/health` and `/metrics` endpoints are logged.
LogHealthAndMetrics bool `` /* 126-byte string literal not displayed */
}
type MFA ¶ added in v1.2.0
type MFA struct {
// `acquire_on_login` configures if users are prompted creating an MFA credential on login.
AcquireOnLogin bool `yaml:"acquire_on_login" json:"acquire_on_login" koanf:"acquire_on_login" jsonschema:"default=false"`
// `acquire_on_registration` configures if users are prompted creating an MFA credential on registration.
AcquireOnRegistration bool `yaml:"acquire_on_registration" json:"acquire_on_registration" koanf:"acquire_on_registration" jsonschema:"default=true"`
// `device_trust_cookie_name` is the name of the cookie used to store the token of a trusted device.
DeviceTrustCookieName string `` /* 146-byte string literal not displayed */
// `device_trust_duration` configures the duration a device remains trusted after authentication; once expired, the
// user must reauthenticate with MFA.
DeviceTrustDuration time.Duration `yaml:"device_trust_duration" json:"device_trust_duration" koanf:"device_trust_duration" jsonschema:"default=720h,type=string"`
// `device_trust_policy` determines the conditions under which a device or browser is considered trusted, allowing
// MFA to be skipped for subsequent logins.
DeviceTrustPolicy string `` /* 173-byte string literal not displayed */
// `enabled` determines whether multi-factor-authentication is enabled.
Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
// `optional` determines whether users must create an MFA credential when prompted. The MFA credential cannot be
// deleted if multi-factor-authentication is required (`optional: false`).
Optional bool `yaml:"optional" json:"optional" koanf:"optional" jsonschema:"default=true"`
// `security_keys` configures security key settings for multi-factor-authentication
SecurityKeys SecurityKeys `yaml:"security_keys" json:"security_keys,omitempty" koanf:"security_keys" jsonschema:"title=security_keys"`
// `totp` configures the TOTP (Time-Based One-Time-Password) method for multi-factor-authentication.
TOTP TOTP `yaml:"totp" json:"totp,omitempty" koanf:"totp" jsonschema:"title=totp"`
}
func (MFA) JSONSchemaExtend ¶ added in v1.3.0
func (MFA) JSONSchemaExtend(schema *jsonschema.Schema)
type OutputStream ¶
type OutputStream string
var ( OutputStreamStdOut OutputStream = "stdout" OutputStreamStdErr OutputStream = "stderr" )
type Passcode ¶
type Passcode struct {
// Deprecated. Use `email.passcode_ttl` instead.
TTL int `yaml:"ttl" json:"ttl,omitempty" koanf:"ttl" jsonschema:"default=300"`
}
type Passkey ¶ added in v1.0.0
type Passkey struct {
// `acquire_on_registration` configures how users are prompted creating a passkey on registration.
AcquireOnRegistration string `` /* 190-byte string literal not displayed */
// `acquire_on_login` configures how users are prompted creating a passkey on login.
AcquireOnLogin string `` /* 169-byte string literal not displayed */
// `attestation_preference` is used to specify the preference regarding attestation conveyance during
// credential generation.
AttestationPreference string `` /* 183-byte string literal not displayed */
// `enabled` determines whether users can create or authenticate with passkeys.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `limit` defines the maximum number of passkeys a user can have.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=10"`
// `optional` determines whether users must create a passkey when prompted. The last remaining passkey cannot be
// deleted if passkeys are required (`optional: false`).
//
// It also takes part in determining the order of password and passkey acquisition
// on login and registration (see also `acquire_on_login` and `acquire_on_registration`): if one credential type is
// required (`optional: false`) then that one takes precedence, i.e. is acquired first.
Optional bool `yaml:"optional" json:"optional,omitempty" koanf:"optional" jsonschema:"default=true"`
// `user_verification` specifies the requirements regarding local authorization with an authenticator through
// various authorization gesture modalities; for example, through a touch plus pin code,
// password entry, or biometric recognition.
//
// The setting applies to both WebAuthn registration and authentication ceremonies.
UserVerification string `` /* 181-byte string literal not displayed */
}
func (Passkey) JSONSchemaExtend ¶ added in v1.0.0
func (Passkey) JSONSchemaExtend(schema *jsonschema.Schema)
type Password ¶
type Password struct {
// `acquire_on_registration` configures how users are prompted creating a password on registration.
AcquireOnRegistration string `` /* 190-byte string literal not displayed */
// `acquire_on_login` configures how users are prompted creating a password on login.
