auth

package
v0.7.0
Published: Apr 5, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package auth provides authentication context types and goAuth provider integration.

Index

Constants

This section is empty.

Variables

var (
	// ErrUnauthenticated signals missing or invalid authentication context.
	ErrUnauthenticated = errors.New("unauthenticated")
	// ErrForbidden signals authenticated access without sufficient authorization.
	ErrForbidden = errors.New("forbidden")
)
var ErrAuthUserNotFound = errors.New("auth user not found")

Functions

func NewGoAuthEngine

func NewGoAuthEngine(redisClient redis.UniversalClient, mode Mode, userProvider goauth.UserProvider) (*goauth.Engine, func(), error)

NewGoAuthEngine builds a goAuth engine backed by Redis (session state) and the supplied goauth.UserProvider, typically a StoreUserProvider over a SQLC-generated relational store. The returned shutdown function releases the engine's resources.

Usage:

engine, shutdown, err := auth.NewGoAuthEngine(redisClient, mode, userProvider)

Notes:

- redisClient must be non-nil.
- shutdown must be called during application shutdown so the engine releases its resources.
- AUTH_TEST_* environment variables are honored for deterministic local performance scenarios; they are test-only settings and should not be set in production deployments.

func WithContext

func WithContext(ctx context.Context, principal AuthContext) context.Context

WithContext stores AuthContext on a request context.

Types

type AuthContext

type AuthContext struct {
	// UserID is the canonical authenticated user identifier.
	UserID string `json:"user_id"`
	// TenantID is the tenant scope resolved by the auth provider.
	TenantID string `json:"tenant_id,omitempty"`
	// Role is the resolved role name for RBAC checks.
	Role string `json:"role,omitempty"`
	// Permissions is the resolved permission set for RBAC checks.
	Permissions []string `json:"permissions,omitempty"`
}

AuthContext represents authenticated principal data attached to request context.

func FromContext

func FromContext(ctx context.Context) (AuthContext, bool)

FromContext reads AuthContext from request context.
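The sentinel errors, WithContext and FromContext together define how a request handler distinguishes "no principal" from "principal without rights". The following is an added example, not code from the package: it copies the exported types from this page so it compiles stand-alone (the module import path is not shown), and the unexported ctxKey, RequirePermission and StatusFor are hypothetical helpers written here to show the deny-by-default pattern a handler should follow.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
)

// Sentinels and AuthContext are copied from the package surface documented on
// this page so the example compiles without importing the module.
var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrForbidden       = errors.New("forbidden")
)

type AuthContext struct {
	UserID      string   `json:"user_id"`
	TenantID    string   `json:"tenant_id,omitempty"`
	Role        string   `json:"role,omitempty"`
	Permissions []string `json:"permissions,omitempty"`
}

// ctxKey is an unexported key type: no other package can read or overwrite the
// principal by guessing a string key. The package's real key is not shown on
// the page; this is the conventional implementation (an assumption).
type ctxKey struct{}

func WithContext(ctx context.Context, principal AuthContext) context.Context {
	return context.WithValue(ctx, ctxKey{}, principal)
}

func FromContext(ctx context.Context) (AuthContext, bool) {
	principal, ok := ctx.Value(ctxKey{}).(AuthContext)
	return principal, ok
}

// RequirePermission is a hypothetical helper (not part of the package) showing
// how the two sentinels divide the decision. Deny is the default path: a
// missing principal, a tenant mismatch or an absent permission all fail.
func RequirePermission(ctx context.Context, tenantID, perm string) (AuthContext, error) {
	principal, ok := FromContext(ctx)
	if !ok || principal.UserID == "" {
		return AuthContext{}, ErrUnauthenticated
	}
	// Tenant scope is checked before permissions so a principal can never
	// exercise a permission it holds in another tenant.
	if tenantID != "" && principal.TenantID != tenantID {
		return AuthContext{}, fmt.Errorf("tenant %q: %w", tenantID, ErrForbidden)
	}
	for _, p := range principal.Permissions {
		if p == perm {
			return principal, nil
		}
	}
	return AuthContext{}, fmt.Errorf("permission %q: %w", perm, ErrForbidden)
}

// StatusFor maps the sentinels onto HTTP status codes with errors.Is, so
// wrapped errors still classify correctly; anything else is a server error.
func StatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrUnauthenticated):
		return http.StatusUnauthorized
	case errors.Is(err, ErrForbidden):
		return http.StatusForbidden
	default:
		return http.StatusInternalServerError
	}
}

func main() {
	// Constructed principal: one permission, scoped to tenant t1.
	ctx := WithContext(context.Background(), AuthContext{
		UserID: "user-1", TenantID: "t1", Role: "viewer", Permissions: []string{"orders:read"},
	})
	cases := []struct{ tenant, perm string }{{"t1", "orders:read"}, {"t1", "orders:write"}, {"t2", "orders:read"}}
	for _, c := range cases {
		_, err := RequirePermission(ctx, c.tenant, c.perm)
		fmt.Printf("%s %s -> %d (%v)\n", c.tenant, c.perm, StatusFor(err), err)
	}
	_, err := RequirePermission(context.Background(), "t1", "orders:read")
	fmt.Printf("no principal -> %d (%v)\n", StatusFor(err), err)
}
```

Wrapping the sentinels with %w keeps the diagnostic detail in logs while errors.Is still classifies the response; returning the raw sentinel to the client body is unnecessary and leaks which check failed.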

type CreateStoredUserInput added in v0.7.0

type CreateStoredUserInput struct {
	Identifier   string
	PasswordHash string
	Role         string
	Status       string
}

CreateStoredUserInput is the repository input model for creating auth users.

type Mode

type Mode string

Mode selects auth validation strictness.

const (
	// ModeJWTOnly validates only the JWT signature and claims. No session
	// lookup is made, so a revoked session is accepted until its token expires.
	ModeJWTOnly Mode = "jwt_only"
	// ModeHybrid performs the backing session check when the dependency is
	// reachable but falls back to JWT-only validation when it fails, so
	// revocation is not enforced during a session-backend outage.
	ModeHybrid Mode = "hybrid"
	// ModeStrict requires a successful backing session check for
	// revocation-aware auth; a session-backend outage fails closed.
	ModeStrict Mode = "strict"
)

func ParseMode

func ParseMode(mode string) (Mode, error)

ParseMode normalizes mode input into a supported auth Mode value.

Empty values default to ModeHybrid to keep startup behavior predictable; any other unrecognized value is rejected with an error rather than silently mapped to a weaker mode.
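The three modes differ in what happens when the session backend is unreachable, which is the property that matters for revocation. The block below is an added example, not the package's or goAuth's code: it reimplements ParseMode with the documented defaults (trimming and lower-casing are this example's normalization choice), and Decide, SessionStore and memStore are hypothetical stand-ins that model the documented behavior of each mode once the JWT itself has already been verified upstream.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

type Mode string

const (
	ModeJWTOnly Mode = "jwt_only"
	ModeHybrid  Mode = "hybrid"
	ModeStrict  Mode = "strict"
)

var ErrUnauthenticated = errors.New("unauthenticated")

// ParseMode mirrors the documented contract: empty input defaults to
// ModeHybrid, anything else must be one of the three constants. Trimming and
// lower-casing is this example's choice; the package's exact normalization
// is not shown on the page.
func ParseMode(mode string) (Mode, error) {
	switch m := Mode(strings.ToLower(strings.TrimSpace(mode))); m {
	case "":
		return ModeHybrid, nil
	case ModeJWTOnly, ModeHybrid, ModeStrict:
		return m, nil
	default:
		return "", fmt.Errorf("auth: unsupported mode %q", mode)
	}
}

// SessionStore is a hypothetical stand-in for the Redis-backed session state
// the engine consults; it is not an interface from the package.
type SessionStore interface {
	Active(ctx context.Context, sessionID string) (bool, error)
}

// Decision records whether the request is accepted and whether a revocation
// check actually happened, so callers can log the fail-open path explicitly.
type Decision struct {
	Accepted          bool
	RevocationChecked bool
}

// Decide assumes the JWT's signature and claims were already verified and
// applies only the mode-dependent session check.
func Decide(ctx context.Context, mode Mode, store SessionStore, sessionID string) (Decision, error) {
	if mode == ModeJWTOnly {
		return Decision{Accepted: true}, nil
	}
	active, err := store.Active(ctx, sessionID)
	if err != nil {
		if mode == ModeStrict {
			// Fail closed: without a revocation answer there is no access.
			return Decision{}, fmt.Errorf("session backend unavailable: %w", err)
		}
		// ModeHybrid: fall back to the JWT-only result. A revoked session is
		// accepted while the backend is down; this is the trade-off behind
		// "can fallback when dependencies fail".
		return Decision{Accepted: true, RevocationChecked: false}, nil
	}
	if !active {
		return Decision{RevocationChecked: true}, ErrUnauthenticated
	}
	return Decision{Accepted: true, RevocationChecked: true}, nil
}

// memStore is a constructed in-memory session store with a switch that
// simulates the backend being down.
type memStore struct {
	active map[string]bool
	down   bool
}

func (m *memStore) Active(_ context.Context, id string) (bool, error) {
	if m.down {
		return false, errors.New("redis: connection refused")
	}
	return m.active[id], nil
}

func main() {
	ctx := context.Background()
	store := &memStore{active: map[string]bool{"sess-1": true}}
	for _, mode := range []Mode{ModeJWTOnly, ModeHybrid, ModeStrict} {
		d, err := Decide(ctx, mode, store, "sess-revoked")
		fmt.Printf("%-8s backend up, revoked session: accepted=%v checked=%v err=%v\n", mode, d.Accepted, d.RevocationChecked, err)
	}
	store.down = true
	for _, mode := range []Mode{ModeJWTOnly, ModeHybrid, ModeStrict} {
		d, err := Decide(ctx, mode, store, "sess-1")
		fmt.Printf("%-8s backend down: accepted=%v checked=%v err=%v\n", mode, d.Accepted, d.RevocationChecked, err)
	}
}
```

Operationally, the RevocationChecked=false path under ModeHybrid is the one to alert on: it is a deliberate availability trade-off, and a monitoring gap there turns a Redis outage into a silent revocation bypass.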

type StoreUserProvider added in v0.7.0

type StoreUserProvider struct {
	// contains filtered or unexported fields
}

StoreUserProvider is the DB-backed UserProvider for goAuth. It depends on a domain UserRepository, not on backend query objects. In this version every TOTP and backup-code method is a stub, so the provider persists no MFA state and cannot enforce MFA on its own.

func NewStoreUserProvider added in v0.7.0

func NewStoreUserProvider(repo UserRepository) *StoreUserProvider

NewStoreUserProvider creates a store-backed user provider.

func (*StoreUserProvider) ConsumeBackupCode added in v0.7.0

func (p *StoreUserProvider) ConsumeBackupCode(_ context.Context, _ string, _ [32]byte) (bool, error)

ConsumeBackupCode is a stub until backup-code persistence is implemented.

func (*StoreUserProvider) CreateUser added in v0.7.0

CreateUser inserts a new auth user record.

func (*StoreUserProvider) DisableTOTP added in v0.7.0

func (p *StoreUserProvider) DisableTOTP(_ context.Context, _ string) error

DisableTOTP is a stub until MFA persistence is implemented.

func (*StoreUserProvider) EnableTOTP added in v0.7.0

func (p *StoreUserProvider) EnableTOTP(_ context.Context, _ string, _ []byte) error

EnableTOTP is a stub until MFA persistence is implemented.

func (*StoreUserProvider) GetBackupCodes added in v0.7.0

func (p *StoreUserProvider) GetBackupCodes(_ context.Context, _ string) ([]goauth.BackupCodeRecord, error)

GetBackupCodes is a stub until backup-code persistence is implemented.

func (*StoreUserProvider) GetTOTPSecret added in v0.7.0

func (p *StoreUserProvider) GetTOTPSecret(_ context.Context, _ string) (*goauth.TOTPRecord, error)

GetTOTPSecret is a stub until TOTP persistence is implemented.

func (*StoreUserProvider) GetUserByID added in v0.7.0

func (p *StoreUserProvider) GetUserByID(userID string) (goauth.UserRecord, error)

GetUserByID looks up a user by canonical user id.

func (*StoreUserProvider) GetUserByIdentifier added in v0.7.0

func (p *StoreUserProvider) GetUserByIdentifier(identifier string) (goauth.UserRecord, error)

GetUserByIdentifier looks up a user by login identifier.

func (*StoreUserProvider) MarkTOTPVerified added in v0.7.0

func (p *StoreUserProvider) MarkTOTPVerified(_ context.Context, _ string) error

MarkTOTPVerified is a stub until MFA persistence is implemented.

func (*StoreUserProvider) ReplaceBackupCodes added in v0.7.0

func (p *StoreUserProvider) ReplaceBackupCodes(_ context.Context, _ string, _ []goauth.BackupCodeRecord) error

ReplaceBackupCodes is a stub until backup-code persistence is implemented.

func (*StoreUserProvider) UpdateAccountStatus added in v0.7.0

func (p *StoreUserProvider) UpdateAccountStatus(ctx context.Context, userID string, status goauth.AccountStatus) (goauth.UserRecord, error)

UpdateAccountStatus updates account status and returns latest user record.

func (*StoreUserProvider) UpdatePasswordHash added in v0.7.0

func (p *StoreUserProvider) UpdatePasswordHash(userID string, newHash string) error

UpdatePasswordHash persists a new password hash for the given user.

func (*StoreUserProvider) UpdateTOTPLastUsedCounter added in v0.7.0

func (p *StoreUserProvider) UpdateTOTPLastUsedCounter(_ context.Context, _ string, _ int64) error

UpdateTOTPLastUsedCounter is a stub until MFA persistence is implemented.

type StoredUser added in v0.7.0

type StoredUser struct {
	ID           string
	Email        string
	PasswordHash string
	Role         string
	Status       string
}

StoredUser is the storage-layer projection used by the auth repository.

type UserRepository added in v0.7.0

type UserRepository interface {
	GetByIdentifier(ctx context.Context, identifier string) (StoredUser, error)
	GetByID(ctx context.Context, userID string) (StoredUser, error)
	UpdatePasswordHash(ctx context.Context, userID, newHash string) error
	Create(ctx context.Context, input CreateStoredUserInput) (StoredUser, error)
	UpdateStatus(ctx context.Context, userID string, status string) (StoredUser, error)
}

UserRepository defines domain-level auth user persistence operations.

func NewRelationalUserRepository added in v0.7.0

func NewRelationalUserRepository(store storage.RelationalStore) UserRepository

NewRelationalUserRepository creates an auth repository over a relational store.
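Because StoreUserProvider depends only on the UserRepository interface, a test double can replace the relational store. The block below is an added example, not the package's code: it copies StoredUser, CreateStoredUserInput, UserRepository and ErrAuthUserNotFound from this page, and memUserRepository, LoginEligible and the "active" status value are this example's own assumptions (the page does not define status values or identifier normalization rules).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Copied from the package surface documented on this page.
var ErrAuthUserNotFound = errors.New("auth user not found")

type StoredUser struct {
	ID, Email, PasswordHash, Role, Status string
}

type CreateStoredUserInput struct {
	Identifier, PasswordHash, Role, Status string
}

type UserRepository interface {
	GetByIdentifier(ctx context.Context, identifier string) (StoredUser, error)
	GetByID(ctx context.Context, userID string) (StoredUser, error)
	UpdatePasswordHash(ctx context.Context, userID, newHash string) error
	Create(ctx context.Context, input CreateStoredUserInput) (StoredUser, error)
	UpdateStatus(ctx context.Context, userID string, status string) (StoredUser, error)
}

// errAccountInactive is example-local; "active" as the only login-eligible
// status is an assumption, since the page does not define status values.
var errAccountInactive = errors.New("account not active")

// memUserRepository is a constructed single-goroutine test double. It
// normalizes identifiers so "Alice@Example.com" and "alice@example.com"
// cannot become two accounts (this example's choice, not documented behavior).
type memUserRepository struct {
	byID    map[string]StoredUser
	idByKey map[string]string // normalized identifier -> user ID
	seq     int
}

var _ UserRepository = (*memUserRepository)(nil)

func newMemUserRepository() *memUserRepository {
	return &memUserRepository{byID: map[string]StoredUser{}, idByKey: map[string]string{}}
}

func normalize(identifier string) string {
	return strings.ToLower(strings.TrimSpace(identifier))
}

func (r *memUserRepository) GetByIdentifier(_ context.Context, identifier string) (StoredUser, error) {
	id, ok := r.idByKey[normalize(identifier)]
	if !ok {
		return StoredUser{}, ErrAuthUserNotFound
	}
	return r.byID[id], nil
}

func (r *memUserRepository) GetByID(_ context.Context, userID string) (StoredUser, error) {
	u, ok := r.byID[userID]
	if !ok {
		return StoredUser{}, ErrAuthUserNotFound
	}
	return u, nil
}

// UpdatePasswordHash refuses an empty hash: storing one would let any
// comparison against it succeed or fail unpredictably depending on the verifier.
func (r *memUserRepository) UpdatePasswordHash(_ context.Context, userID, newHash string) error {
	if newHash == "" {
		return errors.New("refusing to store an empty password hash")
	}
	u, ok := r.byID[userID]
	if !ok {
		return ErrAuthUserNotFound
	}
	u.PasswordHash = newHash
	r.byID[userID] = u
	return nil
}

func (r *memUserRepository) Create(_ context.Context, in CreateStoredUserInput) (StoredUser, error) {
	key := normalize(in.Identifier)
	if _, exists := r.idByKey[key]; exists {
		return StoredUser{}, fmt.Errorf("create user: identifier already registered")
	}
	r.seq++
	u := StoredUser{ID: fmt.Sprintf("u%d", r.seq), Email: key, PasswordHash: in.PasswordHash, Role: in.Role, Status: in.Status}
	r.byID[u.ID] = u
	r.idByKey[key] = u.ID
	return u, nil
}

func (r *memUserRepository) UpdateStatus(_ context.Context, userID string, status string) (StoredUser, error) {
	u, ok := r.byID[userID]
	if !ok {
		return StoredUser{}, ErrAuthUserNotFound
	}
	u.Status = status
	r.byID[userID] = u
	return u, nil
}

// LoginEligible is a hypothetical login-time gate: unknown identifiers surface
// ErrAuthUserNotFound (wrapped, so errors.Is still matches) and any status
// other than "active" is refused before password verification runs.
func LoginEligible(ctx context.Context, repo UserRepository, identifier string) (StoredUser, error) {
	u, err := repo.GetByIdentifier(ctx, identifier)
	if err != nil {
		return StoredUser{}, fmt.Errorf("login lookup: %w", err)
	}
	if u.Status != "active" {
		return StoredUser{}, fmt.Errorf("status %q: %w", u.Status, errAccountInactive)
	}
	return u, nil
}

func main() {
	ctx := context.Background()
	repo := newMemUserRepository()
	u, _ := repo.Create(ctx, CreateStoredUserInput{Identifier: "Alice@Example.com", PasswordHash: "hash-placeholder", Role: "admin", Status: "active"})
	_, err := LoginEligible(ctx, repo, "alice@example.com")
	fmt.Println("active account eligible:", err == nil)
	repo.UpdateStatus(ctx, u.ID, "disabled")
	_, err = LoginEligible(ctx, repo, "alice@example.com")
	fmt.Println("disabled account:", err)
}
```

The same double can be passed to NewStoreUserProvider in tests, since it only needs a UserRepository; the production path uses NewRelationalUserRepository over the relational store.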
