auth

package
v0.6.0
Warning

This package is not in the latest version of its module.

Published: Apr 4, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package auth provides authentication context types and goAuth provider integration.

Constants

This section is empty.

Variables

var (
	// ErrUnauthenticated signals missing or invalid authentication context.
	ErrUnauthenticated = errors.New("unauthenticated")
	// ErrForbidden signals authenticated access without sufficient authorization.
	ErrForbidden = errors.New("forbidden")
)

Functions

func NewGoAuthEngine

func NewGoAuthEngine(redisClient redis.UniversalClient, mode Mode, userProvider goauth.UserProvider) (*goauth.Engine, func(), error)

NewGoAuthEngine builds a goAuth engine backed by Redis and a SQLC user provider.

Usage:

engine, shutdown, err := auth.NewGoAuthEngine(redisClient, mode, userProvider)

Notes:

- redisClient must be non-nil
- shutdown should be called during application shutdown
- AUTH_TEST_* variables are honored for deterministic local perf scenarios

func WithContext

func WithContext(ctx context.Context, principal AuthContext) context.Context

WithContext stores AuthContext on a request context.

Types

type AuthContext

type AuthContext struct {
	// UserID is the canonical authenticated user identifier.
	UserID string `json:"user_id"`
	// TenantID is the tenant scope resolved by the auth provider.
	TenantID string `json:"tenant_id,omitempty"`
	// Role is the resolved role name for RBAC checks.
	Role string `json:"role,omitempty"`
	// Permissions is the resolved permission set for RBAC checks.
	Permissions []string `json:"permissions,omitempty"`
}

AuthContext represents authenticated principal data attached to request context.

func FromContext

func FromContext(ctx context.Context) (AuthContext, bool)

FromContext reads AuthContext from request context.
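A fail-closed authorization check built on AuthContext, FromContext and the two sentinel errors, as an added example that is not code from this package. The types and the WithContext/FromContext bodies are local stand-ins so it runs offline; the context key type, the Authorize helper and the sample principal are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Local stand-ins that mirror the documented API so the example runs offline.
var ErrUnauthenticated, ErrForbidden = errors.New("unauthenticated"), errors.New("forbidden")

type AuthContext struct {
	UserID, TenantID, Role string
	Permissions            []string
}

type ctxKey struct{} // assumed key type; unexported, so only this package can read or write the value

func WithContext(ctx context.Context, p AuthContext) context.Context {
	return context.WithValue(ctx, ctxKey{}, p)
}
func FromContext(ctx context.Context) (AuthContext, bool) {
	p, ok := ctx.Value(ctxKey{}).(AuthContext)
	return p, ok
}

// Authorize (hypothetical helper) fails closed: a missing principal or empty UserID
// is unauthenticated; a tenant mismatch or missing permission is forbidden.
func Authorize(ctx context.Context, tenantID, perm string) error {
	p, ok := FromContext(ctx)
	if !ok || p.UserID == "" {
		return ErrUnauthenticated
	}
	if p.TenantID != tenantID {
		return fmt.Errorf("tenant %q: %w", tenantID, ErrForbidden)
	}
	for _, have := range p.Permissions {
		if have == perm {
			return nil
		}
	}
	return fmt.Errorf("permission %q: %w", perm, ErrForbidden)
}

func main() {
	// Constructed principal, not data from the page.
	ctx := WithContext(context.Background(), AuthContext{UserID: "u1", TenantID: "t1", Permissions: []string{"orders:read"}})
	fmt.Println(Authorize(ctx, "t1", "orders:read"), Authorize(ctx, "t2", "orders:read"))
}
```

Callers should compare results with errors.Is, since the forbidden cases wrap the sentinel with detail.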

type Mode

type Mode string

Mode selects auth validation strictness.

const (
	// ModeJWTOnly validates only JWT claims and signature.
	ModeJWTOnly Mode = "jwt_only"
	// ModeHybrid prefers strict checks but can fall back when dependencies fail.
	ModeHybrid Mode = "hybrid"
	// ModeStrict requires backing session checks for revocation-aware auth.
	ModeStrict Mode = "strict"
)

func ParseMode

func ParseMode(mode string) (Mode, error)

ParseMode normalizes mode input into a supported auth Mode value.

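Empty values default to ModeHybrid to keep startup behavior predictable. Because ModeHybrid can fall back when dependencies fail, deployments that need revocation-aware checks should set ModeStrict explicitly rather than rely on the default.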

type SQLCUserProvider

type SQLCUserProvider struct {
	// contains filtered or unexported fields
}

SQLCUserProvider is the DB-backed UserProvider for goAuth. Generated by authgen — do not edit manually.

func NewSQLCUserProvider

func NewSQLCUserProvider(queries *sqlcgen.Queries) *SQLCUserProvider

NewSQLCUserProvider creates a DB-backed user provider.

func (*SQLCUserProvider) ConsumeBackupCode

func (p *SQLCUserProvider) ConsumeBackupCode(_ context.Context, _ string, _ [32]byte) (bool, error)

ConsumeBackupCode is a stub until backup-code persistence is implemented.

func (*SQLCUserProvider) CreateUser

CreateUser inserts a new auth user record.

func (*SQLCUserProvider) DisableTOTP

func (p *SQLCUserProvider) DisableTOTP(_ context.Context, _ string) error

DisableTOTP is a stub until MFA persistence is implemented.

func (*SQLCUserProvider) EnableTOTP

func (p *SQLCUserProvider) EnableTOTP(_ context.Context, _ string, _ []byte) error

EnableTOTP is a stub until MFA persistence is implemented.

func (*SQLCUserProvider) GetBackupCodes

func (p *SQLCUserProvider) GetBackupCodes(_ context.Context, _ string) ([]goauth.BackupCodeRecord, error)

Backup code stubs — implement when MFA is needed.

func (*SQLCUserProvider) GetTOTPSecret

func (p *SQLCUserProvider) GetTOTPSecret(_ context.Context, _ string) (*goauth.TOTPRecord, error)

TOTP stubs — implement when MFA is needed.

func (*SQLCUserProvider) GetUserByID

func (p *SQLCUserProvider) GetUserByID(userID string) (goauth.UserRecord, error)

GetUserByID looks up a user by canonical user id.

func (*SQLCUserProvider) GetUserByIdentifier

func (p *SQLCUserProvider) GetUserByIdentifier(identifier string) (goauth.UserRecord, error)

GetUserByIdentifier looks up a user by login identifier.

func (*SQLCUserProvider) MarkTOTPVerified

func (p *SQLCUserProvider) MarkTOTPVerified(_ context.Context, _ string) error

MarkTOTPVerified is a stub until MFA persistence is implemented.

func (*SQLCUserProvider) ReplaceBackupCodes

func (p *SQLCUserProvider) ReplaceBackupCodes(_ context.Context, _ string, _ []goauth.BackupCodeRecord) error

ReplaceBackupCodes is a stub until backup-code persistence is implemented.

func (*SQLCUserProvider) UpdateAccountStatus

func (p *SQLCUserProvider) UpdateAccountStatus(ctx context.Context, userID string, status goauth.AccountStatus) (goauth.UserRecord, error)

UpdateAccountStatus updates account status and returns latest user record.

func (*SQLCUserProvider) UpdatePasswordHash

func (p *SQLCUserProvider) UpdatePasswordHash(userID string, newHash string) error

UpdatePasswordHash persists a new password hash for the given user.

func (*SQLCUserProvider) UpdateTOTPLastUsedCounter

func (p *SQLCUserProvider) UpdateTOTPLastUsedCounter(_ context.Context, _ string, _ int64) error

UpdateTOTPLastUsedCounter is a stub until MFA persistence is implemented.