AcquireOnLogin string `` /* 168-byte string literal not displayed */
// `enabled` determines whether passwords are enabled or disabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `min_length` determines the minimum password length.
MinLength int `yaml:"min_length" json:"min_length,omitempty" koanf:"min_length" split_words:"true" jsonschema:"default=8"`
// Deprecated. Use `min_length` instead.
MinPasswordLength int `` /* 133-byte string literal not displayed */
// `optional` determines whether users must set a password when prompted. The password cannot be deleted if
// passwords are required (`optional: false`).
//
// It also takes part in determining the order of password and passkey acquisition
// on login and registration (see also `acquire_on_login` and `acquire_on_registration`): if one credential type is
// required (`optional: false`) then that one takes precedence, i.e. is acquired first.
Optional bool `yaml:"optional" json:"optional,omitempty" koanf:"optional" jsonschema:"default=false"`
// `recovery` determines whether users can start a recovery process, e.g. in case of a forgotten password.
Recovery bool `yaml:"recovery" json:"recovery,omitempty" koanf:"recovery" jsonschema:"default=true"`
}
func (Password) JSONSchemaExtend ¶ added in v1.0.0
func (Password) JSONSchemaExtend(schema *jsonschema.Schema)
type RateLimiter ¶
type RateLimiter struct {
// `enabled` controls whether rate limiting is enabled or disabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `store` sets the store for the rate limiter. When you have multiple instances of Hanko running, it is recommended to use
// the `redis` store because otherwise your instances each have their own states.
Store RateLimiterStoreType `yaml:"store" json:"store,omitempty" koanf:"store" jsonschema:"default=in_memory,enum=in_memory,enum=redis"`
// `redis_config` configures connection to a redis instance.
// Required if `store` is set to `redis`
Redis *RedisConfig `yaml:"redis_config" json:"redis_config,omitempty" koanf:"redis_config"`
// `passcode_limits` controls rate limits for passcode operations.
PasscodeLimits RateLimits `yaml:"passcode_limits" json:"passcode_limits,omitempty" koanf:"passcode_limits" split_words:"true"`
// `otp_limits` controls rate limits for OTP login attempts.
OTPLimits RateLimits `yaml:"otp_limits" json:"otp_limits,omitempty" koanf:"otp_limits" split_words:"true"`
// `password_limits` controls rate limits for password login operations.
PasswordLimits RateLimits `yaml:"password_limits" json:"password_limits,omitempty" koanf:"password_limits" split_words:"true"`
// `token_limits` controls rate limits for token exchange operations.
TokenLimits RateLimits `` /* 130-byte string literal not displayed */
}
func (*RateLimiter) Validate ¶
func (r *RateLimiter) Validate() error
type RateLimiterStoreType ¶
type RateLimiterStoreType string
const ( RATE_LIMITER_STORE_IN_MEMORY RateLimiterStoreType = "in_memory" RATE_LIMITER_STORE_REDIS = "redis" )
type RateLimits ¶
type RateLimits struct {
// `tokens` determines how many operations/requests can occur in the given `interval`.
Tokens uint64 `yaml:"tokens" json:"tokens" koanf:"tokens" jsonschema:"default=3"`
// `interval` determines when to reset the token interval.
// It must be a (possibly signed) sequence of decimal
// numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Interval time.Duration `yaml:"interval" json:"interval" koanf:"interval" jsonschema:"default=1m,type=string"`
}
type RedisConfig ¶
type RedisConfig struct {
// `address` is the address of the redis instance in the form of `host[:port][/database]`.
Address string `yaml:"address" json:"address" koanf:"address"`
// `password` is the password for the redis instance.
Password string `yaml:"password" json:"password,omitempty" koanf:"password"`
}
type RelyingParty ¶
type RelyingParty struct {
// `display_name` is the service's name that some WebAuthn Authenticators will display to the user during registration
// and authentication ceremonies.
DisplayName string `` /* 139-byte string literal not displayed */
Icon string `yaml:"icon" json:"icon,omitempty" koanf:"icon" jsonschema:"-"`
// `id` is the [effective domain](https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain)
// the passkey/WebAuthn credentials will be bound to.
Id string `yaml:"id" json:"id,omitempty" koanf:"id" jsonschema:"default=localhost,examples=localhost,example.com,subdomain.example.com"`
// `origins` is a list of origins for which passkeys/WebAuthn credentials will be accepted by the server. Must
// include the protocol and can only be the effective domain, or a registrable domain suffix of the effective
// domain, as specified in the [`id`](#id). Except for `localhost`, the protocol **must** always be `https` for
// passkeys/WebAuthn to work. IP Addresses will not work.
