authentication

package


Constants

This section is empty.

Variables

This section is empty.

Functions

func NewCSRFMw

func NewCSRFMw(config CSRFConfig) func(handler http.Handler) http.Handler

func NewLoadUserMw

func NewLoadUserMw(config LoadUserConfig) func(handler http.Handler) http.Handler

func RedirectAlreadyAuthenticatedUsers

func RedirectAlreadyAuthenticatedUsers(matchString, matchRegex []string) func(handler http.Handler) http.Handler

func RequiresAuthentication

func RequiresAuthentication(handler http.Handler) http.Handler

func ValidateRedirectURIQueryParameter

func ValidateRedirectURIQueryParameter(matchString, matchRegex []string) func(handler http.Handler) http.Handler

Types

type CSRFConfig

// CSRFConfig configures the CSRF middleware returned by NewCSRFMw.
type CSRFConfig struct {
	// Path is presumably the path scope of the CSRF cookie — confirm in NewCSRFMw.
	Path            string
	// InsecureCookies presumably drops the Secure attribute from the CSRF cookie so
	// it also works over plain HTTP (local development); keep it false in
	// production — confirm in NewCSRFMw.
	InsecureCookies bool
	// Secret is the secret the CSRF middleware uses for its tokens. It should come
	// from a high-entropy source and must never be logged or exposed to clients.
	Secret          []byte
}

type CSRFErrorHandler

// CSRFErrorHandler is the http.Handler invoked when CSRF validation fails
// (see its ServeHTTP method).
type CSRFErrorHandler struct {
	// InsecureCookies mirrors CSRFConfig.InsecureCookies; presumably needed so the
	// error path can clear/reissue the cookie with matching attributes — confirm
	// in ServeHTTP.
	InsecureCookies bool
}

func (*CSRFErrorHandler) ServeHTTP

func (u *CSRFErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type CSRFTokenHandler

// CSRFTokenHandler is a stateless http.Handler (see its ServeHTTP method);
// presumably it issues a CSRF token to the client — confirm in ServeHTTP.
type CSRFTokenHandler struct{}

func (*CSRFTokenHandler) ServeHTTP

func (*CSRFTokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type Claims

// Claims decodes JWT claims. See https://www.iana.org/assignments/jwt/jwt.xhtml.
//
// The named fields are the IANA-registered claims; everything else is kept in
// Raw. Decoding a claim does not validate it: signature, issuer and expiry
// checks are the caller's responsibility (see UserLoadConfig.Keyfunc).
type Claims struct {
	Issuer            string                 `json:"iss"`
	Subject           string                 `json:"sub"`
	Name              string                 `json:"name"`
	GivenName         string                 `json:"given_name"`
	FamilyName        string                 `json:"family_name"`
	MiddleName        string                 `json:"middle_name"`
	NickName          string                 `json:"nickname"`
	PreferredUsername string                 `json:"preferred_username"`
	Profile           string                 `json:"profile"`
	Picture           string                 `json:"picture"`
	Website           string                 `json:"website"`
	Email             string                 `json:"email"`
	// EmailVerified is asserted by the identity provider; only trust it as far
	// as the provider is trusted.
	EmailVerified     bool                   `json:"email_verified"`
	Gender            string                 `json:"gender"`
	BirthDate         string                 `json:"birthdate"`
	ZoneInfo          string                 `json:"zoneinfo"`
	Locale            string                 `json:"locale"`
	Location          string                 `json:"location"`
	// Raw holds the complete claim set. It is tagged "-", so encoding/json skips
	// it; it must be populated separately (presumably by the decoding code).
	// Custom() derives the non-standard claims from it.
	Raw               map[string]interface{} `json:"-"`
}

Claims decodes JWT claims. See https://www.iana.org/assignments/jwt/jwt.xhtml.

func (*Claims) Custom added in v0.131.0

func (c *Claims) Custom() map[string]interface{}

Custom returns a non-nil map with the claims from c.Raw that are not parsed explicitly into named fields.

