Documentation ¶
Index ¶
- Constants
- func NewCSRFMw(config CSRFConfig) func(handler http.Handler) http.Handler
- func NewLoadUserMw(config LoadUserConfig) func(handler http.Handler) http.Handler
- func RedirectAlreadyAuthenticatedUsers(matchString, matchRegex []string) func(handler http.Handler) http.Handler
- func RequiresAuthentication(handler http.Handler) http.Handler
- func ValidateRedirectURIQueryParameter(matchString, matchRegex []string) func(handler http.Handler) http.Handler
- type AuthError
- type CSRFConfig
- type CSRFErrorHandler
- type CSRFTokenHandler
- type Claims
- type ClaimsInfo
- type GithubConfig
- type GithubCookieHandler
- type GithubUserEmail
- type GithubUserEmails
- type GithubUserInfo
- type Hooks
- type LoadUserConfig
- type OAuth2AuthenticationConfig
- type OAuth2AuthenticationHandler
- type OAuth2UserRetriever
- type OpenIDConnectConfig
- type OpenIDConnectCookieHandler
- type OpenIDConnectFlavor
- type OpenIDConnectProvider
- type OpenIDConnectProviderOptions
- type OpenIDConnectProviderSet
- type OpenIDDisconnectResult
- type ProviderConfig
- type QueryParameter
- type RBACEnforcer
- type RedirectURIValidator
- type User
- type UserHandler
- type UserLoadConfig
- type UserLoader
- type UserLogoutHandler
Constants ¶
const (
	// AuthorizePath indicates the name for the path component used for authorization handlers.
	// Both GithubCookieHandler.Register and OpenIDConnectCookieHandler.Register take a
	// separate authorize router and callback router; presumably the handlers are mounted
	// under these two path components on those routers — confirm against Register.
	AuthorizePath = "authorize"
	// CallbackPath indicates the name for the path component used for callback handlers.
	CallbackPath = "callback"
)
Functions ¶
func NewLoadUserMw ¶
func NewLoadUserMw(config LoadUserConfig) func(handler http.Handler) http.Handler
Types ¶
type CSRFConfig ¶
type CSRFErrorHandler ¶
// CSRFErrorHandler is a stateless http.Handler (see its ServeHTTP method).
// NOTE(review): presumably the handler a CSRF middleware built by NewCSRFMw
// invokes when token validation fails — confirm against CSRFConfig.
type CSRFErrorHandler struct { }
func (*CSRFErrorHandler) ServeHTTP ¶
func (u *CSRFErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type CSRFTokenHandler ¶
// CSRFTokenHandler is a stateless http.Handler (see its ServeHTTP method).
// NOTE(review): presumably issues the CSRF token to the client so it can be
// echoed back to the NewCSRFMw middleware — confirm against ServeHTTP.
type CSRFTokenHandler struct{}
func (*CSRFTokenHandler) ServeHTTP ¶
func (*CSRFTokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type Claims ¶
// Claims maps the standard OpenID Connect / IANA-registered claim names onto
// typed fields. Only the email_verified pair and Raw have non-default handling.
type Claims struct {
	Issuer            string `json:"iss"`
	Subject           string `json:"sub"`
	Name              string `json:"name"`
	GivenName         string `json:"given_name"`
	FamilyName        string `json:"family_name"`
	MiddleName        string `json:"middle_name"`
	NickName          string `json:"nickname"`
	PreferredUsername string `json:"preferred_username"`
	Profile           string `json:"profile"`
	Picture           string `json:"picture"`
	Website           string `json:"website"`
	Email             string `json:"email"`
	// EmailVerified is excluded from JSON (tag "-"), so decoding never sets it.
	// NOTE(review): presumably derived from EmailVerifiedRaw after decoding;
	// providers are known to send email_verified as a bool or as the string
	// "true"/"false", which would explain why the raw value is kept untyped —
	// confirm where the normalization happens. Treat Email as an identity for
	// account linking only when this is true.
	EmailVerified bool `json:"-"`
	// EmailVerifiedRaw receives the provider's email_verified value exactly as
	// sent, whatever its JSON type.
	EmailVerifiedRaw interface{} `json:"email_verified"`
	Gender           string      `json:"gender"`
	BirthDate        string      `json:"birthdate"`
	ZoneInfo         string      `json:"zoneinfo"`
	Locale           string      `json:"locale"`
	Location         string      `json:"location"`
	// Raw is excluded from JSON decoding (tag "-"); presumably populated
	// separately with the complete claim set, including non-standard claims —
	// confirm against the decoder that fills it.