//
// For an Android application the origin must be the base64 url encoded SHA256 fingerprint of the signing
// certificate.
Origins []string `` /* 209-byte string literal not displayed */
}
RelyingParty webauthn settings for your application using hanko.
type SMTP ¶
type SMTP struct {
Host string `yaml:"host" json:"host,omitempty" koanf:"host" jsonschema:"default=localhost"`
Port string `yaml:"port" json:"port,omitempty" koanf:"port" jsonschema:"default=465"`
User string `yaml:"user" json:"user,omitempty" koanf:"user"`
Password string `yaml:"password" json:"password,omitempty" koanf:"password"`
}
SMTP Server Settings for sending passcodes
type Secrets ¶
type Secrets struct {
// `keys` are used to en- and decrypt the JWKs which get used to sign the JWTs issued by the API.
// For every key a JWK is generated, encrypted with the key and persisted in the database.
//
// You can use this list for key rotation: add a new key to the beginning of the list and the corresponding
// JWK will then be used for signing JWTs. All tokens signed with the previous JWK(s) will still
// be valid until they expire. Removing a key from the list does not remove the corresponding
// database record. If you remove a key, you also have to remove the database record, otherwise
// application startup will fail.
Keys []string `yaml:"keys" json:"keys,omitempty" koanf:"keys" jsonschema:"minItems=1"`
}
func (Secrets) JSONSchemaExtend ¶ added in v1.0.0
func (Secrets) JSONSchemaExtend(schema *jsonschema.Schema)
type SecurityKeys ¶ added in v1.2.0
type SecurityKeys struct {
// `attestation_preference` is used to specify the preference regarding attestation conveyance during
// credential generation.
AttestationPreference string `` /* 183-byte string literal not displayed */
// `authenticator_attachment` is used to specify the preference regarding authenticator attachment during credential registration.
AuthenticatorAttachment string `` /* 214-byte string literal not displayed */
// `enabled` determines whether security keys are eligible for multi-factor-authentication.
Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
// 'limit' determines the maximum number of security keys a user can register.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=10"`
// `user_verification` specifies the requirements regarding local authorization with an authenticator through
// various authorization gesture modalities; for example, through a touch plus pin code,
// password entry, or biometric recognition.
//
// The setting applies to both WebAuthn registration and authentication ceremonies.
UserVerification string `` /* 183-byte string literal not displayed */
}
type Server ¶
type Server struct {
// `public` contains the server configuration for the public API.
Public ServerSettings `yaml:"public" json:"public,omitempty" koanf:"public" jsonschema:"title=public"`
// `admin` contains the server configuration for the admin API.
Admin ServerSettings `yaml:"admin" json:"admin,omitempty" koanf:"admin" jsonschema:"title=admin"`
}
type ServerSettings ¶
type ServerSettings struct {
// `address` is the address of the server to listen on in the form of host:port.
//
// See [net.Dial](https://pkg.go.dev/net#Dial) for details of the address format.
Address string `yaml:"address" json:"address,omitempty" koanf:"address"`
// `cors` contains configuration options regarding Cross-Origin-Resource-Sharing.
Cors Cors `yaml:"cors" json:"cors,omitempty" koanf:"cors" jsonschema:"title=cors"`
}
func (*ServerSettings) Validate ¶
func (s *ServerSettings) Validate() error
type ServerSide ¶ added in v1.1.0
type ServerSide struct {
// `enabled` determines whether server-side sessions are enabled.
//
// NOTE: When enabled the session endpoint must be used in order to check if a session is still valid.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `limit` determines the maximum number of server-side sessions a user can have. When the limit is exceeded,
// older sessions are invalidated.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=100"`
}
type Service ¶
type Service struct {
// `name` determines the name of the service.
// This value is used, e.g. in the subject header of outgoing emails.
Name string `yaml:"name" json:"name,omitempty" koanf:"name"`
}
type Session ¶
type Session struct {
// `audience` is a list of strings that identifies the recipients that the JWT is intended for.
// The audiences are placed in the `aud` claim of the JWT.
// If not set, it defaults to the value of the`webauthn.relying_party.id` configuration parameter.
Audience []string `yaml:"audience" json:"audience,omitempty" koanf:"audience"`
// `cookie` contains configuration for the session cookie issued on successful registration or login.
