Index ¶
- Constants
- func NewCSRFMw(config CSRFConfig) func(handler http.Handler) http.Handler
- func NewLoadUserMw(config LoadUserConfig) func(handler http.Handler) http.Handler
- func RedirectAlreadyAuthenticatedUsers(matchString, matchRegex []string) func(handler http.Handler) http.Handler
- func RequiresAuthentication(handler http.Handler) http.Handler
- func ValidateRedirectURIQueryParameter(matchString, matchRegex []string) func(handler http.Handler) http.Handler
- type AuthError
- type CSRFConfig
- type CSRFErrorHandler
- type CSRFTokenHandler
- type Claims
- type ClaimsInfo
- type GithubConfig
- type GithubCookieHandler
- type GithubUserEmail
- type GithubUserEmails
- type GithubUserInfo
- type Hooks
- type LoadUserConfig
- type OAuth2AuthenticationConfig
- type OAuth2AuthenticationHandler
- type OAuth2UserRetriever
- type OpenIDConnectConfig
- type OpenIDConnectCookieHandler
- type OpenIDConnectFlavor
- type OpenIDConnectProvider
- type OpenIDConnectProviderOptions
- type OpenIDConnectProviderSet
- type OpenIDDisconnectResult
- type QueryParameter
- type RBACEnforcer
- type RedirectURIValidator
- type User
- type UserHandler
- type UserLoadConfig
- type UserLoader
- type UserLogoutHandler
Constants ¶
const (
	// AuthorizePath indicates the name for the path component used for authorization handlers.
	// Presumably this is the segment mounted on the authorizeRouter that the handlers'
	// Register methods receive — confirm against the router setup, which is not shown here.
	AuthorizePath = "authorize"
	// CallbackPath indicates the name for the path component used for callback handlers.
	// Presumably the segment mounted on the callbackRouter; the redirect URI registered
	// at the identity provider would then need to end in this component — confirm.
	CallbackPath = "callback"
)
Variables ¶
This section is empty.
Functions ¶
func NewLoadUserMw ¶
func NewLoadUserMw(config LoadUserConfig) func(handler http.Handler) http.Handler
Types ¶
type CSRFConfig ¶
type CSRFErrorHandler ¶
// CSRFErrorHandler is an http.Handler (see its ServeHTTP). NOTE(review): by its
// name it serves the response for a failed CSRF check; the body of ServeHTTP is
// not shown here, so confirm what it writes before relying on that.
type CSRFErrorHandler struct {
	// InsecureCookies presumably allows cookies without the Secure attribute
	// (plain-HTTP development only) — confirm against the cookie-writing code.
	InsecureCookies bool
}
func (*CSRFErrorHandler) ServeHTTP ¶
func (u *CSRFErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type CSRFTokenHandler ¶
// CSRFTokenHandler is a field-less http.Handler (see its ServeHTTP); by its
// name it issues CSRF tokens — the handler body is not shown here, confirm.
type CSRFTokenHandler struct{}
func (*CSRFTokenHandler) ServeHTTP ¶
func (*CSRFTokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type Claims ¶
// Claims decodes JWT claims. See https://www.iana.org/assignments/jwt/jwt.xhtml.
// The json tags are the registered OIDC claim names; only Raw is excluded
// from JSON output (json:"-").
type Claims struct {
	Issuer            string `json:"iss"`
	Subject           string `json:"sub"`
	Name              string `json:"name"`
	GivenName         string `json:"given_name"`
	FamilyName        string `json:"family_name"`
	MiddleName        string `json:"middle_name"`
	NickName          string `json:"nickname"`
	PreferredUsername string `json:"preferred_username"`
	Profile           string `json:"profile"`
	Picture           string `json:"picture"`
	Website           string `json:"website"`
	Email             string `json:"email"`
	// EmailVerified is the provider's own assertion. NOTE(review): callers that
	// key accounts on Email should treat it as unverified unless this is true —
	// confirm how the user-loading code uses it.
	EmailVerified bool   `json:"email_verified"`
	Gender        string `json:"gender"`
	BirthDate     string `json:"birthdate"`
	ZoneInfo      string `json:"zoneinfo"`
	Locale        string `json:"locale"`
	Location      string `json:"location"`
	// Raw presumably holds the complete decoded claim set, including claims
	// without a typed field above; the "-" tag keeps it out of JSON output.