	Raw map[string]interface{} `json:"-"`
}
Claims decodes JWT claims. See https://www.iana.org/assignments/jwt/jwt.xhtml.
type ClaimsInfo ¶
type GithubConfig ¶
// GithubConfig configures a GithubCookieHandler (see NewGithubCookieHandler).
type GithubConfig struct {
	// Provider holds the settings shared by all provider types (cookies,
	// redirect protocol, auth timeout).
	Provider ProviderConfig
	ClientID string
	// ClientSecret is credential material: keep it out of logs, error
	// messages and any serialized form of this config.
	ClientSecret string
}
type GithubCookieHandler ¶
// GithubCookieHandler implements the GitHub login flow; construct it with
// NewGithubCookieHandler and mount it with Register.
type GithubCookieHandler struct {
// contains filtered or unexported fields
}
func NewGithubCookieHandler ¶
func NewGithubCookieHandler(config GithubConfig, hooks Hooks, log *zap.Logger) *GithubCookieHandler
func (*GithubCookieHandler) Register ¶
func (h *GithubCookieHandler) Register(authorizeRouter, callbackRouter *mux.Router)
type GithubUserEmail ¶
type GithubUserEmails ¶
// GithubUserEmails is the list type for GithubUserEmail entries (the element
// fields are not shown on this page).
type GithubUserEmails []GithubUserEmail
type GithubUserInfo ¶
type Hooks ¶
// Hooks is implemented by the application and is called by every provider
// handler and by the user loader/logout handler (see their config structs).
// NOTE(review): the two mutating hooks return a *User that presumably replaces
// the authenticated identity, so hook implementations sit inside the
// authentication trust boundary — confirm against the callers.
type Hooks interface {
	// PostAuthentication runs after authentication and doesn't mutate the user
	PostAuthentication(ctx context.Context, user *User) error
	// MutatingPostAuthentication runs after PostAuthentication and might mutate the user
	MutatingPostAuthentication(ctx context.Context, user *User) (*User, error)
	// PostLogout runs after logout and doesn't mutate the user
	PostLogout(ctx context.Context, user *User) error
	// RevalidateAuthentication is used when an API client request the
	// authenticated user to be revalidated. It might mutate the user
	RevalidateAuthentication(ctx context.Context, user *User) (*User, error)
}
Hooks represents the interface for the available authentication hooks
type LoadUserConfig ¶
// LoadUserConfig configures the middleware returned by NewLoadUserMw.
type LoadUserConfig struct {
	Log    *zap.Logger
	Cookie *securecookie.SecureCookie
	// InsecureCookies — NOTE(review): presumably drops the Secure attribute on
	// emitted cookies (as the same flag on User.Save suggests); only ever set
	// this for local, non-TLS development — confirm against Save.
	InsecureCookies bool
	// CSRFSecret is secret key material; keep it out of logs and config dumps.
	CSRFSecret []byte
	// JwksProviders lists the JWKS-backed token providers; presumably the source
	// of the key set consulted by UserLoadConfig.Keyfunc — confirm.
	JwksProviders []*wgpb.JwksAuthProvider
	Hooks         Hooks
}
type OAuth2AuthenticationConfig ¶ added in v0.167.0
// OAuth2AuthenticationConfig configures a generic OAuth2 provider handled by
// OAuth2AuthenticationHandler (see NewOAuth2AuthenticationHandler).
type OAuth2AuthenticationConfig struct {
	Provider ProviderConfig
	ClientID string
	// ClientSecret is credential material; keep it out of logs and dumps.
	ClientSecret string
	Endpoint     oauth2.Endpoint
	Scopes       []string
	// QueryParameters are extra parameters added to the provider request;
	// see QueryParameter.
	QueryParameters []QueryParameter
	Hooks           Hooks
	Log             *zap.Logger
}
type OAuth2AuthenticationHandler ¶ added in v0.167.0
// OAuth2AuthenticationHandler exposes the two halves of the authorization-code
// flow as plain handlers: Authorize (redirect to the provider) and Callback
// (provider redirects back here). User details come from the
// OAuth2UserRetriever passed to NewOAuth2AuthenticationHandler.
type OAuth2AuthenticationHandler struct {
// contains filtered or unexported fields
}
func NewOAuth2AuthenticationHandler ¶ added in v0.167.0
func NewOAuth2AuthenticationHandler(config OAuth2AuthenticationConfig, retriever OAuth2UserRetriever) *OAuth2AuthenticationHandler
func (*OAuth2AuthenticationHandler) Authorize ¶ added in v0.167.0
func (h *OAuth2AuthenticationHandler) Authorize(w http.ResponseWriter, r *http.Request)
func (*OAuth2AuthenticationHandler) Callback ¶ added in v0.167.0
func (h *OAuth2AuthenticationHandler) Callback(w http.ResponseWriter, r *http.Request)
type OAuth2UserRetriever ¶ added in v0.167.0
type OpenIDConnectConfig ¶
// OpenIDConnectConfig configures an OpenIDConnectCookieHandler
// (see NewOpenIDConnectCookieHandler).
type OpenIDConnectConfig struct {
	Provider ProviderConfig
	// Issuer is passed through to NewOpenIDConnectProvider; presumably used for
	// OIDC discovery and for checking the id token's iss claim — confirm.
	Issuer   string
	ClientID string
	// ClientSecret is credential material; keep it out of logs and dumps.
	ClientSecret    string
	QueryParameters []QueryParameter
}
type OpenIDConnectCookieHandler ¶
// OpenIDConnectCookieHandler implements the OpenID Connect login flow;
// construct it with NewOpenIDConnectCookieHandler (which can fail, presumably
// on discovery or config errors) and mount it with Register.
type OpenIDConnectCookieHandler struct {
// contains filtered or unexported fields
}
func NewOpenIDConnectCookieHandler ¶
func NewOpenIDConnectCookieHandler(config OpenIDConnectConfig, hooks Hooks, log *zap.Logger) (*OpenIDConnectCookieHandler, error)
func (*OpenIDConnectCookieHandler) Register ¶
func (h *OpenIDConnectCookieHandler) Register(authorizeRouter, callbackRouter *mux.Router)
type OpenIDConnectFlavor ¶ added in v0.126.0
// OpenIDConnectFlavor selects provider-specific behaviour in
// OpenIDConnectProviderOptions; the zero value is the default flavor.
type OpenIDConnectFlavor int

const (
	// OpenIDConnectFlavorDefault is the standards-only behaviour (zero value).
	OpenIDConnectFlavorDefault OpenIDConnectFlavor = iota
	// OpenIDConnectFlavorAuth0 enables Auth0-specific handling; what differs is
	// not shown on this page — see NewOpenIDConnectProvider.
	OpenIDConnectFlavorAuth0
)
type OpenIDConnectProvider ¶ added in v0.126.0
// OpenIDConnectProvider represents one configured OIDC issuer. It is created
// by NewOpenIDConnectProvider and can be stored in an OpenIDConnectProviderSet;
// Disconnect handles provider-side logout for a User.
type OpenIDConnectProvider struct {
// contains filtered or unexported fields
}
func NewOpenIDConnectProvider ¶ added in v0.126.0
func NewOpenIDConnectProvider(issuer string, clientID string, clientSecret string, opts *OpenIDConnectProviderOptions) (*OpenIDConnectProvider, error)
func (*OpenIDConnectProvider) Disconnect ¶ added in v0.126.0
func (p *OpenIDConnectProvider) Disconnect(ctx context.Context, user *User) (*OpenIDDisconnectResult, error)
type OpenIDConnectProviderOptions ¶ added in v0.126.0
// OpenIDConnectProviderOptions carries the optional settings for
// NewOpenIDConnectProvider (a nil *OpenIDConnectProviderOptions is accepted by
// its signature; how it is treated is not shown here).
type OpenIDConnectProviderOptions struct {
	Flavor OpenIDConnectFlavor
	// HTTPClient is used for provider requests. Supply one with a Timeout set;
	// a nil value presumably falls back to a default client — confirm.
	HTTPClient *http.Client
	Logger     *zap.Logger
}
type OpenIDConnectProviderSet ¶ added in v0.126.0
// OpenIDConnectProviderSet is a registry of providers keyed by id; populate it
// with Add (which can return an error, presumably on a duplicate id — confirm)
// and look providers up with ByID. UserLogoutHandler uses it to find the
// provider to disconnect from.
type OpenIDConnectProviderSet struct {
// contains filtered or unexported fields
}
func (*OpenIDConnectProviderSet) Add ¶ added in v0.126.0
func (s *OpenIDConnectProviderSet) Add(id string, p *OpenIDConnectProvider) error
func (*OpenIDConnectProviderSet) ByID ¶ added in v0.126.0
func (s *OpenIDConnectProviderSet) ByID(id string) (*OpenIDConnectProvider, error)
type OpenIDDisconnectResult ¶ added in v0.126.0
// OpenIDDisconnectResult is returned by OpenIDConnectProvider.Disconnect.
type OpenIDDisconnectResult struct {
	// Redirect indicates an URL that must be visited by the client to complete the logout.