Cookie Cookie `yaml:"cookie" json:"cookie,omitempty" koanf:"cookie"`
// `enable_auth_token_header` determines whether a session token (JWT) is returned in an `X-Auth-Token`
// header after a successful authentication. This option should be set to `true` if API and client applications
// run on different domains.
EnableAuthTokenHeader bool `` /* 152-byte string literal not displayed */
// `issuer` is a string that identifies the principal (human user, an organization, or a service)
// that issued the JWT. Its value is set in the `iss` claim of a JWT.
Issuer string `yaml:"issuer" json:"issuer,omitempty" koanf:"issuer"`
// `lifespan` determines the maximum duration for which a session token (JWT) is valid. It must be a (possibly signed) sequence of decimal
// numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Lifespan string `yaml:"lifespan" json:"lifespan,omitempty" koanf:"lifespan" jsonschema:"default=12h"`
// `server_side` contains configuration for server-side sessions.
ServerSide ServerSide `yaml:"server_side" json:"server_side" koanf:"server_side"`
}
type TOTP ¶ added in v1.2.0
type TOTP struct {
// `enabled` determines whether TOTP is eligible for multi-factor-authentication.
Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
}
type ThirdParty ¶ added in v0.5.0
type ThirdParty struct {
// `providers` contains the configurations for the available OAuth/OIDC identity providers.
Providers ThirdPartyProviders `yaml:"providers" json:"providers,omitempty" koanf:"providers" jsonschema:"title=providers,uniqueItems=true"`
// `custom_providers contains the configurations for custom OAuth/OIDC identity providers.
CustomProviders CustomThirdPartyProviders `yaml:"custom_providers" json:"custom_providers,omitempty" koanf:"custom_providers" jsonschema:"title=custom_providers"`
// `redirect_url` is the URL the third party provider redirects to with an authorization code. Must consist of the base URL
// of your running Hanko backend instance and the `callback` endpoint of the API,
// i.e. `{YOUR_BACKEND_INSTANCE}/thirdparty/callback.`
//
// Required if any of the [`providers`](#providers) are `enabled`.
RedirectURL string `` /* 155-byte string literal not displayed */
// `error_redirect_url` is the URL the backend redirects to if an error occurs during third party sign-in.
// Errors are provided as 'error' and 'error_description' query params in the redirect location URL.
//
// When using the Hanko web components it should be the URL of the page that embeds the web component such that
// errors can be processed properly by the web component.
//
// You do not have to add this URL to the 'allowed_redirect_urls', it is automatically included when validating
// redirect URLs.
//
// Required if any of the [`providers`](#providers) are `enabled`. Must not have trailing slash.
ErrorRedirectURL string `yaml:"error_redirect_url" json:"error_redirect_url,omitempty" koanf:"error_redirect_url" split_words:"true"`
// `default_redirect_url` is the URL the backend redirects to after it successfully verified
// the response from any third party provider.
//
// Must not have trailing slash.
DefaultRedirectURL string `yaml:"default_redirect_url" json:"default_redirect_url,omitempty" koanf:"default_redirect_url" split_words:"true"`
// `allowed_redirect_urls` is a list of URLs the backend is allowed to redirect to after third party sign-in was
// successful.
//
// Supports wildcard matching through globbing. e.g. `https://*.example.com` will allow `https://foo.example.com`
// and `https://bar.example.com` to be accepted.
//
// Globbing is also supported for paths, e.g. `https://foo.example.com/*` will match `https://foo.example.com/page1`
// and `https://foo.example.com/page2`.
//
// A double asterisk (`**`) acts as a "super"-wildcard/match-all.
//
// See [here](https://pkg.go.dev/github.com/gobwas/glob#Compile) for more on globbing.
//
// Must not be empty if any of the [`providers`](#providers) are `enabled`. URLs in the list must not have a trailing slash.
AllowedRedirectURLS []string `` /* 140-byte string literal not displayed */
AllowedRedirectURLMap map[string]glob.Glob `jsonschema:"-" yaml:"-" json:"-" koanf:"-"`
}
func (ThirdParty) JSONSchemaExtend ¶ added in v1.3.0
func (t ThirdParty) JSONSchemaExtend(schema *jsonschema.Schema)
func (ThirdParty) JSONSchemaNoBuiltInProviderEnabled ¶ added in v1.3.0
func (t ThirdParty) JSONSchemaNoBuiltInProviderEnabled() *jsonschema.Schema
func (ThirdParty) JSONSchemaNoCustomProviderEnabled ¶ added in v1.3.0
func (t ThirdParty) JSONSchemaNoCustomProviderEnabled() *jsonschema.Schema
func (*ThirdParty) PostProcess ¶ added in v0.5.0
func (t *ThirdParty) PostProcess() error
func (*ThirdParty) Validate ¶ added in v0.5.0
func (t *ThirdParty) Validate() error
type ThirdPartyProvider ¶ added in v0.5.0
type ThirdPartyProvider struct {
// `allow_linking` indicates whether existing accounts can be automatically linked with this provider.
