Documentation
Index
- Constants
- func ClearHMACCaches()
- func DecodeHeaderAlg(headerSegment string) string
- func DecodeSegment(segment string, dest any) error
- func GenerateTokenID() (string, error)
- func IsWeakKey(key []byte) bool
- func ParseTokenID(tokenString string) (string, error)
- func ReleaseCore(c *Core)
- func SignToken(alg string, claims any, method Method, key any) (string, error)
- func ZeroBytes(data []byte)
- type Core
- type Manager
- type Method
- type Store
Constants
const (
	// TokenIDLength is the length of the random portion of a token ID in bytes.
	TokenIDLength = 16
	// TokenIDPrefix is the prefix added to all generated token IDs.
	TokenIDPrefix = "tok_"
)
const DefaultBlacklistTTL = 7 * 24 * time.Hour
DefaultBlacklistTTL is the default time-to-live for blacklisted tokens when the token does not have an expiration time.
const MaxBlacklistTTL = 30 * 24 * time.Hour
MaxBlacklistTTL caps the TTL of a blacklist entry so that an untrusted exp value in a crafted token cannot cause a denial of service by keeping entries alive far longer than intended.
Variables
This section is empty.
Functions
func ClearHMACCaches (added in v1.2.0)
func ClearHMACCaches()
ClearHMACCaches drains all HMAC hasher pools, allowing GC to reclaim hasher objects that may retain secret key material in their internal state.
func DecodeHeaderAlg (added in v1.2.0)
func DecodeHeaderAlg(headerSegment string) string
DecodeHeaderAlg extracts the "alg" field from a base64url-encoded JWT header segment without decoding the whole header into a map. It returns an empty string if no alg field is found or the header is invalid. This avoids the map[string]any allocation and interface boxing for the common case where only the algorithm name is needed.
func DecodeSegment
func DecodeSegment(segment string, dest any) error
func GenerateTokenID (added in v1.1.0)
func GenerateTokenID() (string, error)
GenerateTokenID generates a unique token ID from cryptographically random bytes. The ID has the format "tok_" followed by 32 hexadecimal characters (TokenIDPrefix plus the hex encoding of TokenIDLength random bytes). It uses stack-allocated arrays instead of pooled buffers because the fixed result size (36 bytes) makes the pool Get/Put overhead (~60ns) more expensive than a single string() copy.
func ParseTokenID (added in v1.2.0)
func ParseTokenID(tokenString string) (string, error)
ParseTokenID extracts the token ID (jti claim) from a JWT without verifying the signature, so the returned value must be treated as unverified input. It returns an empty string if the token has no jti claim.
func ReleaseCore (added in v1.2.0)
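An added example (not the package's own code) that ties the two points above together: reading jti and exp from an unverified token, as ParseTokenID does, and then deriving a blacklist entry TTL that is clamped to MaxBlacklistTTL and falls back to DefaultBlacklistTTL when exp is absent. BlacklistTTL and makeUnsignedToken are hypothetical helpers; the zero-TTL rule for already-expired tokens is an assumption of this example.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
// TTL bounds as documented for the package.
const DefaultBlacklistTTL, MaxBlacklistTTL = 7 * 24 * time.Hour, 30 * 24 * time.Hour

// makeUnsignedToken builds a compact JWT with an empty signature (sample input).
func makeUnsignedToken(claimsJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc([]byte(claimsJSON)) + "."
}

// BlacklistTTL returns the jti and how long its blacklist entry should live at
// time now (hypothetical helper, not the package's code). The token is unverified,
// so the lifetime until exp is clamped to MaxBlacklistTTL; no exp: default; expired: 0.
func BlacklistTTL(token string, now time.Time) (string, time.Duration, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", 0, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	var c struct {
		JTI string `json:"jti"`
		Exp int64  `json:"exp"` // stays 0 when the claim is absent
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	if err != nil {
		return "", 0, fmt.Errorf("bad payload segment: %w", err)
	}
	ttl := time.Unix(c.Exp, 0).Sub(now)
	if c.Exp == 0 {
		ttl = DefaultBlacklistTTL
	} else if ttl > MaxBlacklistTTL {
		ttl = MaxBlacklistTTL
	} else if ttl < 0 {
		ttl = 0
	}
	return c.JTI, ttl, nil
}

func main() {
	tok := makeUnsignedToken(`{"jti":"tok_0123456789abcdef0123456789abcdef","exp":4102444800}`)
	fmt.Println(BlacklistTTL(tok, time.Unix(1700000000, 0))) // clamped to 720h0m0s
}
```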
func ReleaseCore(c *Core)
ReleaseCore returns a Core struct to the pool after clearing its fields.
Types
type Core
type Core struct {
Header map[string]any `json:"header"`
Claims any `json:"claims"`
Signature string `json:"-"`
Method Method
Valid bool
Raw string
// Alg caches the algorithm extracted during fast-path parsing so keyFunc
// can read it without storing the string as an interface in Header (which
// causes one heap allocation per parse for the string→any boxing).
// Empty when the slow path (full header decode) was used.
Alg string
}
func ParseUnverified
type Manager
type Manager struct {
// contains filtered or unexported fields
}
Manager handles token blacklist operations.
func NewManagerWithClock (added in v1.2.0)
NewManagerWithClock creates a new Manager with the given store and clock function. If nowFunc is nil, time.Now is used.
func (*Manager) BlacklistTokenString
type Method
type Method interface {
// Alg returns the algorithm identifier (e.g., "HS256", "RS256").
Alg() string
// Sign creates a signature for the given signing string.
Sign(signingString string, key any) (string, error)
// SignTo writes the base64-encoded signature to dst and returns bytes written.
// Avoids intermediate string allocation by encoding directly into the caller's buffer.
SignTo(dst []byte, signingString string, key any) (int, error)
// Verify checks if the signature is valid for the given signing string.
Verify(signingString string, signature string, key any) error
// Hash returns the hash function used by this method.
Hash() crypto.Hash
}
Method defines the interface for JWT signing algorithms.
func GetInternalSigningMethod
GetInternalSigningMethod retrieves a signing method by algorithm name. All built-in methods are registered in init(), so this simply checks the registry.