	Raw map[string]interface{} `json:"-"`
}
Claims decodes JWT claims. See https://www.iana.org/assignments/jwt/jwt.xhtml.
type ClaimsInfo ¶
type GithubConfig ¶
// GithubConfig configures a GithubCookieHandler (see NewGithubCookieHandler).
type GithubConfig struct {
	ClientID string
	// ClientSecret is the OAuth client credential. NOTE(review): keep it out of
	// logs and out of any serialized form of this struct.
	ClientSecret string
	ProviderID   string
	// InsecureCookies presumably drops the Secure attribute from issued cookies
	// (plain-HTTP development only) — confirm against the cookie-writing code.
	InsecureCookies bool
	// ForceRedirectHttps presumably forces https in generated redirect URLs,
	// e.g. behind a TLS-terminating proxy — confirm.
	ForceRedirectHttps bool
	// Cookie is the codec for the session cookie; presumably shared with the
	// other handlers that carry a field of the same type.
	Cookie *securecookie.SecureCookie
	// AuthTimeout presumably bounds how long an authorization round trip
	// (authorize -> callback) may take — confirm.
	AuthTimeout time.Duration
}
type GithubCookieHandler ¶
// GithubCookieHandler is built with NewGithubCookieHandler and attaches its
// routes to the authorize and callback routers via Register.
type GithubCookieHandler struct {
	// contains filtered or unexported fields
}
func NewGithubCookieHandler ¶
func NewGithubCookieHandler(config GithubConfig, hooks Hooks, log *zap.Logger) *GithubCookieHandler
func (*GithubCookieHandler) Register ¶
func (h *GithubCookieHandler) Register(authorizeRouter, callbackRouter *mux.Router)
type GithubUserEmail ¶
type GithubUserEmails ¶
// GithubUserEmails is a list of GithubUserEmail entries (presumably the decoded
// response of GitHub's user-emails endpoint — confirm).
type GithubUserEmails []GithubUserEmail
type GithubUserInfo ¶
type Hooks ¶
// Hooks represents the interface for the available authentication hooks.
// Each hook receives the request context and the User in question; a non-nil
// error presumably aborts the flow that invoked the hook — confirm against the
// callers, which are not shown here.
type Hooks interface {
	// PostAuthentication runs after authentication and doesn't mutate the user.
	PostAuthentication(ctx context.Context, user *User) error
	// MutatingPostAuthentication runs after PostAuthentication and might mutate
	// the user. The returned *User presumably replaces the input for the rest
	// of the flow.
	MutatingPostAuthentication(ctx context.Context, user *User) (*User, error)
	// PostLogout runs after logout and doesn't mutate the user.
	PostLogout(ctx context.Context, user *User) error
	// RevalidateAuthentication is used when an API client requests that the
	// authenticated user be revalidated. It might mutate the user.
	RevalidateAuthentication(ctx context.Context, user *User) (*User, error)
}
Hooks represents the interface for the available authentication hooks.
type LoadUserConfig ¶
// LoadUserConfig configures the middleware returned by NewLoadUserMw.
type LoadUserConfig struct {
	Log *zap.Logger
	// Cookie is the codec used to read the session cookie — presumably the same
	// instance the authentication handlers wrote it with.
	Cookie *securecookie.SecureCookie
	// CSRFSecret is key material. NOTE(review): keep it out of logs and do not
	// serialize this struct.
	CSRFSecret []byte
	// JwksProviders lists the JWKS-backed token verifiers; presumably consumed
	// through UserLoadConfig.Keyfunc — confirm.
	JwksProviders []*wgpb.JwksAuthProvider
	Hooks         Hooks
}
type OAuth2AuthenticationConfig ¶ added in v0.167.0
// OAuth2AuthenticationConfig configures an OAuth2AuthenticationHandler
// (see NewOAuth2AuthenticationHandler).
type OAuth2AuthenticationConfig struct {
	ProviderID string
	ClientID   string
	// ClientSecret is the OAuth client credential. NOTE(review): keep it out of
	// logs and out of any serialized form of this struct.
	ClientSecret string
	// Endpoint holds the provider's authorization and token URLs.
	Endpoint oauth2.Endpoint
	Scopes   []string
	// AuthTimeout presumably bounds the authorize -> callback round trip — confirm.
	AuthTimeout time.Duration
	// ForceRedirectHttps presumably forces https in generated redirect URLs — confirm.
	ForceRedirectHttps bool
	// QueryParameters are extra parameters added to the authorization request — presumably.
