auth

package
v0.0.0-...-1a28f28 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 22, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package auth provides unified credential management for Deputy.

This package implements secure, host-aware credential resolution to prevent "confused deputy" attacks where credentials are inadvertently sent to the wrong endpoints. It supports multiple authentication backends including:

  • Git hosting services (GitHub, GitLab, Bitbucket, self-hosted)
  • Package registries (npm, Go proxy, PyPI, container registries)
  • REST APIs (GitHub API, GitLab API)
  • LLM providers (Anthropic, OpenAI, etc.)

Credential Resolution

Credentials are resolved through a chain of providers with host matching: 

store := auth.NewStore(
    auth.WithProvider(auth.NewChainProvider(
        auth.NewEnvProvider(),   // GITHUB_TOKEN, ANTHROPIC_API_KEY, etc.
        // Add more providers here...
    )),
)

// Get Git auth for a specific host - safe, won't leak to other hosts
gitAuth, err := store.GitAuth(ctx, "https://github.com/owner/repo")

// Get HTTP bearer token for API calls
token, err := store.HTTPBearerToken(ctx, "api.github.com")

Security Model

The package follows a principle of least privilege:

  • Credentials are scoped to specific hosts or host patterns
  • No credential is sent unless the target host explicitly matches
  • HTTPS is required for credential transmission (configurable)
  • Sensitive values are redacted in logs and error messages

Upstream API Integration

The package provides adapters for common Go authentication interfaces:

## oauth2.TokenSource

For creating authenticated HTTP clients with golang.org/x/oauth2: 

ts, err := store.TokenSource(ctx, "api.github.com")
client := oauth2.NewClient(ctx, ts)
gh := github.NewClient(client)  // Use with go-github

## http.RoundTripper

For automatic credential injection in HTTP requests: 

rt := store.RoundTripper(http.DefaultTransport)
client := &http.Client{Transport: rt}

## go-git transport.AuthMethod

For Git clone/fetch/push operations: 

auth, err := store.GitAuth(ctx, "https://github.com/owner/repo")
repo, err := git.Clone(storage, worktree, &git.CloneOptions{
    URL:  "https://github.com/owner/repo",
    Auth: auth,
})

Supported Credential Types

Environment Variable Conventions

The package recognizes standard environment variables: 

GITHUB_TOKEN          - GitHub Personal Access Token
GH_TOKEN              - GitHub CLI token (alternative)
GITLAB_TOKEN          - GitLab Personal Access Token
BITBUCKET_TOKEN       - Bitbucket App Password
ANTHROPIC_API_KEY     - Anthropic Claude API key
OPENAI_API_KEY        - OpenAI API key
NPM_TOKEN             - npm registry auth token

For self-hosted instances: 

GITHUB_ENTERPRISE_HOST=github.mycompany.com
GITHUB_ENTERPRISE_TOKEN=ghp_xxx
Example (GitOperations)

Example_gitOperations demonstrates using auth for git clone operations. 

package main

import (
	"context"
	"fmt"

	"github.com/picatz/deputy/internal/auth"
)

func main() {
	ctx := context.Background()
	store := auth.DefaultStore()

	// Get git auth for a GitHub repository
	gitAuth, err := store.GitAuth(ctx, "https://github.com/owner/private-repo")
	if err != nil {
		fmt.Println("Failed to get git auth:", err)
		return
	}

	if gitAuth == nil {
		fmt.Println("No credentials available - will use anonymous access")
		return
	}

	fmt.Println("Git auth ready:", gitAuth.String())
}
Example (HttpRoundTripper)

Example_httpRoundTripper demonstrates using the auth package with custom HTTP clients. 

package main

import (
	"fmt"
	"net/http"

	"github.com/picatz/deputy/internal/auth"
)

func main() {
	store := auth.DefaultStore()

	// Create an HTTP client with automatic auth
	client := store.HTTPClient(nil)

	// All requests will have auth headers added automatically
	// (only for hosts that have credentials)
	req, _ := http.NewRequest("GET", "https://api.github.com/user", nil)
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("Request failed:", err)
		return
	}
	defer resp.Body.Close()

	fmt.Println("Request completed with status:", resp.Status)
}
Example (LlmAPIKey)

Example_llmAPIKey demonstrates retrieving API keys for LLM providers. 

package main

import (
	"context"
	"fmt"

	"github.com/picatz/deputy/internal/auth"
)

func main() {
	ctx := context.Background()
	store := auth.DefaultStore()

	// Get API key for Anthropic
	key, err := store.LLMAPIKey(ctx, "api.anthropic.com")
	if err != nil {
		fmt.Println("Error:", err)
		return
	}

	if key == "" {
		fmt.Println("No API key configured for Anthropic")
		return
	}

	fmt.Println("Anthropic API key retrieved successfully")
}
Example (MultipleProviders)

Example_multipleProviders demonstrates chaining multiple credential providers. 

package main

import (
	"context"
	"fmt"

	"github.com/picatz/deputy/internal/auth"
)

func main() {
	// Create a chain of providers with fallback behavior
	chain := auth.NewChainProvider(
		// Add custom providers here...
		auth.NewEnvProvider(), // Falls back to environment variables
	)

	store := auth.NewStore(auth.WithProvider(chain))

	ctx := context.Background()
	token, err := store.HTTPBearerToken(ctx, "api.github.com")
	if err != nil {
		fmt.Println("Error:", err)
		return
	}

	if token != "" {
		fmt.Println("Token retrieved from chain")
	} else {
		fmt.Println("No token available")
	}
}
Example (Oauth2Client)

Example_oauth2Client demonstrates using the auth package with oauth2 to create authenticated GitHub API clients. 

package main

import (
	"context"
	"fmt"

	"github.com/google/go-github/v63/github"
	"github.com/picatz/deputy/internal/auth"
	"golang.org/x/oauth2"
)

func main() {
	ctx := context.Background()
	store := auth.DefaultStore()

	// Get a token source for GitHub API
	ts, err := store.TokenSource(ctx, "api.github.com")
	if err != nil || ts == nil {
		fmt.Println("No GitHub credentials available (set GITHUB_TOKEN)")
		return
	}

	// Create an oauth2 HTTP client
	client := oauth2.NewClient(ctx, ts)

	// Use with go-github
	gh := github.NewClient(client)
	_ = gh // Use gh for GitHub API calls

	fmt.Println("GitHub client created with auth")
}

Index

Examples

Constants

View Source 
const InsecureAllowAnyHost = "*"

InsecureAllowAnyHost is a sentinel that disables host scoping. Using this expands a credential to all hosts and should be avoided in production.

Variables

View Source 
var (
	// ErrNoCredential is returned when no credential is available for a host.
	ErrNoCredential = errors.New("no credential available")

	// ErrCredentialExpired is returned when a credential has expired and cannot be refreshed.
	ErrCredentialExpired = errors.New("credential expired")

	// ErrHostMismatch is returned when a credential is not valid for the requested host.
	ErrHostMismatch = errors.New("credential not valid for host")

	// ErrUnsupportedCredentialType is returned when a credential type cannot be used
	// for the requested operation (e.g., SSH credential for HTTP bearer auth).
	ErrUnsupportedCredentialType = errors.New("unsupported credential type")
)

Sentinel errors for common authentication failure cases.

Functions

func GitAuthForURL 

func GitAuthForURL(ctx context.Context, rawURL string) (transport.AuthMethod, error)

GitAuthForURL is a convenience function that creates a default store and returns a go-git transport.AuthMethod for the given URL. It uses environment variables to find credentials.

This is a shorthand for: 

store := auth.DefaultStore()
gitAuth, err := store.GitAuth(ctx, rawURL)

If no credentials are found or an error occurs, it returns nil, nil (safe to pass directly to go-git). This makes it ideal for best-effort auth where public repos should still work without credentials.

func GitHubHosts 

func GitHubHosts() []string

GitHubHosts returns the list of hosts that GitHub tokens are valid for. This is useful for creating credentials that should only be sent to GitHub.

func InsecureAllowAnyHosts 

func InsecureAllowAnyHosts() []string

InsecureAllowAnyHosts returns the sentinel slice that opts a credential into insecure wildcard host allowance. Prefer host-specific lists whenever possible.

Types

type BasicAuthProvider 

type BasicAuthProvider interface {
	// BasicAuth returns the username and password for HTTP Basic Auth.
	BasicAuth() (username, password string)
}

BasicAuthProvider is implemented by credentials that can provide username/password for HTTP Basic Authentication.

type BasicCredential 

type BasicCredential struct {
	// Username is the authentication username.
	Username string

	// Password is the authentication password or token.
	Password string

	// Expiry optionally indicates when the credential expires. If nil, treated as non-expiring.
	Expiry *time.Time

	// AllowedHosts restricts which hosts can receive this credential.
	// If empty, the credential is not used; use InsecureAllowAnyHosts to opt into
	// insecure wildcard matching.
	AllowedHosts []string

	// Source indicates where the credential came from.
	Source string
}

BasicCredential holds username/password authentication.

func (*BasicCredential) BasicAuth 

func (c *BasicCredential) BasicAuth() (username, password string)

BasicAuth implements BasicAuthProvider.

func (*BasicCredential) BearerToken 

func (c *BasicCredential) BearerToken() string

BearerToken implements BearerTokenProvider. Some APIs accept password as bearer token.

func (*BasicCredential) CredentialSource 

func (c *BasicCredential) CredentialSource() string

CredentialSource implements Sourced.

func (*BasicCredential) ExpiresAt 

func (c *BasicCredential) ExpiresAt() *time.Time

ExpiresAt implements Expirable.

func (*BasicCredential) Hosts 

func (c *BasicCredential) Hosts() []string

Hosts implements Credential.

func (*BasicCredential) Redacted 

func (c *BasicCredential) Redacted() string

Redacted implements Credential.

func (*BasicCredential) String 

func (c *BasicCredential) String() string

String implements fmt.Stringer using the redacted representation.

func (*BasicCredential) Type 

func (c *BasicCredential) Type() CredentialType

Type implements Credential.

func (*BasicCredential) ValidForHost 

func (c *BasicCredential) ValidForHost(host string) bool

ValidForHost implements Credential.

type BearerTokenProvider 

type BearerTokenProvider interface {
	// BearerToken returns the token string for use in "Authorization: Bearer <token>".
	BearerToken() string
}

BearerTokenProvider is implemented by credentials that can provide a bearer token for HTTP Authorization headers.

type ChainProvider 

type ChainProvider struct {
	// contains filtered or unexported fields
}

ChainProvider chains multiple providers, returning the first successful match. Hard errors (non-ErrNoCredential) are propagated immediately; providers returning nil or ErrNoCredential are skipped.

func NewChainProvider 

func NewChainProvider(providers ...Provider) *ChainProvider

NewChainProvider creates a provider that tries each provider in order.

func (*ChainProvider) Add 

func (c *ChainProvider) Add(providers ...Provider)

Add appends providers to the chain.

func (*ChainProvider) Len 

func (c *ChainProvider) Len() int

Len returns the number of providers in the chain.

func (*ChainProvider) Lookup 

func (c *ChainProvider) Lookup(ctx context.Context, scope Scope) (Credential, error)

Lookup implements Provider. It tries each provider in order, returning the first successful match. Hard errors are propagated; ErrNoCredential is treated as "continue to next provider".

func (*ChainProvider) Name 

func (c *ChainProvider) Name() string

Name implements Provider.

func (*ChainProvider) Providers 

func (c *ChainProvider) Providers() []Provider

Providers returns a copy of the provider list for introspection.

type Credential 

type Credential interface {
	// Type returns the credential type identifier.
	Type() CredentialType

	// Hosts returns the list of hosts this credential is valid for.
	// An empty slice means the credential cannot be used; use InsecureAllowAnyHosts
	// to explicitly opt into insecure wildcard host allowance.
	Hosts() []string

	// ValidForHost reports whether this credential can be used for the given host.
	ValidForHost(host string) bool

	// Redacted returns a safe-to-log representation of the credential.
	Redacted() string
}

Credential represents an authentication credential. It is designed to be type-safe and prevent accidental credential leakage.

type CredentialType 

type CredentialType string

CredentialType identifies the kind of credential. 

const (
	// TypeToken represents bearer/API token credentials.
	TypeToken CredentialType = "token"

	// TypeBasic represents username/password credentials.
	TypeBasic CredentialType = "basic"

	// TypeSSH represents SSH key credentials.
	TypeSSH CredentialType = "ssh"

	// TypeDocker represents Docker/OCI registry credentials.
	TypeDocker CredentialType = "docker"
)

func (CredentialType) String 

func (t CredentialType) String() string

String implements fmt.Stringer.

type DockerCredential 

type DockerCredential struct {
	// Username is the registry username.
	Username string

	// Password is the registry password or token.
	Password string

	// IdentityToken is an alternative to password (for OAuth).
	IdentityToken string

	// RegistryToken is used by some registries.
	RegistryToken string

	// ServerAddress is the registry server (e.g., "https://index.docker.io/v1/").
	ServerAddress string

	// Source indicates where the credential came from.
	Source string
}

DockerCredential holds container registry authentication.

func (*DockerCredential) BasicAuth 

func (c *DockerCredential) BasicAuth() (username, password string)

BasicAuth implements BasicAuthProvider.

func (*DockerCredential) CredentialSource 

func (c *DockerCredential) CredentialSource() string

CredentialSource implements Sourced.

func (*DockerCredential) Hosts 

func (c *DockerCredential) Hosts() []string

Hosts implements Credential.

func (*DockerCredential) Redacted 

func (c *DockerCredential) Redacted() string

Redacted implements Credential.

func (*DockerCredential) String 

func (c *DockerCredential) String() string

String implements fmt.Stringer using the redacted representation.

func (*DockerCredential) Type 

func (c *DockerCredential) Type() CredentialType

Type implements Credential.

func (*DockerCredential) ValidForHost 

func (c *DockerCredential) ValidForHost(host string) bool

ValidForHost implements Credential.

type EnvProvider 

type EnvProvider struct {
	// Prefix is prepended to environment variable names.
	// Defaults to no prefix.
	Prefix string
	// contains filtered or unexported fields
}

EnvProvider reads credentials from environment variables. It follows common conventions for credential environment variables.

func NewEnvProvider 

func NewEnvProvider() *EnvProvider

NewEnvProvider creates a provider that reads from environment variables.

func NewEnvProviderWithPrefix 

func NewEnvProviderWithPrefix(prefix string) *EnvProvider

NewEnvProviderWithPrefix creates a provider with a custom prefix.

func (*EnvProvider) Lookup 

func (e *EnvProvider) Lookup(ctx context.Context, scope Scope) (Credential, error)

Lookup implements Provider. It checks environment variables based on the requested host and hint type.

func (*EnvProvider) Name 

func (e *EnvProvider) Name() string

Name implements Provider.

type Expirable 

type Expirable interface {
	// ExpiresAt returns the expiry timestamp, or nil if the credential does not expire.
	ExpiresAt() *time.Time
}

Expirable is implemented by credentials that have an expiry time.

