auth

package
v0.0.0-...-8883d6f
Published: Mar 22, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package auth provides HTTP middleware for token-based authentication.

Package auth implements SSH key-based authentication and stateless token signing/verification for ussycode.

Tokens use the format base64url(JSON_payload).base64url(ssh_wire_signature). They are signed with SSH private keys and verified with SSH public keys.

Constants

const (
	// ContextKeyPayload is the context key for the authenticated token payload.
	ContextKeyPayload contextKey = "auth.payload"
)

Variables

This section is empty.

Functions

func FingerprintKey

func FingerprintKey(key ssh.PublicKey) string

FingerprintKey returns the SHA256 fingerprint of an SSH public key.

func GenerateHandle

func GenerateHandle() (string, error)

GenerateHandle creates a random short handle for token storage. Returns a 22-character base64url string (16 bytes of entropy).

func Middleware

func Middleware(resolve KeyResolver) func(http.Handler) http.Handler

Middleware returns HTTP middleware that validates Bearer tokens. It extracts the token from the Authorization header, verifies it, and stores the payload in the request context.

func ParsePublicKey

func ParsePublicKey(authorizedKey string) (ssh.PublicKey, string, error)

ParsePublicKey parses an SSH public key from authorized_keys format.

func SignToken

func SignToken(signer ssh.Signer, subject string, ttl time.Duration, perms []string) (string, error)

SignToken creates a signed token string using an SSH private key. The token format is base64url(json_payload).base64url(ssh_signature).

Types

type KeyResolver

type KeyResolver func(ctx context.Context, subject string) ([]ssh.PublicKey, error)

KeyResolver returns the trusted public keys for a given subject (user handle).

type TokenPayload

type TokenPayload struct {
	Subject   string   `json:"sub"`             // user handle
	IssuedAt  int64    `json:"iat"`             // unix timestamp
	ExpiresAt int64    `json:"exp"`             // unix timestamp
	NotBefore int64    `json:"nbf"`             // unix timestamp
	Perms     []string `json:"perms,omitempty"` // permission scopes
	Nonce     string   `json:"nonce"`           // replay prevention
}

TokenPayload holds the claims embedded in a signed token.

func PayloadFromContext

func PayloadFromContext(ctx context.Context) (*TokenPayload, bool)

PayloadFromContext extracts the token payload from the request context.

func VerifyToken

func VerifyToken(token string, trustedKeys []ssh.PublicKey) (*TokenPayload, error)

VerifyToken verifies a signed token against a set of trusted public keys. Returns the payload if valid, or an error if verification fails.