	QueryParameters []QueryParameter
	Hooks           Hooks
	Cookie          *securecookie.SecureCookie
	// InsecureCookies presumably drops the Secure attribute from issued cookies — confirm.
	InsecureCookies bool
	Log             *zap.Logger
}
type OAuth2AuthenticationHandler ¶ added in v0.167.0
// OAuth2AuthenticationHandler is built with NewOAuth2AuthenticationHandler and
// exposes the two halves of the flow as Authorize and Callback; the user
// profile is fetched through the supplied OAuth2UserRetriever.
type OAuth2AuthenticationHandler struct {
	// contains filtered or unexported fields
}
func NewOAuth2AuthenticationHandler ¶ added in v0.167.0
func NewOAuth2AuthenticationHandler(config OAuth2AuthenticationConfig, retriever OAuth2UserRetriever) *OAuth2AuthenticationHandler
func (*OAuth2AuthenticationHandler) Authorize ¶ added in v0.167.0
func (h *OAuth2AuthenticationHandler) Authorize(w http.ResponseWriter, r *http.Request)
func (*OAuth2AuthenticationHandler) Callback ¶ added in v0.167.0
func (h *OAuth2AuthenticationHandler) Callback(w http.ResponseWriter, r *http.Request)
type OAuth2UserRetriever ¶ added in v0.167.0
type OpenIDConnectConfig ¶
// OpenIDConnectConfig configures an OpenIDConnectCookieHandler
// (see NewOpenIDConnectCookieHandler).
type OpenIDConnectConfig struct {
	// Issuer is the OIDC issuer URL; presumably used for discovery and must
	// match the iss claim of issued tokens — confirm.
	Issuer   string
	ClientID string
	// ClientSecret is the OIDC client credential. NOTE(review): keep it out of
	// logs and out of any serialized form of this struct.
	ClientSecret string
	// QueryParameters are extra parameters added to the authorization request — presumably.
	QueryParameters []QueryParameter
	ProviderID      string
	// InsecureCookies presumably drops the Secure attribute from issued cookies — confirm.
	InsecureCookies bool
	// ForceRedirectHttps presumably forces https in generated redirect URLs — confirm.
	ForceRedirectHttps bool
	Cookie             *securecookie.SecureCookie
	// AuthTimeout presumably bounds the authorize -> callback round trip — confirm.
	AuthTimeout time.Duration
}
type OpenIDConnectCookieHandler ¶
// OpenIDConnectCookieHandler is built with NewOpenIDConnectCookieHandler (which
// can fail, so its error must be checked) and attaches its routes via Register.
type OpenIDConnectCookieHandler struct {
	// contains filtered or unexported fields
}
func NewOpenIDConnectCookieHandler ¶
func NewOpenIDConnectCookieHandler(config OpenIDConnectConfig, hooks Hooks, log *zap.Logger) (*OpenIDConnectCookieHandler, error)
func (*OpenIDConnectCookieHandler) Register ¶
func (h *OpenIDConnectCookieHandler) Register(authorizeRouter, callbackRouter *mux.Router)
type OpenIDConnectFlavor ¶ added in v0.126.0
// OpenIDConnectFlavor selects provider-specific OIDC behaviour; set it through
// OpenIDConnectProviderOptions.Flavor.
type OpenIDConnectFlavor int
const (
	// OpenIDConnectFlavorDefault is the zero value, so it applies whenever
	// OpenIDConnectProviderOptions.Flavor is left unset.
	OpenIDConnectFlavorDefault OpenIDConnectFlavor = iota
	// OpenIDConnectFlavorAuth0 enables Auth0-specific handling — presumably in
	// Disconnect/logout; confirm.
	OpenIDConnectFlavorAuth0
)
type OpenIDConnectProvider ¶ added in v0.126.0
// OpenIDConnectProvider is built with NewOpenIDConnectProvider and offers
// Disconnect, which ends a User's session at the identity provider.
type OpenIDConnectProvider struct {
	// contains filtered or unexported fields
}
func NewOpenIDConnectProvider ¶ added in v0.126.0
func NewOpenIDConnectProvider(issuer string, clientID string, clientSecret string, opts *OpenIDConnectProviderOptions) (*OpenIDConnectProvider, error)
func (*OpenIDConnectProvider) Disconnect ¶ added in v0.126.0
func (p *OpenIDConnectProvider) Disconnect(ctx context.Context, user *User) (*OpenIDDisconnectResult, error)
type OpenIDConnectProviderOptions ¶ added in v0.126.0
// OpenIDConnectProviderOptions are the optional settings accepted by
// NewOpenIDConnectProvider (opts may be nil).
type OpenIDConnectProviderOptions struct {
	Flavor OpenIDConnectFlavor
	// HTTPClient is used for outbound calls to the provider — presumably.
