internal

package
v0.0.0-...-0014def Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 7, 2025 License: Apache-2.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// SessionCookieName is the name of the session cookie.
	SessionCookieName = "LUCISID"

	// UnlimitedCookiePath is a path to set the cookie on by default.
	UnlimitedCookiePath = "/"

	// LimitedCookiePath is a path to set the cookie on when limiting exposure.
	LimitedCookiePath = "/auth/openid/"
)

Variables

This section is empty.

Functions

func DecryptPrivate

func DecryptPrivate(aead tink.AEAD, enc []byte) (*sessionpb.Private, error)

DecryptPrivate decrypts and deserializes sessionpb.Private proto.

func DecryptSessionCookie

func DecryptSessionCookie(aead tink.AEAD, c *http.Cookie) (*encryptedcookiespb.SessionCookie, error)

DecryptSessionCookie decrypts the encrypted session cookie.

func DecryptStateB64

func DecryptStateB64(aead tink.AEAD, enc string) (*encryptedcookiespb.OpenIDState, error)

DecryptStateB64 decrypts and deserializes `state` used in OpneID protocol.

func DeriveCodeChallenge

func DeriveCodeChallenge(codeVerifier string) string

DeriveCodeChallenge derives code_challenge from the code_verifier.

func EncryptPrivate

func EncryptPrivate(aead tink.AEAD, private *sessionpb.Private) ([]byte, error)

EncryptPrivate serializes and encrypts sessionpb.Private proto.

func EncryptSessionCookie

func EncryptSessionCookie(aead tink.AEAD, pb *encryptedcookiespb.SessionCookie) (*http.Cookie, error)

EncryptSessionCookie produces the session cookie with prepopulated fields.

The caller still needs to fill in at least `Path` field.

func EncryptStateB64

func EncryptStateB64(aead tink.AEAD, state *encryptedcookiespb.OpenIDState) (string, error)

EncryptStateB64 serializes and encrypts `state` used in OpenID protocol.

func GenerateCodeVerifier

func GenerateCodeVerifier() string

GenerateCodeVerifier generates a random string used as a code_verifier in the PKCE protocol.

See https://tools.ietf.org/html/rfc7636.

func GenerateNonce

func GenerateNonce() []byte

GenerateNonce generates a new random string.

func HitRevocationEndpoint

func HitRevocationEndpoint(ctx context.Context, doc *openid.DiscoveryDoc, params map[string]string) error

HitRevocationEndpoint sends a request to the OpenID provider's revocation endpoint.

Returns nil if the token was successfully revoked or it is already invalid.

func HitTokenEndpoint

func HitTokenEndpoint(ctx context.Context, doc *openid.DiscoveryDoc, params map[string]string) (*sessionpb.Private, time.Time, error)

HitTokenEndpoint sends a request to the OpenID provider's token endpoint.

Returns the produced tokens and their expiry time. Tags errors as transient if necessary.

func MakeRedirectURL

func MakeRedirectURL(base, dest string) (string, error)

MakeRedirectURL is used to generate login and logout URLs.

func NewSessionCookie

func NewSessionCookie(id session.ID) (*encryptedcookiespb.SessionCookie, tink.AEAD)

NewSessionCookie generates a new session cookie (in a clear text form).

Generates the per-session encryption key and puts it into the produced cookie. Returns the AEAD primitive that can be used to encrypt things using the new per-session key.

func NormalizeURL

func NormalizeURL(dest string) (string, error)

NormalizeURL verifies URL is parsable and that it is relative.

func RegisterStoreImpl

func RegisterStoreImpl(impl StoreImpl)

RegisterStoreImpl registers an available store implementation.

Called during init() time by packages that implements stores.

func RemoveCookie

func RemoveCookie(rw http.ResponseWriter, r *http.Request, cookie, path string)

RemoveCookie sets a cookie to a past expiration date so that the browser can remove it.

It also replaces the value with junk, in unlikely case the browser decides to ignore the expiration time.

func ShouldRefreshSession

func ShouldRefreshSession(ctx context.Context, ttl time.Duration) bool

ShouldRefreshSession returns true if we should refresh the session now.

The decision in based on `ttl`, which is a duration till the hard session staleness deadline. We attempt to refresh the session sooner.

func UnsealPrivate

UnsealPrivate decrypts the private part of the session using the key from the cookie.

Returns the instantiated per-session AEAD primitive.

Types

type EndpointError

type EndpointError struct {
	Code        string `json:"error"`             // e.g. invalid_grant
	Description string `json:"error_description"` // human readable text
}

EndpointError is returned on recognized error responses.

If the provider replies with some gibberish, some generic error will be returned instead.

func (*EndpointError) Error

func (ee *EndpointError) Error() string

Error makes EndpointError implement `error` interface.

type StoreImpl

type StoreImpl struct {
	ID      string
	Factory func(ctx context.Context, namespace string) (session.Store, error)
	Deps    []module.Dependency
}

StoreImpl represents a factory for producing session.Store.

func StoreImpls

func StoreImpls() []StoreImpl

StoreImpls returns registered store implementations.

Directories

Path Synopsis
Package fakecookies implements a cookie-based fake authentication method.
Package fakecookies implements a cookie-based fake authentication method.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL