auth

package
v0.1.2 (latest)
Published: Feb 15, 2026 License: AGPL-3.0, AGPL-3.0-or-later Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func HashToken

func HashToken(token string) string

HashToken returns the hex-encoded SHA-256 digest of a token; the digest, not the raw token, is what the store uses as its lookup key.

func LoadOrCreateSecret

func LoadOrCreateSecret(configDir string) (string, error)

LoadOrCreateSecret reads the secret from configDir/secret, or generates and persists a new 256-bit hex-encoded secret if the file is missing or empty.

func RotateSecret

func RotateSecret(configDir string) (string, error)

RotateSecret generates a new secret and replaces the existing one. Because tokens are signed with the secret, every existing session is invalidated when it changes.

func SignToken

func SignToken(claims TokenClaims, secret []byte) (string, error)

SignToken creates a signed JWT from the given claims. A unique JTI is generated automatically if not set.

Types

type AuthCode

type AuthCode struct {
	// CodeHash is the hash under which the code is looked up (see
	// ConsumeCode); the raw code itself is not a field of this struct.
	CodeHash string
	// ClientID is the client the code was issued to.
	ClientID string
	// RedirectURI is the redirect URI associated with the code.
	RedirectURI string
	// CodeChallenge is the PKCE code_challenge presented at authorization;
	// the challenge method is not recorded here — presumably S256, confirm.
	CodeChallenge string
	// Scope is the scope requested for the code.
	Scope string
	// ExpiresAt is the instant after which the code is considered expired
	// (expired codes are removed by AuthStore.Cleanup).
	ExpiresAt time.Time
	// Used records whether the code has already been consumed; presumably
	// set by ConsumeCode so a code cannot be exchanged twice — confirm.
	Used bool
}

AuthCode represents an OAuth authorization code.

type AuthStore

type AuthStore interface {
	// StoreCode persists an authorization code record.
	StoreCode(code *AuthCode)
	// ConsumeCode returns the code stored under codeHash, or an error if
	// none is usable. The name implies single use; implementations are
	// expected to mark the code Used — confirm in each implementation.
	ConsumeCode(codeHash string) (*AuthCode, error)
	// StoreToken persists a token record.
	StoreToken(token *StoredToken)
	// GetToken returns the token stored under tokenHash, or an error.
	GetToken(tokenHash string) (*StoredToken, error)
	// RevokeToken marks the token stored under tokenHash as revoked
	// (presumably via StoredToken.Revoked — confirm).
	RevokeToken(tokenHash string)
	// Cleanup removes expired tokens and codes; called periodically by
	// OAuthServer.StartCleanupLoop.
	Cleanup()
}

AuthStore is the persistence interface for OAuth codes and tokens.

type MemoryAuthStore

type MemoryAuthStore struct {
	// contains filtered or unexported fields
}

MemoryAuthStore handles in-memory persistence of OAuth codes and tokens.

func NewMemoryAuthStore

func NewMemoryAuthStore() *MemoryAuthStore

NewMemoryAuthStore creates an in-memory AuthStore.

func (*MemoryAuthStore) Cleanup

func (s *MemoryAuthStore) Cleanup()

func (*MemoryAuthStore) ConsumeCode

func (s *MemoryAuthStore) ConsumeCode(codeHash string) (*AuthCode, error)

func (*MemoryAuthStore) GetToken

func (s *MemoryAuthStore) GetToken(tokenHash string) (*StoredToken, error)

func (*MemoryAuthStore) RevokeToken

func (s *MemoryAuthStore) RevokeToken(tokenHash string)

func (*MemoryAuthStore) StoreCode

func (s *MemoryAuthStore) StoreCode(code *AuthCode)

func (*MemoryAuthStore) StoreToken

func (s *MemoryAuthStore) StoreToken(token *StoredToken)

type OAuthServer

type OAuthServer struct {
	// contains filtered or unexported fields
}

OAuthServer implements OAuth 2.1 with PKCE for Claude Chat Custom Connectors.

func NewOAuthServer

func NewOAuthServer(cfg config.AuthConfig, publicURL string) *OAuthServer

NewOAuthServer creates an OAuth 2.1 server from config.

func NewOAuthServerWithStore

func NewOAuthServerWithStore(cfg config.AuthConfig, publicURL string, store AuthStore) *OAuthServer

NewOAuthServerWithStore creates an OAuth 2.1 server with the given auth store.