	// Empty when the logout finished server-side; RequiresClientCooperation presumably
	// reports exactly that distinction — confirm.
	Redirect string `json:"redirect,omitempty"`
}
func (*OpenIDDisconnectResult) RequiresClientCooperation ¶ added in v0.126.0
func (r *OpenIDDisconnectResult) RequiresClientCooperation() bool
type ProviderConfig ¶ added in v0.174.0
type ProviderConfig struct {
	// ID identifies this provider; presumably what ends up in User.ProviderID — confirm.
	ID string
	// InsecureCookies — NOTE(review): presumably drops the Secure attribute on
	// emitted cookies; only for local non-TLS development — confirm.
	InsecureCookies bool
	// ForceRedirectHttps makes all redirect_uris become HTTPS when
	// redirecting out to the provider. Set it behind a TLS-terminating proxy
	// so the scheme never has to be guessed (see RedirectProtocol).
	ForceRedirectHttps bool
	Cookie             *securecookie.SecureCookie
	// AuthTimeout bounds the authentication flow; what it is applied to is not
	// shown on this page.
	AuthTimeout time.Duration
}
ProviderConfig holds the common configuration between all authentication provider types
func (*ProviderConfig) RedirectProtocol ¶ added in v0.174.0
func (c *ProviderConfig) RedirectProtocol(r *http.Request, redirectURI string) string
RedirectProtocol returns the protocol that should be used for the redirect to this provider and back into the application. If ForceRedirectHttps is set, it is always "https". Otherwise the protocol is guessed from the incoming request and the redirectURI to be used after authentication. Deployments that terminate TLS at a proxy should set ForceRedirectHttps rather than rely on the guess: request-derived signals (such as forwarded-protocol headers) can be absent or attacker-supplied if the proxy does not strip them, which would downgrade the redirect to plain HTTP.
type QueryParameter ¶ added in v0.108.0
type RBACEnforcer ¶
// RBACEnforcer is built per operation by NewRBACEnforcer from that operation's
// configuration; presumably it checks User.Roles against the operation's
// role requirements — its methods are not shown on this page.
type RBACEnforcer struct {
// contains filtered or unexported fields
}
func NewRBACEnforcer ¶
func NewRBACEnforcer(operation *wgpb.Operation) *RBACEnforcer
type RedirectURIValidator ¶
// RedirectURIValidator decides whether a post-login redirect target is allowed.
// It is built from an exact-match list and a regex list (NewRedirectValidator);
// ValidateRedirectURIQueryParameter and RedirectAlreadyAuthenticatedUsers take
// the same two lists and are presumably built on it.
//
// NOTE(review): this is the open-redirect guard, so the patterns matter. A
// regex that is not anchored (e.g. `https://app\.example\.com`) also matches
// `https://app.example.com.evil.tld/…`; confirm whether the validator anchors
// patterns itself, and if not, anchor them with ^…$ in the configuration.
type RedirectURIValidator struct {
// contains filtered or unexported fields
}
func NewRedirectValidator ¶
func NewRedirectValidator(matchString, matchRegex []string) *RedirectURIValidator
func (*RedirectURIValidator) GetValidatedRedirectURI ¶
func (v *RedirectURIValidator) GetValidatedRedirectURI(r *http.Request) (redirectURI string, authorized bool)
func (*RedirectURIValidator) IsValid ¶ added in v0.175.0
func (v *RedirectURIValidator) IsValid(redirectURI string) bool
type User ¶
// User carries both the public profile claims and the credential material
// obtained during login. Note that every field except ExpiresAt has a JSON tag,
// so a plain json.Marshal of a User includes the access, id and refresh tokens.
type User struct {
	ProviderName      string `json:"provider,omitempty"`
	ProviderID        string `json:"providerId,omitempty"`
	UserID            string `json:"userId,omitempty"`
	Name              string `json:"name,omitempty"`
	FirstName         string `json:"firstName,omitempty"`
	LastName          string `json:"lastName,omitempty"`
	MiddleName        string `json:"middleName,omitempty"`
	NickName          string `json:"nickName,omitempty"`
	PreferredUsername string `json:"preferredUsername,omitempty"`
	Profile           string `json:"profile,omitempty"`
	Picture           string `json:"picture,omitempty"`
	Website           string `json:"website,omitempty"`
	Email             string `json:"email,omitempty"`
	// EmailVerified uses omitempty, so false is dropped from the output; a
	// consumer cannot distinguish "unverified" from "not reported".