type GitAuthMethod 

type GitAuthMethod struct {
	// contains filtered or unexported fields
}

GitAuthMethod implements transport.AuthMethod backed by a credential. This is what Store.GitAuth returns internally, but exposed for direct use.

func (*GitAuthMethod) Name 

func (g *GitAuthMethod) Name() string

Name implements transport.AuthMethod.

func (*GitAuthMethod) String 

func (g *GitAuthMethod) String() string

String implements transport.AuthMethod (via fmt.Stringer).

func (*GitAuthMethod) ToTransportAuth 

func (g *GitAuthMethod) ToTransportAuth() (transport.AuthMethod, error)

ToTransportAuth converts to go-git's native auth types. This is called internally when the auth is actually used.

type NullProvider 

type NullProvider struct{}

NullProvider never returns credentials. It is used as a default/sentinel.

func (NullProvider) Lookup 

func (NullProvider) Lookup(ctx context.Context, scope Scope) (Credential, error)

Lookup implements Provider. It always returns nil, nil.

func (NullProvider) Name 

func (NullProvider) Name() string

Name implements Provider.

type Provider 

type Provider interface {
	// Name returns a human-readable name for this provider.
	Name() string

	// Lookup attempts to find a credential for the given scope.
	// Returns nil, nil if no credential is available (not an error).
	// Returns nil, error if there was a problem looking up credentials.
	Lookup(ctx context.Context, scope Scope) (Credential, error)
}

Provider is a source of credentials. Implementations should be safe for concurrent use.

type RefreshableCredential 

type RefreshableCredential interface {
	Refresh(ctx context.Context) (Credential, error)
}

RefreshableCredential can produce a fresh credential (e.g., token refresh). Implementations should preserve host scoping and avoid leaking secrets.

type SSHCredential 

type SSHCredential struct {
	// User is the SSH username (typically "git").
	User string

	// Expiry optionally indicates when the credential expires.
	Expiry *time.Time

	// PrivateKey is the PEM-encoded private key.
	PrivateKey []byte

	// PrivateKeyPath is the path to the private key file (alternative to PrivateKey).
	PrivateKeyPath string

	// Passphrase is the optional key passphrase.
	Passphrase string

	// AllowedHosts restricts which hosts can use this key.
	// If empty, the credential is not used; use InsecureAllowAnyHosts to opt into
	// insecure wildcard matching.
	AllowedHosts []string

	// Source indicates where the credential came from.
	Source string
}

SSHCredential holds SSH key-based authentication.

func (*SSHCredential) CredentialSource 

func (c *SSHCredential) CredentialSource() string

CredentialSource implements Sourced.

func (*SSHCredential) ExpiresAt 

func (c *SSHCredential) ExpiresAt() *time.Time

ExpiresAt implements Expirable.

func (*SSHCredential) Hosts 

func (c *SSHCredential) Hosts() []string

Hosts implements Credential.

func (*SSHCredential) Redacted 

func (c *SSHCredential) Redacted() string

Redacted implements Credential.

func (*SSHCredential) String 

func (c *SSHCredential) String() string

String implements fmt.Stringer using the redacted representation.

func (*SSHCredential) Type 

func (c *SSHCredential) Type() CredentialType

Type implements Credential.

func (*SSHCredential) ValidForHost 

func (c *SSHCredential) ValidForHost(host string) bool

ValidForHost implements Credential.

type Scope 

type Scope struct {
	// Host is the target hostname (required).
	Host string

	// Hint provides additional context for credential lookup.
	// For example, "git" for Git operations, "llm" for LLM providers,
	// "container" for container registries, etc.
	Hint string
}

Scope describes what kind of credential is needed and for what purpose.

func NewScope 

func NewScope(host string) Scope

NewScope creates a new Scope for the given host. This is the preferred constructor for building scopes.