	// NOTE(review): an *http.Client with a zero Timeout has no overall deadline;
	// callers should supply one.
	HTTPClient *http.Client
	Logger     *zap.Logger
}
type OpenIDConnectProviderSet ¶ added in v0.126.0
// OpenIDConnectProviderSet maps provider ids to *OpenIDConnectProvider; both
// Add and ByID return an error, so callers must check it (duplicate or unknown
// ids, presumably).
type OpenIDConnectProviderSet struct {
	// contains filtered or unexported fields
}
func (*OpenIDConnectProviderSet) Add ¶ added in v0.126.0
func (s *OpenIDConnectProviderSet) Add(id string, p *OpenIDConnectProvider) error
func (*OpenIDConnectProviderSet) ByID ¶ added in v0.126.0
func (s *OpenIDConnectProviderSet) ByID(id string) (*OpenIDConnectProvider, error)
type OpenIDDisconnectResult ¶ added in v0.126.0
// OpenIDDisconnectResult is returned by OpenIDConnectProvider.Disconnect.
type OpenIDDisconnectResult struct {
	// Redirect indicates a URL that must be visited by the client to complete
	// the logout. Presumably RequiresClientCooperation reports whether it is
	// non-empty — confirm.
	Redirect string `json:"redirect,omitempty"`
}
func (*OpenIDDisconnectResult) RequiresClientCooperation ¶ added in v0.126.0
func (r *OpenIDDisconnectResult) RequiresClientCooperation() bool
type QueryParameter ¶ added in v0.108.0
type RBACEnforcer ¶
// RBACEnforcer is built with NewRBACEnforcer from a *wgpb.Operation; by its
// name it checks a User's roles against that operation's requirements — the
// enforcement method is not shown here, confirm.
type RBACEnforcer struct {
	// contains filtered or unexported fields
}
func NewRBACEnforcer ¶
func NewRBACEnforcer(operation *wgpb.Operation) *RBACEnforcer
type RedirectURIValidator ¶
// RedirectURIValidator is built with NewRedirectValidator from literal
// (matchString) and regular-expression (matchRegex) allow-lists — presumably.
// GetValidatedRedirectURI returns (redirectURI, authorized); callers must
// redirect only when authorized is true. NOTE(review): confirm the regexes are
// anchored, otherwise an allowed substring would match unrelated hosts.
type RedirectURIValidator struct {
	// contains filtered or unexported fields
}
func NewRedirectValidator ¶
func NewRedirectValidator(matchString, matchRegex []string) *RedirectURIValidator
func (*RedirectURIValidator) GetValidatedRedirectURI ¶
func (v *RedirectURIValidator) GetValidatedRedirectURI(r *http.Request) (redirectURI string, authorized bool)
type User ¶
// User holds user data for non public APIs (backend and hooks). Before
// exposing a User publicly, always call User.ToPublic(): only ExpiresAt is
// tagged json:"-", so a plain json.Marshal of this struct also emits the
// access/ID tokens and ETag from the internal section below.
type User struct {
	ProviderName      string `json:"provider,omitempty"`
	ProviderID        string `json:"providerId,omitempty"`
	UserID            string `json:"userId,omitempty"`
	Name              string `json:"name,omitempty"`
	FirstName         string `json:"firstName,omitempty"`
	LastName          string `json:"lastName,omitempty"`
	MiddleName        string `json:"middleName,omitempty"`
	NickName          string `json:"nickName,omitempty"`
	PreferredUsername string `json:"preferredUsername,omitempty"`
	Profile           string `json:"profile,omitempty"`
	Picture           string `json:"picture,omitempty"`
	Website           string `json:"website,omitempty"`
	Email             string `json:"email,omitempty"`
	EmailVerified     bool   `json:"emailVerified,omitempty"`
	Gender            string `json:"gender,omitempty"`
	BirthDate         string `json:"birthDate,omitempty"`
	ZoneInfo          string `json:"zoneInfo,omitempty"`
	Locale            string `json:"locale,omitempty"`
	Location          string `json:"location,omitempty"`
	// Expires indicates the unix timestamp in milliseconds when this User is
	// considered as expired. This can only be set from the authentication
	// hooks.