	EmailVerified bool   `json:"emailVerified,omitempty"`
	Gender        string `json:"gender,omitempty"`
	BirthDate     string `json:"birthDate,omitempty"`
	ZoneInfo      string `json:"zoneInfo,omitempty"`
	Locale        string `json:"locale,omitempty"`
	Location      string `json:"location,omitempty"`
	// Expires indicate the unix timestamp in milliseconds when this User is
	// considered as expired. This can only be set from the authentication
	// hooks. HasExpired is the accessor that interprets it.
	Expires          *int64                 `json:"expires,omitempty"`
	CustomClaims     map[string]interface{} `json:"customClaims,omitempty"`
	CustomAttributes []string               `json:"customAttributes,omitempty"`
	// Roles has no omitempty: it is always emitted, as null when nil.
	Roles []string `json:"roles"`
	/* Internal fields */
	// ExpiresAt is the only field excluded from JSON (tag "-").
	ExpiresAt time.Time `json:"-"`
	ETag      string    `json:"etag,omitempty"`
	// FromCookie marks a User that was loaded from the session cookie rather
	// than from a token — presumably set by Load; confirm.
	FromCookie bool `json:"fromCookie,omitempty"`
	// The remaining fields are credentials. They are serialized under these
	// keys (presumably so Save can persist them in the cookie), which is why
	// ToPublic must be called before a User leaves the backend.
	AccessToken    json.RawMessage `json:"accessToken,omitempty"`
	RawAccessToken string          `json:"rawAccessToken,omitempty"`
	IdToken        json.RawMessage `json:"idToken,omitempty"`
	RefreshToken   string          `json:"refreshToken,omitempty"`
	RawIDToken     string          `json:"rawIdToken,omitempty"`
}
User holds user data for non public APIs (backend and hooks). Before exposing a User publicly, always call User.ToPublic().
XXX: Keep in sync with the TS side (wellKnownClaimField, type User, type WunderGraphUser)
func UserFromContext ¶
func (*User) HasExpired ¶ added in v0.159.0
HasExpired returns true iff the user has expired, as configured by the authentication hooks (via User.Expires).
func (*User) Load ¶
func (u *User) Load(loader *UserLoader, w http.ResponseWriter, r *http.Request) error
func (*User) Save ¶
func (u *User) Save(s *securecookie.SecureCookie, w http.ResponseWriter, r *http.Request, insecureCookies bool) error
func (*User) ToPublic ¶ added in v0.132.0
ToPublic returns a copy of the User with fields not intended for public consumption erased. If publicClaims is non-empty, only the fields listed in it are included. Each public claim must be either a well-known claim (as in the WG_CLAIM enum) or a JSON path to a custom claim.
type UserHandler ¶ added in v0.126.0
// UserHandler serves the current user to API clients (see ServeHTTP).
type UserHandler struct {
	Log *zap.Logger
	// Host — what it is compared against is not shown on this page.
	Host            string
	InsecureCookies bool
	Hooks           Hooks
	Cookie          *securecookie.SecureCookie
	// PublicClaims presumably is the publicClaims argument handed to
	// User.ToPublic before the user is written to the response — confirm.
	PublicClaims []string
}
func (*UserHandler) ServeHTTP ¶ added in v0.126.0
func (u *UserHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type UserLoadConfig ¶
// UserLoadConfig holds the key set used to verify bearer tokens; Keyfunc
// adapts it for the jwt parser. Its fields are populated elsewhere.
type UserLoadConfig struct {
// contains filtered or unexported fields
}
func (*UserLoadConfig) Keyfunc ¶ added in v0.128.0
func (cfg *UserLoadConfig) Keyfunc() jwt.Keyfunc
Keyfunc returns a function for retrieving a token key from the UserLoadConfig's key set if there are any keys. Otherwise, it returns nil. Callers must check for nil before handing the result to a JWT parser; a nil Keyfunc means no key is available, and token verification must fail closed rather than be skipped.
type UserLoader ¶
// UserLoader is the collaborator User.Load reads from; its construction and
// fields are not shown on this page.
type UserLoader struct {
// contains filtered or unexported fields
}
type UserLogoutHandler ¶
// UserLogoutHandler ends the session (see ServeHTTP). It holds the provider
// set so the OIDC provider's Disconnect can run and its PostLogout hook.
type UserLogoutHandler struct {
	InsecureCookies bool
	OpenIDProviders *OpenIDConnectProviderSet
	Hooks           Hooks
	Log             *zap.Logger
}
func (*UserLogoutHandler) ServeHTTP ¶
func (u *UserLogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)