Documentation
Overview
Package googlesignin implements a Go API to sign in users with Google accounts. It attempts to use the most up to date "recommended" API from Google, since they seem to decide to change it every few years.
Index
- func InsecureMakeAuthenticated(r *http.Request, idToken string) *http.Request
- type Authenticator
- func New(clientID string) *Authenticator
- func (a *Authenticator) GetEmail(r *http.Request) (string, error)
- func (a *Authenticator) GetIDToken(r *http.Request) (*jwkkeys.ValidatedGoogleToken, error)
- func (a *Authenticator) IsSignedIn(r *http.Request) bool
- func (a *Authenticator) MakePublic(path string)
- func (a *Authenticator) MustGetEmail(r *http.Request) string
- func (a *Authenticator) PermitInsecureCookies()
- func (a *Authenticator) RequireSignIn(handler http.Handler) http.Handler
Functions
func InsecureMakeAuthenticated
InsecureMakeAuthenticated makes a new *http.Request that is authenticated. It copies r and sets idToken and accessToken in the correct cookies, and marks the request as valid for MustGetEmail. This should only be called by tests.
Types
type Authenticator
```go
type Authenticator struct {
	// If set, the Google accounts must belong to this domain. See:
	// https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
	HostedDomain string

	// The path used to start and complete Google Sign In. Defaults to "/__start_signin".
	// Must start with /.
	SignInPath string

	// The path used to sign users out. Defaults to "/__signout". Must start with /.
	SignOutPath string

	// The path users will be redirected to after signing out, or when loading the sign in page
	// directly without a redirect (e.g. sometimes when hitting back). Defaults to "/".
	DefaultRedirect string

	// If true, users will be redirected to log in if they are not. Otherwise they get a failed
	// response.
	RedirectIfNotSignedIn bool

	// Gets keys to validate tokens. Should not be changed except in tests.
	CachedKeys jwkkeys.Set
	// contains filtered or unexported fields
}
```
Authenticator is an HTTP server middleware for requiring Google Sign-In.
func New
func New(clientID string) *Authenticator
New creates an Authenticator configured with the provided OAuth client ID. The middleware serves the page that starts the sign in publicly at SignInPath.
func (*Authenticator) GetEmail
func (a *Authenticator) GetEmail(r *http.Request) (string, error)
GetEmail returns the email for a request if it is signed in. This can be used on public pages. The error reports details that should not be returned to the client.
func (*Authenticator) GetIDToken
func (a *Authenticator) GetIDToken(r *http.Request) (*jwkkeys.ValidatedGoogleToken, error)
GetIDToken returns the valid ID token for an authenticated request. This can be used on public pages. The error reports details that should not be returned to the client.
func (*Authenticator) IsSignedIn
func (a *Authenticator) IsSignedIn(r *http.Request) bool
IsSignedIn returns true if the user is signed in to an accepted Google account. This can be used on public pages, for example to conditionally display content.
func (*Authenticator) MakePublic
func (a *Authenticator) MakePublic(path string)
MakePublic makes path accessible without signing in. This does exact path matching, unlike ServeMux, so "/" only permits the root page, and "/dir/" only permits the exact path "/dir/". It is currently not possible to permit subdirectories or any kind of pattern.
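The difference between the matching rule described here and ServeMux-style matching, as an added example that is not part of the package's own code: `exactPublic` and `muxPublic` are hypothetical helpers, and the allowlist is constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// exactPublic mirrors the documented MakePublic rule: a path is public only
// if it is identical to a registered entry. (Hypothetical helper.)
func exactPublic(public []string, path string) bool {
	for _, p := range public {
		if p == path {
			return true
		}
	}
	return false
}

// muxPublic shows what the same entries would permit under ServeMux
// semantics, where a pattern ending in "/" matches the whole subtree.
func muxPublic(public []string, path string) bool {
	mux := http.NewServeMux()
	for _, p := range public {
		mux.Handle(p, http.NotFoundHandler())
	}
	_, pattern := mux.Handler(httptest.NewRequest(http.MethodGet, path, nil))
	return pattern != "" // an empty pattern means no registered entry matched
}

func main() {
	public := []string{"/", "/dir/"} // constructed sample allowlist
	for _, path := range []string{"/", "/dir/", "/dir/report", "/admin"} {
		fmt.Printf("%-12s exact=%-5v servemux=%v\n",
			path, exactPublic(public, path), muxPublic(public, path))
	}
}
```

Under ServeMux semantics the single entry "/" would make every path public, while exact matching keeps "/dir/report" and "/admin" behind sign-in.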
func (*Authenticator) MustGetEmail
func (a *Authenticator) MustGetEmail(r *http.Request) string
MustGetEmail returns the authenticated user's email address, or panics if the user is not signed in. The request must have been served by RequireSignIn.
func (*Authenticator) PermitInsecureCookies
func (a *Authenticator) PermitInsecureCookies()
PermitInsecureCookies configures the Authenticator to allow sending cookies over HTTP connections (not setting the Secure cookie option). This should only be used for localhost testing. In production, you should only send cookies over HTTPS since they contain sensitive user data.
func (*Authenticator) RequireSignIn
func (a *Authenticator) RequireSignIn(handler http.Handler) http.Handler
RequireSignIn wraps an existing http.Handler to require a user to be signed in. If the user is not signed in, it fails the request or, when RedirectIfNotSignedIn is true, redirects the user to sign in.
Directories
| Path | Synopsis |
|---|---|
| | Package iap provides HTTP middleware for Google Cloud's Identity-Aware Proxy. |
| | Package jwkkeys verifies JWTs using keys published at known URLs. |
| | Checks how Google rotates its public keys |
| | Package serviceaccount authenticates requests using Google Cloud service accounts, on both the client and server side. |
| | Package signintest provides shared test code for testing signing in with Google accounts. |