Documentation
Overview
Package auth provides authentication context types and goAuth provider integration.
Index
- Variables
- func NewGoAuthEngine(redisClient redis.UniversalClient, mode Mode, userProvider goauth.UserProvider) (*goauth.Engine, func(), error)
- func WithContext(ctx context.Context, principal AuthContext) context.Context
- type AuthContext
- type CreateStoredUserInput
- type Mode
- type StoreUserProvider
- func (p *StoreUserProvider) ConsumeBackupCode(_ context.Context, _ string, _ [32]byte) (bool, error)
- func (p *StoreUserProvider) CreateUser(ctx context.Context, input goauth.CreateUserInput) (goauth.UserRecord, error)
- func (p *StoreUserProvider) DisableTOTP(_ context.Context, _ string) error
- func (p *StoreUserProvider) EnableTOTP(_ context.Context, _ string, _ []byte) error
- func (p *StoreUserProvider) GetBackupCodes(_ context.Context, _ string) ([]goauth.BackupCodeRecord, error)
- func (p *StoreUserProvider) GetTOTPSecret(_ context.Context, _ string) (*goauth.TOTPRecord, error)
- func (p *StoreUserProvider) GetUserByID(userID string) (goauth.UserRecord, error)
- func (p *StoreUserProvider) GetUserByIdentifier(identifier string) (goauth.UserRecord, error)
- func (p *StoreUserProvider) MarkTOTPVerified(_ context.Context, _ string) error
- func (p *StoreUserProvider) ReplaceBackupCodes(_ context.Context, _ string, _ []goauth.BackupCodeRecord) error
- func (p *StoreUserProvider) UpdateAccountStatus(ctx context.Context, userID string, status goauth.AccountStatus) (goauth.UserRecord, error)
- func (p *StoreUserProvider) UpdatePasswordHash(userID string, newHash string) error
- func (p *StoreUserProvider) UpdateTOTPLastUsedCounter(_ context.Context, _ string, _ int64) error
- type StoredUser
- type UserRepository
Constants
This section is empty.
Variables
var (
	// ErrUnauthenticated signals missing or invalid authentication context.
	ErrUnauthenticated = errors.New("unauthenticated")
	// ErrForbidden signals authenticated access without sufficient authorization.
	ErrForbidden = errors.New("forbidden")
)
var ErrAuthUserNotFound = errors.New("auth user not found")
Functions
func NewGoAuthEngine
func NewGoAuthEngine(redisClient redis.UniversalClient, mode Mode, userProvider goauth.UserProvider) (*goauth.Engine, func(), error)
NewGoAuthEngine builds a goAuth engine backed by Redis and an SQLC user provider.
Usage:
engine, shutdown, err := auth.NewGoAuthEngine(redisClient, mode, userProvider)
Notes:
- redisClient must be non-nil
- shutdown should be called during application shutdown
- AUTH_TEST_* variables are honored for deterministic local perf scenarios
func WithContext
func WithContext(ctx context.Context, principal AuthContext) context.Context
WithContext stores AuthContext on a request context.
Types
type AuthContext
type AuthContext struct {
// UserID is the canonical authenticated user identifier.
UserID string `json:"user_id"`
// TenantID is the tenant scope resolved by the auth provider.
TenantID string `json:"tenant_id,omitempty"`
// Role is the resolved role name for RBAC checks.
Role string `json:"role,omitempty"`
// Permissions is the resolved permission set for RBAC checks.
Permissions []string `json:"permissions,omitempty"`
}
AuthContext represents authenticated principal data attached to request context.
func FromContext
func FromContext(ctx context.Context) (AuthContext, bool)
FromContext reads AuthContext from request context.
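A worked example of the context round-trip and of how the package's two sentinel errors divide between "no principal" and "principal without authorization". This is added example code, not code from the auth package: AuthContext, WithContext, FromContext, ErrUnauthenticated and ErrForbidden are re-declared from the documented signatures so the example compiles stand-alone; the unexported context key type is an assumed implementation detail (the page does not show the package's key), and RequirePermission and HTTPStatus are hypothetical helpers that show how a handler would consume the API.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Re-declared from the package's documented API so the example runs without
// importing the project; names, tags and messages match the page.
var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrForbidden       = errors.New("forbidden")
)

type AuthContext struct {
	UserID      string   `json:"user_id"`
	TenantID    string   `json:"tenant_id,omitempty"`
	Role        string   `json:"role,omitempty"`
	Permissions []string `json:"permissions,omitempty"`
}

// ctxKey is an unexported key type (assumed; the page does not show the real
// one). Code outside the package cannot construct it, so nothing can plant a
// principal under a colliding string key such as "auth" and have it read back.
type ctxKey struct{}

// WithContext stores the principal on the request context.
func WithContext(ctx context.Context, principal AuthContext) context.Context {
	return context.WithValue(ctx, ctxKey{}, principal)
}

// FromContext reads it back; ok is false when no middleware attached one.
func FromContext(ctx context.Context) (AuthContext, bool) {
	p, ok := ctx.Value(ctxKey{}).(AuthContext)
	return p, ok
}

// RequirePermission is a hypothetical helper (not part of the package). It shows
// the intended split: a missing or empty principal is ErrUnauthenticated; an
// authenticated principal that lacks the permission, or belongs to a different
// tenant than the resource, is ErrForbidden.
func RequirePermission(ctx context.Context, tenantID, perm string) (AuthContext, error) {
	p, ok := FromContext(ctx)
	if !ok || p.UserID == "" {
		return AuthContext{}, ErrUnauthenticated
	}
	if p.TenantID != tenantID {
		// Tenant mismatch fails closed before any permission is consulted.
		return AuthContext{}, ErrForbidden
	}
	for _, have := range p.Permissions {
		if have == perm {
			return p, nil
		}
	}
	return AuthContext{}, ErrForbidden
}

// HTTPStatus maps the sentinel errors to response codes. Unknown errors stay
// 500 so an unexpected failure is never reported as a policy decision.
func HTTPStatus(err error) int {
	switch {
	case err == nil:
		return 200
	case errors.Is(err, ErrUnauthenticated):
		return 401
	case errors.Is(err, ErrForbidden):
		return 403
	default:
		return 500
	}
}

func main() {
	// Constructed sample principal, as auth middleware would attach it.
	ctx := WithContext(context.Background(), AuthContext{
		UserID: "u-1001", TenantID: "tenant-a", Role: "analyst",
		Permissions: []string{"orders:read"},
	})
	cases := []struct {
		ctx          context.Context
		tenant, perm string
	}{
		{context.Background(), "tenant-a", "orders:read"}, // no principal -> 401
		{ctx, "tenant-a", "orders:read"},                   // allowed -> 200
		{ctx, "tenant-a", "orders:write"},                  // missing permission -> 403
		{ctx, "tenant-b", "orders:read"},                   // cross-tenant -> 403
	}
	for _, c := range cases {
		_, err := RequirePermission(c.ctx, c.tenant, c.perm)
		fmt.Printf("%-9s %-12s -> %d %v\n", c.tenant, c.perm, HTTPStatus(err), err)
	}
}
```

The empty-UserID check matters because a zero-value AuthContext stored by a buggy middleware would otherwise pass the `ok` test and reach the permission loop; treating it as unauthenticated keeps the 401/403 distinction honest.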
type CreateStoredUserInput added in v0.7.0
type CreateStoredUserInput struct {
Identifier string
PasswordHash string
Role string
Status string
}
CreateStoredUserInput is the repository input model for creating auth users.
type StoreUserProvider added in v0.7.0
type StoreUserProvider struct {
// contains filtered or unexported fields
}
StoreUserProvider is the DB-backed UserProvider for goAuth. It depends on a domain repository, not backend query objects.
func NewStoreUserProvider added in v0.7.0
func NewStoreUserProvider(repo UserRepository) *StoreUserProvider
NewStoreUserProvider creates a store-backed user provider.
func (*StoreUserProvider) ConsumeBackupCode added in v0.7.0
func (p *StoreUserProvider) ConsumeBackupCode(_ context.Context, _ string, _ [32]byte) (bool, error)
ConsumeBackupCode is a stub until backup-code persistence is implemented.
func (*StoreUserProvider) CreateUser added in v0.7.0
func (p *StoreUserProvider) CreateUser(ctx context.Context, input goauth.CreateUserInput) (goauth.UserRecord, error)
CreateUser inserts a new auth user record.
func (*StoreUserProvider) DisableTOTP added in v0.7.0
func (p *StoreUserProvider) DisableTOTP(_ context.Context, _ string) error
DisableTOTP is a stub until MFA persistence is implemented.
func (*StoreUserProvider) EnableTOTP added in v0.7.0
func (p *StoreUserProvider) EnableTOTP(_ context.Context, _ string, _ []byte) error
EnableTOTP is a stub until MFA persistence is implemented.
func (*StoreUserProvider) GetBackupCodes added in v0.7.0
func (p *StoreUserProvider) GetBackupCodes(_ context.Context, _ string) ([]goauth.BackupCodeRecord, error)
Backup code stubs — implement when MFA is needed.
func (*StoreUserProvider) GetTOTPSecret added in v0.7.0
func (p *StoreUserProvider) GetTOTPSecret(_ context.Context, _ string) (*goauth.TOTPRecord, error)
TOTP stubs — implement when MFA is needed.
func (*StoreUserProvider) GetUserByID added in v0.7.0
func (p *StoreUserProvider) GetUserByID(userID string) (goauth.UserRecord, error)
GetUserByID looks up a user by canonical user id.
func (*StoreUserProvider) GetUserByIdentifier added in v0.7.0
func (p *StoreUserProvider) GetUserByIdentifier(identifier string) (goauth.UserRecord, error)
GetUserByIdentifier looks up a user by login identifier.
func (*StoreUserProvider) MarkTOTPVerified added in v0.7.0
func (p *StoreUserProvider) MarkTOTPVerified(_ context.Context, _ string) error
MarkTOTPVerified is a stub until MFA persistence is implemented.
func (*StoreUserProvider) ReplaceBackupCodes added in v0.7.0
func (p *StoreUserProvider) ReplaceBackupCodes(_ context.Context, _ string, _ []goauth.BackupCodeRecord) error
ReplaceBackupCodes is a stub until backup-code persistence is implemented.
func (*StoreUserProvider) UpdateAccountStatus added in v0.7.0
func (p *StoreUserProvider) UpdateAccountStatus(ctx context.Context, userID string, status goauth.AccountStatus) (goauth.UserRecord, error)
UpdateAccountStatus updates account status and returns latest user record.
func (*StoreUserProvider) UpdatePasswordHash added in v0.7.0
func (p *StoreUserProvider) UpdatePasswordHash(userID string, newHash string) error
UpdatePasswordHash persists a new password hash for the given user.
func (*StoreUserProvider) UpdateTOTPLastUsedCounter added in v0.7.0
func (p *StoreUserProvider) UpdateTOTPLastUsedCounter(_ context.Context, _ string, _ int64) error
UpdateTOTPLastUsedCounter is a stub until MFA persistence is implemented.
type StoredUser added in v0.7.0
StoredUser is the storage-layer projection used by the auth repository.
type UserRepository added in v0.7.0
type UserRepository interface {
GetByIdentifier(ctx context.Context, identifier string) (StoredUser, error)
GetByID(ctx context.Context, userID string) (StoredUser, error)
UpdatePasswordHash(ctx context.Context, userID, newHash string) error
Create(ctx context.Context, input CreateStoredUserInput) (StoredUser, error)
UpdateStatus(ctx context.Context, userID string, status string) (StoredUser, error)
}
UserRepository defines domain-level auth user persistence operations.
func NewRelationalUserRepository added in v0.7.0
func NewRelationalUserRepository(store storage.RelationalStore) UserRepository
NewRelationalUserRepository creates an auth repository over a relational store.
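Because StoreUserProvider depends on the UserRepository interface rather than on backend query objects, a test double that satisfies the interface is enough to exercise the provider without a database. The following in-memory repository is an added example, not code from the auth package: UserRepository, CreateStoredUserInput and ErrAuthUserNotFound are re-declared from the documented API, StoredUser's fields are assumed (the page names the type but does not list them), and MemoryUserRepository and ErrDuplicateIdentifier are hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strconv"
	"sync"
)

// Re-declared from the documented API so this runs stand-alone.
var ErrAuthUserNotFound = errors.New("auth user not found")

// ErrDuplicateIdentifier is hypothetical (not in the package); it keeps the
// identifier -> user mapping unique, which the lookups below rely on.
var ErrDuplicateIdentifier = errors.New("auth user identifier already exists")

// StoredUser's fields are an assumption; the page does not list them.
type StoredUser struct {
	ID, Identifier, PasswordHash, Role, Status string
}

type CreateStoredUserInput struct {
	Identifier, PasswordHash, Role, Status string
}

type UserRepository interface {
	GetByIdentifier(ctx context.Context, identifier string) (StoredUser, error)
	GetByID(ctx context.Context, userID string) (StoredUser, error)
	UpdatePasswordHash(ctx context.Context, userID, newHash string) error
	Create(ctx context.Context, input CreateStoredUserInput) (StoredUser, error)
	UpdateStatus(ctx context.Context, userID string, status string) (StoredUser, error)
}

// MemoryUserRepository is a hypothetical in-memory UserRepository, a test
// double for StoreUserProvider. It is not part of the package.
type MemoryUserRepository struct {
	mu      sync.Mutex
	nextID  int
	byID    map[string]StoredUser
	byIdent map[string]string // identifier -> user id
}

func NewMemoryUserRepository() *MemoryUserRepository {
	return &MemoryUserRepository{nextID: 1, byID: map[string]StoredUser{}, byIdent: map[string]string{}}
}

// Compile-time check that the double satisfies the domain interface.
var _ UserRepository = (*MemoryUserRepository)(nil)

func (r *MemoryUserRepository) Create(_ context.Context, in CreateStoredUserInput) (StoredUser, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if in.Identifier == "" || in.PasswordHash == "" {
		return StoredUser{}, errors.New("identifier and password hash are required")
	}
	if _, exists := r.byIdent[in.Identifier]; exists {
		return StoredUser{}, ErrDuplicateIdentifier
	}
	u := StoredUser{ID: strconv.Itoa(r.nextID), Identifier: in.Identifier,
		PasswordHash: in.PasswordHash, Role: in.Role, Status: in.Status}
	r.nextID++
	r.byID[u.ID] = u
	r.byIdent[u.Identifier] = u.ID
	return u, nil
}

func (r *MemoryUserRepository) GetByIdentifier(_ context.Context, identifier string) (StoredUser, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	id, ok := r.byIdent[identifier]
	if !ok {
		return StoredUser{}, ErrAuthUserNotFound
	}
	return r.byID[id], nil
}

// mutate applies fn to the stored record under the lock and returns the
// updated copy; every by-id operation funnels through it so the not-found
// sentinel is produced in exactly one place.
func (r *MemoryUserRepository) mutate(userID string, fn func(*StoredUser)) (StoredUser, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	u, ok := r.byID[userID]
	if !ok {
		return StoredUser{}, ErrAuthUserNotFound
	}
	fn(&u)
	r.byID[userID] = u
	return u, nil
}

func (r *MemoryUserRepository) GetByID(_ context.Context, userID string) (StoredUser, error) {
	return r.mutate(userID, func(*StoredUser) {})
}

func (r *MemoryUserRepository) UpdatePasswordHash(_ context.Context, userID, newHash string) error {
	_, err := r.mutate(userID, func(u *StoredUser) { u.PasswordHash = newHash })
	return err
}

func (r *MemoryUserRepository) UpdateStatus(_ context.Context, userID string, status string) (StoredUser, error) {
	return r.mutate(userID, func(u *StoredUser) { u.Status = status })
}

func main() {
	ctx := context.Background()
	repo := NewMemoryUserRepository()
	// Constructed sample input; the hash is a placeholder, not a real password digest.
	u, _ := repo.Create(ctx, CreateStoredUserInput{Identifier: "alice@example.test",
		PasswordHash: "$placeholder$hash", Role: "analyst", Status: "active"})
	fmt.Printf("created id=%s status=%s\n", u.ID, u.Status)
	disabled, _ := repo.UpdateStatus(ctx, u.ID, "disabled")
	fmt.Printf("status now %s\n", disabled.Status)
	_, err := repo.GetByIdentifier(ctx, "nobody@example.test")
	fmt.Println("unknown identifier -> ErrAuthUserNotFound:", errors.Is(err, ErrAuthUserNotFound))
}
```

Callers should compare against ErrAuthUserNotFound with errors.Is rather than matching the message, since the relational repository may wrap it. Separately, while the MFA methods above remain stubs, the safe shape for any stand-in is to report backup codes as never valid (ConsumeBackupCode returning false) so that an unimplemented path can never satisfy a second-factor challenge.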