auth

package v0.137.0

Warning: This package is not in the latest version of its module.

Published: Mar 24, 2026 License: MIT Imports: 23 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var ErrAuthFailed = errors.New("authentication failed")

ErrAuthFailed is returned when the relay rejects a token with 401.

Functions

func Decrypt

func Decrypt(gcm cipher.AEAD, encoded string) ([]byte, error)

Decrypt base64-decodes the input and then decrypts it as AES-256-GCM (iv || ciphertext || tag).

func DeriveSharedKey

func DeriveSharedKey(privateKey *ecdh.PrivateKey, peerPublicKeyB64, info string) (cipher.AEAD, error)

DeriveSharedKey performs X25519 ECDH + HKDF to produce an AES-256-GCM key. The info parameter differentiates key domains (e.g. "wt-pty" for PTY sessions, "wt-tunnel" for the encrypted tunnel).

func Encrypt

func Encrypt(gcm cipher.AEAD, plaintext []byte) (string, error)

Encrypt encrypts plaintext with AES-256-GCM and returns base64(iv || ciphertext || tag).

func EnsureKeyPair

func EnsureKeyPair(dir string) (string, error)

EnsureKeyPair loads or generates an X25519 keypair and returns the base64-encoded public key. The private key is stored in dir/wing_key.

func GenerateAuthToken added in v0.34.0

func GenerateAuthToken() (string, error)

GenerateAuthToken returns a random hex-encoded auth token (32 bytes).

func GenerateChallenge added in v0.34.0

func GenerateChallenge() ([]byte, error)

GenerateChallenge returns 32 random bytes for a passkey challenge.

func IsValidP256Point added in v0.34.0

func IsValidP256Point(raw []byte) bool

IsValidP256Point checks whether 64 raw bytes (X||Y) represent a valid point on the P-256 curve.

func LoadPrivateKey

func LoadPrivateKey(dir string) (*ecdh.PrivateKey, error)

LoadPrivateKey loads the X25519 private key from disk.

func SHA256Sum added in v0.34.0

func SHA256Sum(data []byte) [32]byte

SHA256Sum returns the SHA-256 hash of data.

func ValidateTokenRemote added in v0.107.0

func ValidateTokenRemote(baseURL, token string) error

ValidateTokenRemote checks a device token against the relay's /auth/check endpoint. Returns nil on 200 (valid), ErrAuthFailed on 401, or a wrapped error for network failures.

func VerifyPasskeyAssertion added in v0.34.0

func VerifyPasskeyAssertion(allowedKey, challenge, authenticatorData, clientDataJSON, signature []byte) error

VerifyPasskeyAssertion verifies a WebAuthn assertion using a raw P-256 public key (64 bytes: X||Y). It uses the Go standard library only; no external library is required.
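To show what a standard-library-only assertion check involves, here is an added example covering IsValidP256Point, GenerateChallenge and VerifyPasskeyAssertion together. It is not the package's code: the page says only that the assertion is verified with a raw P-256 key, so the specific relying-party checks here (challenge echoed in clientDataJSON, `type` of `webauthn.get`, user-present flag, ECDSA signature over authenticatorData || SHA-256(clientDataJSON)) follow the WebAuthn specification rather than anything the package documents, and origin and rpIdHash comparisons are left out because the page does not say what the package compares them against. The `rawKey` and `ceremony` helpers, the RP ID `wing.example.test` and the sign count are constructed for the demonstration; `ceremony` plays the authenticator in software and then verifies the assertion once against the real challenge and once against a fresh one, which is what a replayed assertion looks like to the verifier.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// IsValidP256Point prefixes X||Y with 0x04 (uncompressed SEC1) and lets
// crypto/ecdh parse it; off-curve coordinates are rejected there.
func IsValidP256Point(raw []byte) bool {
	if len(raw) != 64 {
		return false
	}
	_, err := ecdh.P256().NewPublicKey(append([]byte{0x04}, raw...))
	return err == nil
}

func GenerateChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// VerifyPasskeyAssertion: relying-party checks for a WebAuthn "get" ceremony
// (challenge echo, user presence, ECDSA P-256 over authData || SHA-256(clientData)).
func VerifyPasskeyAssertion(allowedKey, challenge, authenticatorData, clientDataJSON, signature []byte) error {
	if !IsValidP256Point(allowedKey) {
		return errors.New("allowed key is not a valid P-256 point")
	}
	var cd struct{ Type, Challenge string } // encoding/json matches "type"/"challenge" case-insensitively
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("clientDataJSON.type is not webauthn.get")
	}
	echoed, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(echoed, challenge) {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	// authenticatorData = rpIdHash(32) || flags(1) || signCount(4) || ...; flags bit 0 = user present
	if len(authenticatorData) < 37 || authenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authenticatorData...), cdHash[:]...))
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(allowedKey[:32]), Y: new(big.Int).SetBytes(allowedKey[32:])}
	if !ecdsa.VerifyASN1(pub, digest[:], signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// rawKey flattens an ECDSA public key to the 64-byte X||Y form used above.
func rawKey(pub *ecdsa.PublicKey) []byte {
	out := make([]byte, 64)
	pub.X.FillBytes(out[:32])
	pub.Y.FillBytes(out[32:])
	return out
}

// ceremony stands in for an authenticator (constructed data, not a real device):
// sign one assertion, verify it against its challenge and against a fresh one.
func ceremony() (valid, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	challenge, _ := GenerateChallenge()
	rpIDHash := sha256.Sum256([]byte("wing.example.test")) // hypothetical RP ID
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 7)      // flags = UP, signCount = 7
	clientData := []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":%q,"origin":"https://wing.example.test"}`,
		base64.RawURLEncoding.EncodeToString(challenge)))
	cdHash := sha256.Sum256(clientData)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return err, err
	}
	key := rawKey(&priv.PublicKey)
	valid = VerifyPasskeyAssertion(key, challenge, authData, clientData, sig)
	fresh, _ := GenerateChallenge()
	replayed = VerifyPasskeyAssertion(key, fresh, authData, clientData, sig)
	return valid, replayed
}

func main() {
	v, r := ceremony()
	fmt.Println("valid:", v, "| replayed:", r)
}
```

The point-validity check runs before anything else on purpose: ecdsa.VerifyASN1 also rejects off-curve keys, but checking the stored key explicitly gives a distinct error for a corrupted credential record, and the same check is what a registration handler should apply before it ever stores a key.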

Types

type AuthCache added in v0.34.0

type AuthCache struct {
	// contains filtered or unexported fields
}

AuthCache caches passkey auth tokens in memory. Boot-scoped: tokens are valid until the wing process dies. Restart revokes everything. An optional TTL can further limit token lifetime (0 means no expiry).

func NewAuthCache added in v0.34.0

func NewAuthCache() *AuthCache

NewAuthCache creates a new boot-scoped in-memory auth cache.

func (*AuthCache) Check added in v0.34.0

func (c *AuthCache) Check(token string, ttl time.Duration) ([]byte, bool)

Check returns the public key for a valid token. If ttl > 0, expired tokens are rejected and removed from the cache. If ttl is 0, tokens never expire.

func (*AuthCache) Put added in v0.34.0

func (c *AuthCache) Put(token string, pubKey []byte)

Put stores a token with the given public key.
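The AuthCache contract above (boot-scoped, optional TTL applied at Check time, expired entries evicted) is small enough to show in full. The block below is an added example, not the package's implementation: the struct layout, the SHA-256 hashing of the token before it is used as a map key (so a heap dump or debug log of the map does not hand out usable bearer tokens), the injectable `now` clock, the `Len` method and the `walkthrough` scenario with its constructed timestamp are all choices made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

type cacheEntry struct {
	pubKey   []byte
	issuedAt time.Time
}

// AuthCache holds passkey-authenticated tokens for the life of the process.
// Map keys are SHA-256(token), an added hardening choice of this example.
type AuthCache struct {
	mu      sync.Mutex
	entries map[string]cacheEntry
	now     func() time.Time // clock hook so expiry is testable without sleeping
}

func NewAuthCache() *AuthCache {
	return &AuthCache{entries: make(map[string]cacheEntry), now: time.Now}
}

func tokenKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Put records the token; pubKey is copied so later mutation by the caller has no effect.
func (c *AuthCache) Put(token string, pubKey []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[tokenKey(token)] = cacheEntry{pubKey: append([]byte(nil), pubKey...), issuedAt: c.now()}
}

// Check returns the public key bound to token. With ttl > 0, an entry older
// than ttl is evicted and reported invalid; with ttl == 0 entries never expire.
func (c *AuthCache) Check(token string, ttl time.Duration) ([]byte, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	k := tokenKey(token)
	e, ok := c.entries[k]
	if !ok {
		return nil, false
	}
	if ttl > 0 && c.now().Sub(e.issuedAt) > ttl {
		delete(c.entries, k) // evict, so a later more lenient Check cannot revive it
		return nil, false
	}
	return e.pubKey, true
}

// Len reports live entries (useful for tests and metrics).
func (c *AuthCache) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.entries)
}

// walkthrough drives the cache with a manual clock and returns three outcomes:
// a fresh check, a check after the ttl has passed, and a no-ttl check after eviction.
func walkthrough() (fresh, stale, afterEvict bool) {
	c := NewAuthCache()
	t0 := time.Date(2026, 3, 24, 12, 0, 0, 0, time.UTC) // constructed timestamp
	clock := t0
	c.now = func() time.Time { return clock }

	c.Put("tok-abc", []byte{0x04, 0x11, 0x22}) // constructed token and key bytes
	_, fresh = c.Check("tok-abc", time.Hour)

	clock = t0.Add(2 * time.Hour)
	_, stale = c.Check("tok-abc", time.Hour) // expired: rejected and removed

	_, afterEvict = c.Check("tok-abc", 0) // ttl 0 would never expire, but the entry is gone
	return fresh, stale, afterEvict
}

func main() {
	fmt.Println(walkthrough()) // true false false
}
```

The eviction on expiry is the behaviour worth testing: the documented semantics mean a token that was rejected once under a TTL stays rejected afterwards even if another code path calls Check with ttl 0, because Check removed it rather than merely hiding it.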

type DeviceCodeResponse

type DeviceCodeResponse struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURL string `json:"verification_url"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}

func RequestDeviceCode

func RequestDeviceCode(baseURL, wingID string, publicKey ...string) (*DeviceCodeResponse, error)

type DeviceToken

type DeviceToken struct {
	Token     string `json:"token" yaml:"device_token"`
	ExpiresAt int64  `json:"expires_at" yaml:"expires_at"`
	IssuedAt  int64  `json:"issued_at" yaml:"issued_at"`
	DeviceID  string `json:"device_id" yaml:"device_id"`
	PublicKey string `json:"public_key,omitempty" yaml:"public_key,omitempty"`
}

type TokenResponse

type TokenResponse struct {
	Token       string `json:"token"`
	ExpiresAt   int64  `json:"expires_at"`
	Error       string `json:"error,omitempty"`
	DisplayName string `json:"display_name,omitempty"`
	Email       string `json:"email,omitempty"`
	Provider    string `json:"provider,omitempty"`
}

func PollForToken

func PollForToken(ctx context.Context, baseURL, deviceCode string, interval int) (*TokenResponse, error)

func RefreshToken

func RefreshToken(baseURL string, token DeviceToken) (*TokenResponse, error)

type TokenStore

type TokenStore struct {
	Dir string
}

func NewTokenStore

func NewTokenStore(dir string) *TokenStore

func (*TokenStore) Delete

func (s *TokenStore) Delete() error

func (*TokenStore) IsValid

func (s *TokenStore) IsValid(token *DeviceToken) bool

func (*TokenStore) Load

func (s *TokenStore) Load() (*DeviceToken, error)

func (*TokenStore) Save

func (s *TokenStore) Save(token *DeviceToken) error

type UserInfo added in v0.114.0

type UserInfo struct {
	UserID      string `json:"user_id"`
	DisplayName string `json:"display_name"`
	Email       string `json:"email"`
	Provider    string `json:"provider"`
}

UserInfo represents the authenticated user's identity from the relay.

func FetchUserInfo added in v0.114.0

func FetchUserInfo(baseURL, token string) (*UserInfo, error)

FetchUserInfo calls /auth/check and returns the authenticated user's identity. Returns ErrAuthFailed on 401, or a wrapped error for network failures.
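ValidateTokenRemote and FetchUserInfo share one contract with the relay's /auth/check endpoint: 200 means valid, 401 becomes ErrAuthFailed, and anything else (including a network failure) is a wrapped error the caller must not confuse with a bad token. The block below is an added example of that status mapping written for this page; it is not the package's own client code. It assumes the token travels as a Bearer credential in the Authorization header (the page does not say how the token is sent), adds a client timeout and a bounded JSON body as hardening choices of the example, and stands up a constructed fake relay with httptest so the three outcomes can be exercised offline.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

var ErrAuthFailed = errors.New("authentication failed")

type UserInfo struct {
	UserID      string `json:"user_id"`
	DisplayName string `json:"display_name"`
	Email       string `json:"email"`
	Provider    string `json:"provider"`
}

// A bounded timeout so a stalled relay surfaces as a wrapped network error
// instead of hanging the caller (an assumption of this example).
var relayClient = &http.Client{Timeout: 10 * time.Second}

// authCheck sends the token to /auth/check and maps the status as documented:
// 200 -> response handed back, 401 -> ErrAuthFailed, anything else -> wrapped error.
// Sending the token as a Bearer credential is an assumption of this example.
func authCheck(ctx context.Context, baseURL, token string) (*http.Response, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/auth/check", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := relayClient.Do(req)
	if err != nil {
		return nil, fmt.Errorf("auth check: %w", err)
	}
	switch resp.StatusCode {
	case http.StatusOK:
		return resp, nil
	case http.StatusUnauthorized:
		resp.Body.Close()
		return nil, ErrAuthFailed
	default:
		resp.Body.Close()
		return nil, fmt.Errorf("auth check: unexpected status %d", resp.StatusCode)
	}
}

func ValidateTokenRemote(baseURL, token string) error {
	resp, err := authCheck(context.Background(), baseURL, token)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

func FetchUserInfo(baseURL, token string) (*UserInfo, error) {
	resp, err := authCheck(context.Background(), baseURL, token)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var u UserInfo // cap the body so a misbehaving relay cannot make us buffer unbounded JSON
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&u); err != nil {
		return nil, fmt.Errorf("decode user info: %w", err)
	}
	return &u, nil
}

// newFakeRelay is a constructed stand-in for the relay's /auth/check: it knows one
// valid token, compares in constant time, and answers 200 + identity JSON or 401.
func newFakeRelay(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/auth/check" {
			http.NotFound(w, r)
			return
		}
		got := []byte(r.Header.Get("Authorization"))
		if subtle.ConstantTimeCompare(got, []byte("Bearer "+validToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(UserInfo{UserID: "u-42", DisplayName: "Test User",
			Email: "user@example.test", Provider: "github"})
	}))
}

func main() {
	srv := newFakeRelay("good-token")
	defer srv.Close()
	fmt.Println("valid token:", ValidateTokenRemote(srv.URL, "good-token"))
	fmt.Println("bad token:  ", ValidateTokenRemote(srv.URL, "bad-token"))
	u, err := FetchUserInfo(srv.URL, "good-token")
	fmt.Printf("user: %+v err=%v\n", u, err)
}
```

Callers should branch with `errors.Is(err, ErrAuthFailed)` rather than comparing error strings: only that case means the token itself is bad (delete it, re-run device login), while a wrapped error means the relay was unreachable or misbehaving and the stored token should be kept.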