Example: 

scope := auth.NewScope("github.com")
scope := auth.NewScope("api.anthropic.com").WithHint("llm")

func (Scope) IsZero 

func (s Scope) IsZero() bool

IsZero reports whether the scope is empty/unset.

func (Scope) String 

func (s Scope) String() string

String implements fmt.Stringer for debugging and logging.

func (Scope) Validate 

func (s Scope) Validate() error

Validate checks if the scope has the minimum required fields.

func (Scope) WithHint 

func (s Scope) WithHint(hint string) Scope

WithHint returns a copy of the scope with the given hint.

type Sourced 

type Sourced interface {
	// CredentialSource returns a description of where the credential came from.
	CredentialSource() string
}

Sourced is implemented by credentials that track their origin. This is useful for debugging and audit logging.

type StaticProvider 

type StaticProvider struct {
	// contains filtered or unexported fields
}

StaticProvider returns a fixed credential for matching hosts.

func NewStaticProvider 

func NewStaticProvider(cred Credential) *StaticProvider

NewStaticProvider creates a provider that always returns the same credential.

func (*StaticProvider) Lookup 

func (s *StaticProvider) Lookup(ctx context.Context, scope Scope) (Credential, error)

Lookup implements Provider. It returns the static credential if it is valid for the requested host.

func (*StaticProvider) Name 

func (s *StaticProvider) Name() string

Name implements Provider.

type Store 

type Store struct {
	// contains filtered or unexported fields
}

Store is the central credential store for Deputy. It provides a unified interface for credential lookup with host-aware security to prevent credential leakage.

func DefaultStore 

func DefaultStore() *Store

DefaultStore creates a Store with sensible defaults: - Environment variables (standard conventions) - Docker config for container registries (if available)

func NewStore 

func NewStore(opts ...StoreOption) *Store

NewStore creates a credential store with the given options.

func (*Store) ConfigureHTTPRequest 

func (s *Store) ConfigureHTTPRequest(ctx context.Context, req *http.Request) error

ConfigureHTTPRequest adds authentication to an HTTP request. The host is extracted from the request URL and credentials are applied only if valid for that specific host.

func (*Store) ContainerAuth 

func (s *Store) ContainerAuth(ctx context.Context, registry string) (*DockerCredential, error)

ContainerAuth returns credentials for a container registry.

func (*Store) GitAuth 

func (s *Store) GitAuth(ctx context.Context, rawURL string) (transport.AuthMethod, error)

GitAuth returns a go-git transport.AuthMethod for the given URL. This is the primary method for Git operations (clone, fetch, push).

The URL is parsed to extract the host and determine the appropriate authentication method. Returns nil if no credentials are available.

func (*Store) HTTPBasicAuth 

func (s *Store) HTTPBasicAuth(ctx context.Context, host string) (username, password string, err error)

HTTPBasicAuth returns username/password for HTTP Basic Authentication.

func (*Store) HTTPBearerToken 

func (s *Store) HTTPBearerToken(ctx context.Context, host string) (string, error)

HTTPBearerToken returns a bearer token for HTTP Authorization headers. Returns empty string if no token is available for the host.

func (*Store) HTTPClient 

func (s *Store) HTTPClient(base http.RoundTripper) *http.Client

HTTPClient returns an *http.Client with authentication configured. The client will automatically add credentials based on request host.

func (*Store) LLMAPIKey 

func (s *Store) LLMAPIKey(ctx context.Context, host string) (string, error)

LLMAPIKey returns an API key for an LLM provider.

func (*Store) Logger 

func (s *Store) Logger() *slog.Logger

Logger returns the store's configured logger.

func (*Store) Lookup 

func (s *Store) Lookup(ctx context.Context, scope Scope) (Credential, error)

Lookup retrieves a credential for the given scope. Returns nil, nil if no credential is found.

func (*Store) RoundTripper 

func (s *Store) RoundTripper(base http.RoundTripper) http.RoundTripper

RoundTripper returns an http.RoundTripper that adds authentication headers to requests. It wraps the given base transport (or http.DefaultTransport if nil) and adds credentials based on the request host.

This is more flexible than oauth2.Transport because it:

  • Supports per-host credential resolution
  • Works with any credential type (token, basic auth, etc.)
  • Enforces host matching to prevent credential leakage

Example: 

rt := store.RoundTripper(http.DefaultTransport)
client := &http.Client{Transport: rt}

func (*Store) TokenSource 

func (s *Store) TokenSource(ctx context.Context, host string) (oauth2.TokenSource, error)

TokenSource returns an oauth2.TokenSource for the given host. This is useful for creating authenticated HTTP clients using oauth2.NewClient. 

client := oauth2.NewClient(ctx, ts)
// Use client for GitHub API calls

type StoreOption 

type StoreOption func(*Store)

StoreOption configures a Store.

func WithLogger 

func WithLogger(logger *slog.Logger) StoreOption

WithLogger sets a structured logger for observability. If not set, a no-op logger is used.

func WithProvider 

func WithProvider(p Provider) StoreOption

WithProvider sets the credential provider chain.

func WithStrictAuthErrors 

func WithStrictAuthErrors() StoreOption

WithStrictAuthErrors causes HTTP auth application failures to be returned to the caller (e.g., RoundTripper.RoundTrip). By default, errors are logged at debug level and the request continues without credentials.

func WithoutHTTPSRequirement 

func WithoutHTTPSRequirement() StoreOption

WithoutHTTPSRequirement disables the HTTPS requirement for credentials. Use with caution - only for testing or known-safe local networks.

type TokenCredential 

type TokenCredential struct {
	// Token is the secret token value.
	Token string

	// Expiry optionally indicates when the token expires. If nil, the token is treated as non-expiring.
	Expiry *time.Time

	// AllowedHosts restricts which hosts can receive this token.
	// If empty, the credential is not used; use InsecureAllowAnyHosts to opt into
	// insecure wildcard matching.
	AllowedHosts []string

	// Source indicates where the credential came from (for debugging).
	Source string
}

TokenCredential holds a bearer or API token.

func NewInsecureTokenForAnyHost 

func NewInsecureTokenForAnyHost(token, source string) *TokenCredential

NewInsecureTokenForAnyHost creates a TokenCredential that matches any host. This is dangerous and should only be used in controlled environments like local development or testing. The name is intentionally verbose to make the security implications clear.

WARNING: Credentials created with this function will be sent to ANY host. Use host-specific credentials in production.

func (*TokenCredential) BasicAuth 

func (c *TokenCredential) BasicAuth() (username, password string)

BasicAuth implements BasicAuthProvider. Many services accept token as password.

func (*TokenCredential) BearerToken 

func (c *TokenCredential) BearerToken() string

BearerToken implements BearerTokenProvider.

func (*TokenCredential) CredentialSource 

func (c *TokenCredential) CredentialSource() string

CredentialSource implements Sourced.

func (*TokenCredential) ExpiresAt 

func (c *TokenCredential) ExpiresAt() *time.Time

ExpiresAt implements Expirable.

func (*TokenCredential) Hosts 

func (c *TokenCredential) Hosts() []string

Hosts implements Credential.

func (*TokenCredential) Redacted 

func (c *TokenCredential) Redacted() string

Redacted implements Credential.

func (*TokenCredential) String 

func (c *TokenCredential) String() string

String implements fmt.Stringer using the redacted representation.

func (*TokenCredential) Type 

func (c *TokenCredential) Type() CredentialType

Type implements Credential.

func (*TokenCredential) ValidForHost 

func (c *TokenCredential) ValidForHost(host string) bool

ValidForHost implements Credential.

Source Files

View all Source files

Directories

Path Synopsis
Package jwt provides reusable JWT authentication middleware for HTTP services.
 Package jwt provides reusable JWT authentication middleware for HTTP services.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.