//
// Linking is based on matching one of the email addresses of an existing user account with the (primary)
// email address of the third party provider account.
AllowLinking bool `yaml:"allow_linking" json:"allow_linking,omitempty" koanf:"allow_linking" split_words:"true"`
// `client_id` is the ID of the OAuth/OIDC client. Must be obtained from the provider.
//
// Required if the provider is `enabled`.
ClientID string `yaml:"client_id" json:"client_id,omitempty" koanf:"client_id" split_words:"true"`
DisplayName string `jsonschema:"-" yaml:"-" json:"-" koanf:"-"`
// `enabled` determines whether this provider is enabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `secret` is the client secret for the OAuth/OIDC client. Must be obtained from the provider.
//
// Required if the provider is `enabled`.
Secret string `yaml:"secret" json:"secret,omitempty" koanf:"secret"`
// `name` is a unique name/slug/identifier for the provider. It is the lowercased key of the corresponding field
// in ThirdPartyProviders. See also: CustomThirdPartyProvider.Name.
Name string `jsonschema:"-" yaml:"-" json:"-" koanf:"-"`
}
func (ThirdPartyProvider) JSONSchemaExtend ¶ added in v1.0.0
func (ThirdPartyProvider) JSONSchemaExtend(schema *jsonschema.Schema)
func (*ThirdPartyProvider) Validate ¶ added in v0.5.0
func (p *ThirdPartyProvider) Validate() error
type ThirdPartyProviders ¶ added in v0.5.0
type ThirdPartyProviders struct {
// `apple` contains the provider configuration for Apple.
Apple ThirdPartyProvider `yaml:"apple" json:"apple,omitempty" koanf:"apple"`
// `discord` contains the provider configuration for Discord.
Discord ThirdPartyProvider `yaml:"discord" json:"discord,omitempty" koanf:"discord"`
// `github` contains the provider configuration for GitHub.
GitHub ThirdPartyProvider `yaml:"github" json:"github,omitempty" koanf:"github"`
// `google` contains the provider configuration for Google.
Google ThirdPartyProvider `yaml:"google" json:"google,omitempty" koanf:"google"`
// `linkedin` contains the provider configuration for LinkedIn.
LinkedIn ThirdPartyProvider `yaml:"linkedin" json:"linkedin,omitempty" koanf:"linkedin"`
// `microsoft` contains the provider configuration for Microsoft.
Microsoft ThirdPartyProvider `yaml:"microsoft" json:"microsoft,omitempty" koanf:"microsoft"`
}
func (*ThirdPartyProviders) Get ¶ added in v0.5.0
func (p *ThirdPartyProviders) Get(provider string) *ThirdPartyProvider
func (*ThirdPartyProviders) GetEnabled ¶ added in v1.0.0
func (p *ThirdPartyProviders) GetEnabled() []ThirdPartyProvider
func (*ThirdPartyProviders) HasEnabled ¶ added in v0.5.0
func (p *ThirdPartyProviders) HasEnabled() bool
func (*ThirdPartyProviders) Validate ¶ added in v0.5.0
func (p *ThirdPartyProviders) Validate() error
type Username ¶ added in v1.0.0
type Username struct {
// `acquire_on_login` determines whether users, provided that they do not already have set a username,
// are prompted to provide a username on login.
AcquireOnLogin bool `` /* 127-byte string literal not displayed */
// `acquire_on_registration` determines whether users are prompted to provide a username on registration.
AcquireOnRegistration bool `` /* 148-byte string literal not displayed */
// `enabled` determines whether users can set a unique username.
//
// Usernames can contain letters (a-z,A-Z), numbers (0-9), and underscores.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `max_length` specifies the maximum allowed length of a username.
MaxLength int `yaml:"max_length" json:"max_length,omitempty" koanf:"max_length" jsonschema:"default=32"`
// `min_length` specifies the minimum length of a username.
MinLength int `yaml:"min_length" json:"min_length,omitempty" koanf:"min_length" split_words:"true" jsonschema:"default=3"`
// `optional` determines whether users must provide a username when prompted. The username can only be changed but
// not deleted if usernames are required (`optional: false`).