func (*Claims) ToUser added in v0.131.0

func (c *Claims) ToUser() *User

type ClaimsInfo

// ClaimsInfo lists the scopes and claims a provider supports. The JSON names
// match the fields of an OpenID Connect discovery document, so this is
// presumably decoded from the provider's metadata — confirm against the caller.
type ClaimsInfo struct {
	ScopesSupported []string `json:"scopes_supported"`
	ClaimsSupported []string `json:"claims_supported"`
}

type GithubConfig

// GithubConfig configures the GitHub OAuth flow registered by
// GithubCookieHandler.Register.
type GithubConfig struct {
	// ClientID and ClientSecret are the OAuth app credentials. ClientSecret must
	// stay server-side and out of logs.
	ClientID           string
	ClientSecret       string
	// ProviderID names this provider instance; presumably copied into
	// User.ProviderID — confirm in Register.
	ProviderID         string
	// InsecureCookies presumably allows non-Secure session cookies for plain-HTTP
	// development; keep it false in production.
	InsecureCookies    bool
	// ForceRedirectHttps presumably forces the https scheme on the callback
	// redirect URI, e.g. behind a TLS-terminating proxy — confirm in Register.
	ForceRedirectHttps bool
	// Cookie encodes/decodes the session cookie; its keys must be kept secret.
	Cookie             *securecookie.SecureCookie
	// AuthTimeout bounds how long an authentication attempt may take; presumably
	// the lifetime of the in-flight state — confirm in Register.
	AuthTimeout        time.Duration
}

type GithubCookieHandler

// GithubCookieHandler implements the GitHub login flow. Construct it with
// NewGithubCookieHandler and wire it into routers with Register.
type GithubCookieHandler struct {
	// contains filtered or unexported fields
}

func NewGithubCookieHandler

func NewGithubCookieHandler(log *zap.Logger) *GithubCookieHandler

func (*GithubCookieHandler) Register

func (g *GithubCookieHandler) Register(authorizeRouter, callbackRouter *mux.Router, config GithubConfig, hooks Hooks)

type GithubUserEmail

// GithubUserEmail is one entry of a GitHub user's email list. The JSON names
// match the GitHub user-emails API. Verified is asserted by GitHub; prefer the
// Primary and Verified entry when selecting an address for the user.
type GithubUserEmail struct {
	Email      string `json:"email"`
	Primary    bool   `json:"primary"`
	Verified   bool   `json:"verified"`
	Visibility string `json:"visibility"`
}

type GithubUserEmails

// GithubUserEmails is the list of addresses returned for a GitHub user.
type GithubUserEmails []GithubUserEmail

type GithubUserInfo

// GithubUserInfo is the subset of the GitHub user profile this package reads.
// The JSON names match the GitHub user API.
type GithubUserInfo struct {
	AvatarURL string `json:"avatar_url"`
	// ID is the numeric account id; unlike Login it does not change when the
	// user renames the account, so it is the stable identifier.
	ID        int64  `json:"id"`
	Location  string `json:"location"`
	Login     string `json:"login"`
	Name      string `json:"name"`
	NodeID    string `json:"node_id"`
}

type Hooks

// Hooks represents the interface for the available authentication hooks.
// Each hook receives the request context and the current User; hooks that
// return a *User are the only ones allowed to change it. A non-nil error is
// presumably treated as a failed authentication/logout — confirm in the
// handlers that call the hooks.
type Hooks interface {
	// PostAuthentication runs after authentication and doesn't mutate the user.
	PostAuthentication(ctx context.Context, user *User) error
	// MutatingPostAuthentication runs after PostAuthentication and might mutate
	// the user. The returned *User replaces the input.
	MutatingPostAuthentication(ctx context.Context, user *User) (*User, error)
	// PostLogout runs after logout and doesn't mutate the user.
	PostLogout(ctx context.Context, user *User) error
	// RevalidateAuthentication is used when an API client requests the
	// authenticated user to be revalidated. It might mutate the user.
	RevalidateAuthentication(ctx context.Context, user *User) (*User, error)
}

Hooks represents the interface for the available authentication hooks.