func (*OAuthServer) HandleAuthorize

func (s *OAuthServer) HandleAuthorize(w http.ResponseWriter, r *http.Request)

HandleAuthorize handles the authorization endpoint. GET /oauth/authorize

func (*OAuthServer) HandleMetadata

func (s *OAuthServer) HandleMetadata(w http.ResponseWriter, r *http.Request)

HandleMetadata serves the OAuth 2.1 server metadata (RFC 8414). GET /.well-known/oauth-authorization-server

func (*OAuthServer) HandleProtectedResourceMetadata

func (s *OAuthServer) HandleProtectedResourceMetadata(w http.ResponseWriter, r *http.Request)

HandleProtectedResourceMetadata serves the Protected Resource Metadata (RFC 9728). GET /.well-known/oauth-protected-resource

func (*OAuthServer) HandleToken

func (s *OAuthServer) HandleToken(w http.ResponseWriter, r *http.Request)

HandleToken handles the token endpoint. POST /oauth/token

func (*OAuthServer) Secret

func (s *OAuthServer) Secret() []byte

Secret returns the HMAC signing key (for middleware use).

func (*OAuthServer) StartCleanupLoop

func (s *OAuthServer) StartCleanupLoop(done <-chan struct{})

StartCleanupLoop runs periodic cleanup of expired tokens and codes.

func (*OAuthServer) ValidateAccessToken

func (s *OAuthServer) ValidateAccessToken(tokenStr string) (*TokenClaims, error)

ValidateAccessToken verifies an access token string on behalf of request middleware and returns its claims.

type SQLiteAuthStore

type SQLiteAuthStore struct {
	// contains filtered or unexported fields
}

SQLiteAuthStore adapts store.Store to the AuthStore interface.

func NewSQLiteAuthStore

func NewSQLiteAuthStore(db store.Store) *SQLiteAuthStore

NewSQLiteAuthStore creates an AuthStore backed by SQLite.

func (*SQLiteAuthStore) Cleanup

func (s *SQLiteAuthStore) Cleanup()

func (*SQLiteAuthStore) ConsumeCode

func (s *SQLiteAuthStore) ConsumeCode(codeHash string) (*AuthCode, error)

func (*SQLiteAuthStore) GetToken

func (s *SQLiteAuthStore) GetToken(tokenHash string) (*StoredToken, error)

func (*SQLiteAuthStore) RevokeToken

func (s *SQLiteAuthStore) RevokeToken(tokenHash string)

func (*SQLiteAuthStore) StoreCode

func (s *SQLiteAuthStore) StoreCode(code *AuthCode)

func (*SQLiteAuthStore) StoreToken

func (s *SQLiteAuthStore) StoreToken(token *StoredToken)

type StoredToken

type StoredToken struct {
	// TokenHash is the hash under which the token is looked up (GetToken,
	// RevokeToken); the raw token is not persisted.
	TokenHash string
	TokenType string // "access" or "refresh"
	// ClientID is the client the token was issued to.
	ClientID string
	// Scope is the scope granted to the token.
	Scope string
	// ExpiresAt is the instant after which the token is expired
	// (expired tokens are removed by AuthStore.Cleanup).
	ExpiresAt time.Time
	// Revoked marks a token that was explicitly revoked before expiry.
	Revoked bool
}

StoredToken represents a persisted OAuth token.

type TokenClaims

type TokenClaims struct {
	// JTI is the unique token identifier; SignToken fills it in when empty.
	JTI string `json:"jti"`
	// Subject is the JWT "sub" claim.
	Subject string `json:"sub"`
	// ClientID is the client the token was issued to.
	ClientID string `json:"client_id"`
	// Scope is the scope granted to the token.
	Scope string `json:"scope"`
	TokenType string `json:"token_type"` // "access" or "refresh"
	// IssuedAt is the "iat" claim, assumed to be Unix seconds — confirm.
	IssuedAt int64 `json:"iat"`
	// ExpiresAt is the "exp" claim, assumed to be Unix seconds; IsExpired
	// compares against it.
	ExpiresAt int64 `json:"exp"`
	// Issuer is the "iss" claim.
	Issuer string `json:"iss"`
}

TokenClaims represents the payload of a Herald JWT.

func VerifyToken

func VerifyToken(tokenStr string, secret []byte) (*TokenClaims, error)

VerifyToken validates a JWT signature and returns the claims.

func (TokenClaims) IsExpired

func (c TokenClaims) IsExpired() bool

IsExpired returns true if the token has expired.