	Expires          *int64                 `json:"expires,omitempty"`
	CustomClaims     map[string]interface{} `json:"customClaims,omitempty"`
	CustomAttributes []string               `json:"customAttributes,omitempty"`
	// Roles has no omitempty, so it is always present in JSON (null when nil).
	Roles []string `json:"roles"`
	/* Internal fields */
	// ExpiresAt is the only internal field excluded from JSON.
	ExpiresAt  time.Time `json:"-"`
	ETag       string    `json:"etag,omitempty"`
	FromCookie bool      `json:"fromCookie,omitempty"`
	// AccessToken, RawAccessToken, IdToken and RawIDToken are bearer
	// credentials. Their tags only omit them when empty, so they are serialized
	// whenever set; rely on ToPublic to strip them, and never log a User verbatim.
	AccessToken    json.RawMessage `json:"accessToken,omitempty"`
	RawAccessToken string          `json:"rawAccessToken,omitempty"`
	IdToken        json.RawMessage `json:"idToken,omitempty"`
	RawIDToken     string          `json:"rawIdToken,omitempty"`
}
User holds user data for non public APIs (backend and hooks). Before exposing a User publicly, always call User.ToPublic().
XXX: Keep in sync with the TS side (wellKnownClaimField, type User, type WunderGraphUser)
func UserFromContext ¶
func (*User) HasExpired ¶ added in v0.159.0
HasExpired returns true iff the user has expired, as configured by the authentication hooks (via User.Expires).
func (*User) Save ¶
func (u *User) Save(s *securecookie.SecureCookie, w http.ResponseWriter, r *http.Request, domain string, insecureCookies bool) error
func (*User) ToPublic ¶ added in v0.132.0
ToPublic returns a copy of the User with fields not intended for public consumption erased. If publicClaims is non-empty, only the fields listed in it are included. Each public claim must be either a well-known claim (as in the WG_CLAIM enum) or a JSON path to a custom claim.
type UserHandler ¶ added in v0.126.0
// UserHandler is the http.Handler that serves the current user (see ServeHTTP);
// the fields are set directly, there is no constructor.
type UserHandler struct {
	Log  *zap.Logger
	Host string
	// InsecureCookies presumably drops the Secure attribute from issued cookies — confirm.
	InsecureCookies bool
	Hooks           Hooks
	Cookie          *securecookie.SecureCookie
	// PublicClaims presumably is passed as publicClaims to User.ToPublic, so it
	// restricts which fields the response exposes — confirm against ServeHTTP.
	PublicClaims []string
}
func (*UserHandler) ServeHTTP ¶ added in v0.126.0
func (u *UserHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type UserLoadConfig ¶
// UserLoadConfig carries the per-provider settings used to load a User from a
// request; Keyfunc exposes its key set to the JWT parser (and returns nil when
// the set is empty).
type UserLoadConfig struct {
	// contains filtered or unexported fields
}
func (*UserLoadConfig) Keyfunc ¶ added in v0.128.0
func (cfg *UserLoadConfig) Keyfunc() jwt.Keyfunc
Keyfunc returns a function for retrieving a token key from the UserLoadConfig's key set if there are any keys. Otherwise, it returns nil.
type UserLoader ¶
// UserLoader resolves the User for an incoming request — presumably the type
// behind the NewLoadUserMw middleware; its constructor and methods are not
// shown here.
type UserLoader struct {
	// contains filtered or unexported fields
}
type UserLogoutHandler ¶
// UserLogoutHandler is the http.Handler that ends a session (see ServeHTTP);
// the fields are set directly, there is no constructor.
type UserLogoutHandler struct {
	// InsecureCookies presumably controls the Secure attribute when the session
	// cookie is cleared — confirm against ServeHTTP.
	InsecureCookies bool
	// OpenIDProviders presumably is looked up by the user's ProviderID so that
	// OpenIDConnectProvider.Disconnect can end the upstream session — confirm.
	OpenIDProviders *OpenIDConnectProviderSet
	// Hooks.PostLogout is presumably invoked from ServeHTTP — confirm.
	Hooks Hooks
	Log   *zap.Logger
}
func (*UserLogoutHandler) ServeHTTP ¶
func (u *UserLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)