type LoadUserConfig

// LoadUserConfig configures the middleware returned by NewLoadUserMw, which
// resolves the authenticated User for a request.
type LoadUserConfig struct {
	Log           *zap.Logger
	// Cookie decodes the session cookie; its keys are secrets.
	Cookie        *securecookie.SecureCookie
	// CSRFSecret should be the same secret as CSRFConfig.Secret so that tokens
	// issued by the CSRF middleware validate here — presumably; confirm in
	// NewLoadUserMw.
	CSRFSecret    []byte
	// JwksProviders lists the JWKS-backed token issuers accepted for bearer
	// authentication (see UserLoadConfig.Keyfunc).
	JwksProviders []*wgpb.JwksAuthProvider
	Hooks         Hooks
}

type OpenIDConnectConfig

// OpenIDConnectConfig configures the OpenID Connect flow registered by
// OpenIDConnectCookieHandler.Register.
type OpenIDConnectConfig struct {
	// Issuer is the provider's issuer URL; tokens whose "iss" claim differs must
	// not be accepted for this provider.
	Issuer             string
	// ClientID and ClientSecret are the relying-party credentials. ClientSecret
	// must stay server-side and out of logs.
	ClientID           string
	ClientSecret       string
	// QueryParameters are extra parameters appended to the authorization request
	// — presumably; confirm in Register.
	QueryParameters    []QueryParameter
	// ProviderID names this provider instance; presumably copied into
	// User.ProviderID — confirm in Register.
	ProviderID         string
	// InsecureCookies presumably allows non-Secure session cookies for plain-HTTP
	// development; keep it false in production.
	InsecureCookies    bool
	// ForceRedirectHttps presumably forces the https scheme on the callback
	// redirect URI — confirm in Register.
	ForceRedirectHttps bool
	// Cookie encodes/decodes the session cookie; its keys must be kept secret.
	Cookie             *securecookie.SecureCookie
	// AuthTimeout bounds how long an authentication attempt may take.
	AuthTimeout        time.Duration
}

type OpenIDConnectCookieHandler

// OpenIDConnectCookieHandler implements the OpenID Connect login flow.
// Construct it with NewOpenIDConnectCookieHandler and wire it into routers
// with Register.
type OpenIDConnectCookieHandler struct {
	// contains filtered or unexported fields
}

func NewOpenIDConnectCookieHandler

func NewOpenIDConnectCookieHandler(log *zap.Logger) *OpenIDConnectCookieHandler

func (*OpenIDConnectCookieHandler) Register

func (h *OpenIDConnectCookieHandler) Register(authorizeRouter, callbackRouter *mux.Router, config OpenIDConnectConfig, hooks Hooks)

type OpenIDConnectFlavor added in v0.126.0

// OpenIDConnectFlavor selects provider-specific behaviour of an
// OpenIDConnectProvider (see OpenIDConnectProviderOptions.Flavor).
type OpenIDConnectFlavor int

const (
	// OpenIDConnectFlavorDefault is the zero value: standard OpenID Connect.
	OpenIDConnectFlavorDefault OpenIDConnectFlavor = iota
	// OpenIDConnectFlavorAuth0 enables Auth0-specific handling; what differs is
	// not visible here — confirm in NewOpenIDConnectProvider.
	OpenIDConnectFlavorAuth0
)

type OpenIDConnectProvider added in v0.126.0

// OpenIDConnectProvider represents one configured OpenID Connect issuer.
// Construct it with NewOpenIDConnectProvider; Disconnect performs the
// provider-side logout.
type OpenIDConnectProvider struct {
	// contains filtered or unexported fields
}

func NewOpenIDConnectProvider added in v0.126.0

func NewOpenIDConnectProvider(issuer string, clientID string, clientSecret string, opts *OpenIDConnectProviderOptions) (*OpenIDConnectProvider, error)

func (*OpenIDConnectProvider) Disconnect added in v0.126.0

func (p *OpenIDConnectProvider) Disconnect(ctx context.Context, user *User) (*OpenIDDisconnectResult, error)

type OpenIDConnectProviderOptions added in v0.126.0

// OpenIDConnectProviderOptions holds the optional settings accepted by
// NewOpenIDConnectProvider.
type OpenIDConnectProviderOptions struct {
	// Flavor selects provider-specific behaviour; the zero value is the default.
	Flavor     OpenIDConnectFlavor
	// HTTPClient is used for calls to the provider; supply one with a timeout.
	HTTPClient *http.Client
	Logger     *zap.Logger
}

type OpenIDConnectProviderSet added in v0.126.0

// OpenIDConnectProviderSet is a collection of providers addressable by id
// (see Add and ByID). UserLogoutHandler uses it to find the provider that
// issued a session.
type OpenIDConnectProviderSet struct {
	// contains filtered or unexported fields
}