Optional bool `yaml:"optional" json:"optional,omitempty" koanf:"optional" jsonschema:"default=true"`
// `use_as_login_identifier` determines whether usernames, if enabled, can be used for logging in.
UseAsLoginIdentifier bool `` /* 129-byte string literal not displayed */
}
type WebauthnSettings ¶
type WebauthnSettings struct {
RelyingParty RelyingParty `yaml:"relying_party" json:"relying_party,omitempty" koanf:"relying_party" split_words:"true" jsonschema:"title=relying_party"`
// Deprecated, use `timeouts` instead.
Timeout int `yaml:"timeout" json:"timeout,omitempty" koanf:"timeout" jsonschema:"default=60000"`
// `timeouts` specifies the timeouts for passkey/WebAuthn registration and login.
Timeouts WebauthnTimeouts `yaml:"timeouts" json:"timeouts,omitempty" koanf:"timeouts" split_words:"true" jsonschema:"title=timeouts"`
// Deprecated, use `passkey.user_verification` instead
UserVerification string `` /* 181-byte string literal not displayed */
Handler *webauthnLib.WebAuthn `jsonschema:"-"`
}
WebauthnSettings defines the settings for the webauthn authentication mechanism
func (*WebauthnSettings) PostProcess ¶ added in v1.0.0
func (r *WebauthnSettings) PostProcess() error
func (*WebauthnSettings) Validate ¶
func (r *WebauthnSettings) Validate() error
Validate does not need to validate the config, because the library does this already
type WebauthnTimeouts ¶ added in v1.0.0
type WebauthnTimeouts struct {
// `registration` determines the time, in milliseconds, that the client is willing to wait for the credential
// creation request to the WebAuthn API to complete.
Registration int `yaml:"registration" json:"registration,omitempty" koanf:"registration" jsonschema:"default=600000"`
// `login` determines the time, in milliseconds, that the client is willing to wait for the credential
// request to the WebAuthn API to complete.
Login int `yaml:"login" json:"login,omitempty" koanf:"login" jsonschema:"default=600000"`
}
type Webhook ¶ added in v0.10.0
type Webhook struct {
// `callback` specifies the URL to which the change data will be sent.
Callback string `yaml:"callback" json:"callback,omitempty" koanf:"callback"`
// `events` is a list of events this hook listens for.
Events events.Events `yaml:"events" json:"events,omitempty" koanf:"events" jsonschema:"title=events"`
}
func (Webhook) JSONSchemaExtend ¶ added in v1.0.0
func (Webhook) JSONSchemaExtend(schema *jsonschema.Schema)
type WebhookSettings ¶ added in v0.10.0
type WebhookSettings struct {
// `allow_time_expiration` determines whether webhooks are disabled when unused for 30 days
// (only for database webhooks).
AllowTimeExpiration bool `yaml:"allow_time_expiration" json:"allow_time_expiration,omitempty" koanf:"allow_time_expiration" jsonschema:"default=false"`
// `enabled` enables the webhook feature.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `hooks` is a list of Webhook configurations.
//
// When using environment variables the value for the `WEBHOOKS_HOOKS` key must be specified in the following
// format:
// `{"callback":"http://app.com/usercb","events":["user"]};{"callback":"http://app.com/emailcb","events":["email.send"]}`
Hooks Webhooks `yaml:"hooks" json:"hooks,omitempty" koanf:"hooks" jsonschema:"title=hooks"`
}
func (*WebhookSettings) Validate ¶ added in v0.10.0
func (ws *WebhookSettings) Validate() error
type Webhooks ¶ added in v0.10.0
type Webhooks []Webhook
func (*Webhooks) Decode ¶ added in v1.0.0
Decode is an implementation of the envconfig.Decoder interface. Assumes that environment variables (for the WEBHOOKS_HOOKS key) have the following format: {"callback":"http://app.com/usercb","events":["user"]};{"callback":"http://app.com/emailcb","events":["email.send"]}
Source Files
¶
- config.go
- config_account.go
- config_audit_log.go
- config_database.go
- config_default.go
- config_email.go
- config_email_delivery.go
- config_emails.go
- config_logger.go
- config_mfa.go
- config_passcode.go
- config_passkey.go
- config_password.go
- config_rate_limiter.go
- config_secrets.go
- config_server.go
- config_service.go
- config_session.go
- config_third_party.go
- config_username.go
- config_webauthn.go
- config_webhook.go
Click to show internal directories.
Click to hide internal directories.