token

package
v0.1.3

This package is not in the latest version of its module.
Published: May 9, 2026 License: MIT Imports: 21 Imported by: 0

Documentation

Overview

Package token provides JWT claims and token handling for registry authentication.

Index

Constants

const (
	AuthMethodOAuth       = "oauth"
	AuthMethodAppPassword = "app_password"
)

Auth method constants: the values carried in the Claims auth_method claim.

Variables

This section is empty.

Functions

func ExtractAccess

func ExtractAccess(tokenString string) []auth.AccessEntry

ExtractAccess parses a JWT token string and extracts the access entries (scopes). It returns nil if the claim is absent or the token cannot be parsed. This does NOT validate the token: it only decodes the payload to read the claim, so the returned entries are untrusted input until the token's signature and registered claims have been verified, and must not drive an authorization decision on their own.

func ExtractAuthMethod

func ExtractAuthMethod(tokenString string) string

ExtractAuthMethod parses a JWT token string and extracts the auth_method claim. It returns the auth method, or the empty string if the claim is absent or the token cannot be parsed. Like ExtractAccess, this does NOT validate the token; it only decodes the payload to read the claim.

func ExtractSubject

func ExtractSubject(tokenString string) string

ExtractSubject parses a JWT token string and extracts the Subject claim (the user's DID). It returns the subject, or the empty string if the claim is absent or the token cannot be parsed. Like ExtractAccess, this does NOT validate the token; it only decodes the payload to read the claim, so the subject is unauthenticated until the token has been verified.

func HasPushScope

func HasPushScope(access []auth.AccessEntry) bool

HasPushScope reports whether any access entry contains a "push" action.
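The Handler below serves /auth/token, and Claims follows the Docker Registry token specification, in which a client asks for access through repeated scope= query parameters of the form type:name:action,action (for example repository:alice/app:pull,push). The following is an added example, not code from this package: a standard-library parser for those parameters into access entries, an equivalent of HasPushScope, and the server-side intersection of the requested scope with what the authenticated subject actually holds, which is the step that stops a client-supplied push request from turning into a push grant. The AccessEntry shape (the page does not show auth.AccessEntry), the split rule for names that themselves contain ":" (a host:port prefix), and the allowed-actions policy map are all assumptions of the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AccessEntry follows the Docker Registry token "access" claim. The page does
// not show auth.AccessEntry, so this shape is an assumption of the example.
type AccessEntry struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}

// parseScopes turns the repeated scope= parameters of a /auth/token request
// ("repository:alice/app:pull,push") into access entries. A resource name may
// itself contain ":" (e.g. "localhost:5000/app"), so the type is the first
// field, the actions the last, and everything in between is the name.
func parseScopes(query url.Values) ([]AccessEntry, error) {
	var out []AccessEntry
	for _, s := range query["scope"] {
		parts := strings.Split(s, ":")
		if len(parts) < 3 {
			return nil, fmt.Errorf("malformed scope %q", s)
		}
		entry := AccessEntry{Type: parts[0], Name: strings.Join(parts[1:len(parts)-1], ":")}
		for _, a := range strings.Split(parts[len(parts)-1], ",") {
			if a = strings.TrimSpace(a); a != "" {
				entry.Actions = append(entry.Actions, a)
			}
		}
		if entry.Type == "" || entry.Name == "" || len(entry.Actions) == 0 {
			return nil, fmt.Errorf("malformed scope %q", s)
		}
		out = append(out, entry)
	}
	return out, nil
}

// hasPushScope does what the page's HasPushScope documents: true if any entry
// carries a "push" action.
func hasPushScope(access []AccessEntry) bool {
	for _, e := range access {
		for _, a := range e.Actions {
			if a == "push" {
				return true
			}
		}
	}
	return false
}

// grantedAccess is the step that matters on the server: the requested scope is
// client input, so it is intersected with what the authenticated subject holds.
// allowed maps "type:name" to permitted actions ("*" permits any); a requested
// action survives only if permitted. The policy shape is an assumed example.
func grantedAccess(requested []AccessEntry, allowed map[string][]string) []AccessEntry {
	var out []AccessEntry
	for _, req := range requested {
		permitted := allowed[req.Type+":"+req.Name]
		var actions []string
		for _, a := range req.Actions {
			for _, p := range permitted {
				if a == p || p == "*" {
					actions = append(actions, a)
					break
				}
			}
		}
		if len(actions) > 0 {
			out = append(out, AccessEntry{Type: req.Type, Name: req.Name, Actions: actions})
		}
	}
	return out
}

func main() {
	// Constructed request: the client asks for push on a repository it may only pull.
	q, _ := url.ParseQuery("service=registry&scope=repository:alice/app:pull,push&scope=repository:bob/app:pull,push")
	requested, err := parseScopes(q)
	if err != nil {
		panic(err)
	}
	allowed := map[string][]string{"repository:alice/app": {"pull", "push"}, "repository:bob/app": {"pull"}}
	granted := grantedAccess(requested, allowed)
	fmt.Printf("requested: %+v\ngranted:   %+v\n", requested, granted)
}
```

The granted slice is what belongs in the issued token's access claim; HasPushScope over the requested entries only tells you what the client asked for.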

Types

type AuthErrorResponse

type AuthErrorResponse struct {
	Error    string `json:"error"`
	Message  string `json:"message"`
	LoginURL string `json:"login_url,omitempty"`
}

AuthErrorResponse is returned when authentication fails in a way the credential helper can handle.

type Claims

type Claims struct {
	jwt.RegisteredClaims
	Access     []auth.AccessEntry `json:"access,omitempty"`
	AuthMethod string             `json:"auth_method,omitempty"` // "oauth" or "app_password"
}

Claims represents the JWT claims for registry authentication. This follows the Docker Registry token specification.

func NewClaims

func NewClaims(subject, issuer, audience string, expiration time.Duration, access []auth.AccessEntry, authMethod string) *Claims

NewClaims creates a new Claims structure with the standard fields populated.

type Handler

type Handler struct {
	// contains filtered or unexported fields
}

Handler handles /auth/token requests.

func NewHandler

func NewHandler(issuer *Issuer, deviceStore *db.DeviceStore) *Handler

NewHandler creates a new token handler.

func (*Handler) ServeHTTP

func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP handles the token request.

func (*Handler) SetOAuthSessionValidator

func (h *Handler) SetOAuthSessionValidator(validator OAuthSessionValidator)

SetOAuthSessionValidator sets the OAuth session validator used for device auth. When set, the handler validates that the OAuth session is usable before issuing tokens for device auth. This prevents the flood of errors that otherwise occurs when a stale session is only discovered during push.

func (*Handler) SetPostAuthCallback

func (h *Handler) SetPostAuthCallback(callback PostAuthCallback)

SetPostAuthCallback sets the callback invoked after successful Basic Auth authentication. This allows AppView to inject business logic without coupling the token package to it.

type Issuer

type Issuer struct {
	// contains filtered or unexported fields
}

Issuer handles JWT token creation and signing.

func NewIssuer

func NewIssuer(privateKeyPath, issuer, service string, expiration time.Duration) (*Issuer, error)

NewIssuer creates a new JWT issuer, loading the signing key from privateKeyPath.

func NewIssuerFromKey

func NewIssuerFromKey(privateKey *rsa.PrivateKey, certDER []byte, issuer, service string, expiration time.Duration) *Issuer

NewIssuerFromKey creates a JWT issuer from pre-loaded key material. certDER is the DER-encoded X.509 certificate for the x5c JWT header.

func (*Issuer) Expiration

func (i *Issuer) Expiration() time.Duration

Expiration returns the token expiration duration.

func (*Issuer) Issue

func (i *Issuer) Issue(subject string, access []auth.AccessEntry, authMethod string) (string, error)

Issue creates and signs a new JWT token for subject with the given access entries and auth method.

func (*Issuer) PublicKey

func (i *Issuer) PublicKey() *rsa.PublicKey

PublicKey returns the public key for token verification.
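The Extract* functions earlier on this page decode the payload without checking the signature, while Issue and PublicKey are the signing and verification sides of the same token. The following is an added example, not code from this package, that puts the two together using only the standard library: an RS256 signer modelled on Issue, an unverified payload decode modelled on ExtractSubject, a verifier that uses the issuer's public key, and a forged token that the unverified decode accepts but the verifier rejects. The claims struct mirrors the page's Claims without the access list; the RS256 choice (the page exposes an RSA key but does not name the algorithm), the issuer and audience strings, and the DIDs are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// claims mirrors the page's Claims: registered claims plus auth_method (access omitted here).
type claims struct {
	Issuer     string `json:"iss"`
	Subject    string `json:"sub"`
	Audience   string `json:"aud"`
	ExpiresAt  int64  `json:"exp"`
	AuthMethod string `json:"auth_method,omitempty"`
}

var b64 = base64.RawURLEncoding

// issue signs the claims as an RS256 JWT (PKCS#1 v1.5 over SHA-256); RS256 is assumed, not stated by the page.
func issue(key *rsa.PrivateKey, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // cannot fail for this struct
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// decodePayload is what ExtractSubject does: read the payload without checking
// the signature. Whatever it returns is attacker-controlled until verify has run.
func decodePayload(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// verify is the check the Extract* functions skip: pin alg to RS256, check the
// signature with the issuer's public key (PublicKey on the page), then iss, aud and exp.
func verify(pub *rsa.PublicKey, token, iss, aud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if err1 != nil || err2 != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header or signature unreadable, or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	c, err := decodePayload(token)
	if err != nil {
		return nil, err
	}
	if c.Issuer != iss || c.Audience != aud || !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, fmt.Errorf("issuer, audience or expiry check failed")
	}
	return c, nil
}

// forgeSubject keeps a genuine signature but rewrites the payload's sub claim.
// decodePayload reports the new subject; verify rejects the token.
func forgeSubject(token, subject string) string {
	parts := strings.Split(token, ".")
	c, _ := decodePayload(token) // token is assumed well-formed here
	c.Subject = subject
	body, _ := json.Marshal(c)
	return parts[0] + "." + b64.EncodeToString(body) + "." + parts[2]
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tok, _ := issue(key, claims{Issuer: "registry-auth", Subject: "did:plc:alice", Audience: "registry",
		ExpiresAt: time.Now().Add(5 * time.Minute).Unix(), AuthMethod: "oauth"})
	forged := forgeSubject(tok, "did:plc:mallory")
	c, _ := decodePayload(forged)
	fmt.Println("unverified subject:", c.Subject) // the bare parse reports did:plc:mallory
	_, err = verify(&key.PublicKey, forged, "registry-auth", "registry", time.Now())
	fmt.Println("verify(forged):", err)
}
```

Pinning the algorithm before verifying matters as much as the signature check itself: a verifier that honours whatever alg the header names can be steered to "none" or to an HMAC keyed with the public key. The registered-claim checks come after the signature check so that an unsigned payload is never consulted for anything.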

type OAuthSessionValidator

type OAuthSessionValidator interface {
	// ValidateSession checks whether the OAuth session for did is usable by
	// attempting to load or refresh it. It returns nil if the session is valid
	// and an error if it is invalid, expired or needs re-authentication.
	ValidateSession(ctx context.Context, did string) error
}

OAuthSessionValidator validates OAuth sessions before tokens are issued. The interface lets the token handler verify that an OAuth session is usable (not merely that it exists) without depending directly on the OAuth implementation.

type PostAuthCallback

type PostAuthCallback func(ctx context.Context, did, handle, pdsEndpoint, accessToken string) error

PostAuthCallback is called after successful Basic Auth authentication with the authenticated user's did, handle, pdsEndpoint and accessToken. It allows AppView to perform business logic (profile creation, etc.) without coupling the token package to AppView-specific dependencies.

type TokenResponse

type TokenResponse struct {
	Token       string `json:"token,omitempty"`        // Legacy field
	AccessToken string `json:"access_token,omitempty"` // Standard field
	ExpiresIn   int    `json:"expires_in,omitempty"`
	IssuedAt    string `json:"issued_at,omitempty"`
}

TokenResponse represents the response from /auth/token. Token is the legacy field and AccessToken the standard one; clients should accept either.