func (*OpenIDConnectProviderSet) Add added in v0.126.0

func (*OpenIDConnectProviderSet) ByID added in v0.126.0

type OpenIDDisconnectResult added in v0.126.0

// OpenIDDisconnectResult is returned by OpenIDConnectProvider.Disconnect and
// tells the caller whether the logout needs a further client-side step.
type OpenIDDisconnectResult struct {
	// Redirect indicates an URL that must be visited by the client to complete
	// the logout. Presumably RequiresClientCooperation reports whether it is
	// set — confirm in that method.
	Redirect string `json:"redirect,omitempty"`
}

func (*OpenIDDisconnectResult) RequiresClientCooperation added in v0.126.0

func (r *OpenIDDisconnectResult) RequiresClientCooperation() bool

type QueryParameter added in v0.108.0

// QueryParameter is a single name/value pair; used by
// OpenIDConnectConfig.QueryParameters.
type QueryParameter struct {
	Name  string
	Value string
}

type RBACEnforcer

// RBACEnforcer decides whether a request may run a given operation. Construct
// it with NewRBACEnforcer; Enforce reports whether the request may proceed.
type RBACEnforcer struct {
	// contains filtered or unexported fields
}

func NewRBACEnforcer

func NewRBACEnforcer(operation *wgpb.Operation) *RBACEnforcer

func (*RBACEnforcer) Enforce

func (e *RBACEnforcer) Enforce(r *http.Request) (proceed bool)

type RedirectURIValidator

// RedirectURIValidator checks a request's redirect URI against an allow-list of
// exact strings and regular expressions (see NewRedirectValidator). Use it
// wherever a redirect target comes from the client to avoid open redirects.
type RedirectURIValidator struct {
	// contains filtered or unexported fields
}

func NewRedirectValidator

func NewRedirectValidator(matchString, matchRegex []string) *RedirectURIValidator

func (*RedirectURIValidator) GetValidatedRedirectURI

func (v *RedirectURIValidator) GetValidatedRedirectURI(r *http.Request) (redirectURI string, authorized bool)

type User

// User holds user data for non-public APIs (backend and hooks). Before exposing
// a User publicly, always call User.ToPublic().
//
// Note that the fields after the "Internal fields" marker still carry json tags
// (only ExpiresAt is tagged "-"), so encoding/json serializes them; ToPublic is
// what keeps them from leaving the backend.
type User struct {
	// ProviderName and ProviderID identify the authentication provider the user
	// came from.
	ProviderName      string `json:"provider,omitempty"`
	ProviderID        string `json:"providerId,omitempty"`
	// UserID is the provider-scoped user identifier — presumably the JWT "sub";
	// confirm in Claims.ToUser.
	UserID            string `json:"userId,omitempty"`
	// Profile fields; these mirror the well-known claims in Claims.
	Name              string `json:"name,omitempty"`
	FirstName         string `json:"firstName,omitempty"`
	LastName          string `json:"lastName,omitempty"`
	MiddleName        string `json:"middleName,omitempty"`
	NickName          string `json:"nickName,omitempty"`
	PreferredUsername string `json:"preferredUsername,omitempty"`
	Profile           string `json:"profile,omitempty"`
	Picture           string `json:"picture,omitempty"`
	Website           string `json:"website,omitempty"`
	Email             string `json:"email,omitempty"`
	// EmailVerified is asserted by the identity provider, not checked here.
	EmailVerified     bool   `json:"emailVerified,omitempty"`
	Gender            string `json:"gender,omitempty"`
	BirthDate         string `json:"birthDate,omitempty"`
	ZoneInfo          string `json:"zoneInfo,omitempty"`
	Locale            string `json:"locale,omitempty"`
	Location          string `json:"location,omitempty"`
	// Expires indicates the unix timestamp in milliseconds when this User is
	// considered as expired. This can only be set from the authentication
	// hooks. HasExpired evaluates it.
	Expires *int64 `json:"expires,omitempty"`

	// CustomClaims holds claims beyond the well-known ones (see Claims.Custom).
	CustomClaims     map[string]interface{} `json:"customClaims,omitempty"`
	// CustomAttributes and Roles are authorization inputs. Roles has no
	// omitempty, so a nil slice encodes as JSON null rather than being omitted.
	CustomAttributes []string               `json:"customAttributes,omitempty"`
	Roles            []string               `json:"roles"`
	/* Internal fields */
	// ExpiresAt is the only field excluded from JSON encoding.
	ExpiresAt      time.Time       `json:"-"`
	// ETag presumably supports conditional user requests — confirm in UserHandler.
	ETag           string          `json:"etag,omitempty"`
	// FromCookie presumably records that the user was loaded from the session
	// cookie rather than a bearer token — confirm in User.Load.
	FromCookie     bool            `json:"fromCookie,omitempty"`
	// AccessToken/RawAccessToken and IdToken/RawIDToken presumably hold the
	// provider's tokens in decoded and raw form. They are credentials: keep them
	// out of logs and rely on ToPublic to strip them before a response.
	AccessToken    json.RawMessage `json:"accessToken,omitempty"`
	RawAccessToken string          `json:"rawAccessToken,omitempty"`
	IdToken        json.RawMessage `json:"idToken,omitempty"`
	RawIDToken     string          `json:"rawIdToken,omitempty"`
}

User holds user data for non-public APIs (backend and hooks). Before exposing a User publicly, always call User.ToPublic().

XXX: Keep in sync with the TS side (wellKnownClaimField, type User, type WunderGraphUser)

func UserFromContext

func UserFromContext(ctx context.Context) *User

func (*User) HasExpired added in v0.159.0

func (u *User) HasExpired() bool

HasExpired returns true if and only if the user has expired, as configured by the authentication hooks (via User.Expires).

func (*User) Load

func (u *User) Load(loader *UserLoader, r *http.Request) error

func (*User) Save

func (u *User) Save(s *securecookie.SecureCookie, w http.ResponseWriter, r *http.Request, domain string, insecureCookies bool) error

func (*User) ToPublic added in v0.132.0

func (u *User) ToPublic(publicClaims []string) *User

ToPublic returns a copy of the User with the fields not intended for public consumption erased. If publicClaims is non-empty, only the fields listed in it are included. Each public claim must be either a well-known claim (as in the WG_CLAIM enum) or a JSON path to a custom claim.

type UserHandler added in v0.126.0

// UserHandler serves the current user to API clients (see ServeHTTP). The
// response should only ever contain the ToPublic view of the User.
type UserHandler struct {
	Log             *zap.Logger
	Host            string
	// InsecureCookies presumably allows non-Secure cookies for plain-HTTP
	// development; keep it false in production.
	InsecureCookies bool
	Hooks           Hooks
	// Cookie encodes/decodes the session cookie; its keys are secrets.
	Cookie          *securecookie.SecureCookie
	// PublicClaims is passed to User.ToPublic to restrict which claims are
	// exposed; empty means all public fields.
	PublicClaims    []string
}

func (*UserHandler) ServeHTTP added in v0.126.0

func (u *UserHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type UserLoadConfig

// UserLoadConfig holds the key material used to verify bearer tokens; see
// Keyfunc, which returns nil when no keys are configured.
type UserLoadConfig struct {
	// contains filtered or unexported fields
}

func (*UserLoadConfig) Keyfunc added in v0.128.0

func (cfg *UserLoadConfig) Keyfunc() jwt.Keyfunc

Keyfunc returns a function for retrieving a token key from the UserLoadConfig's key set if there are any keys. Otherwise, it returns nil.

type UserLoader

// UserLoader resolves a User from an incoming request; it is consumed by
// User.Load.
type UserLoader struct {
	// contains filtered or unexported fields
}

type UserLogoutHandler

// UserLogoutHandler ends a user's session (see ServeHTTP), running the
// PostLogout hook and, for OpenID Connect sessions, the provider's Disconnect.
type UserLogoutHandler struct {
	// InsecureCookies presumably must match the value the session cookie was
	// set with so the cookie can be cleared; keep it false in production.
	InsecureCookies bool
	// OpenIDProviders is consulted to find the provider for the session being
	// ended — presumably via ByID; confirm in ServeHTTP.
	OpenIDProviders *OpenIDConnectProviderSet
	Hooks           Hooks
	Log             *zap.Logger
}

func (*UserLogoutHandler) ServeHTTP

func (u *UserLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
