security


Constants

const (
	// KeyAlgorithm is the JWS algorithm used to sign tokens: RSASSA-PKCS1-v1_5
	// with SHA-256 ("RS256"), presumably also the alg advertised for keys in
	// the JWKS.
	KeyAlgorithm = "RS256"
	// KeyUsage is the JWK "use" value for keys in the ring: signature only,
	// never encryption.
	KeyUsage = "sig"
	// RSAKeySize is the modulus size in bits of generated RSA key pairs.
	// 2048 is the accepted minimum today; raise it rather than lower it.
	RSAKeySize = 2048
)

Variables

This section is empty.

Functions

func GenerateToken

func GenerateToken(claims *StandardClaims, privateKey *rsa.PrivateKey, keyID string) (string, error)

GenerateToken serializes claims into a JWT and signs it with privateKey using RS256 (KeyAlgorithm). keyID identifies the signing key to verifiers (presumably via the kid header) and must be the ID under which that key is published by GetJWKS, otherwise recipients cannot select the matching public key.

func HashPassword

func HashPassword(password string) (string, error)

HashPassword derives an Argon2id hash of password using the parameters in Config and returns it as an encoded string. Since VerifyPassword receives only the password and this string, the encoding must carry the salt and parameters that were used; store the returned value verbatim.

func NewTokenPair

func NewTokenPair(
	userID string,
	config TokenConfig,
) (*identra_v1_pb.TokenPair, error)

NewTokenPair issues an access token and a refresh token for userID, both signed with config.PrivateKey using RS256 and tagged with config.KeyID so they can be verified against the published JWKS. The two tokens carry different TokenType claims (access vs refresh) and expire after config.AccessTokenExpiration and config.RefreshTokenExpiration respectively.

func RefreshTokenPair

func RefreshTokenPair(
	refreshTokenString string,
	config TokenConfig,
) (*identra_v1_pb.TokenPair, error)

RefreshTokenPair verifies refreshTokenString against config.PublicKey (it must be a still-valid token of type refresh) and issues a fresh access/refresh pair for the same user. The package keeps no token state, so the presented refresh token remains usable until it expires; callers who need single-use refresh tokens must record the consumed TokenID (jti) and reject replays themselves.

func VerifyPassword

func VerifyPassword(password, hash string) (bool, error)

VerifyPassword reports whether password matches hash, an encoded string produced by HashPassword. A false result with a nil error means the password is wrong; a non-nil error means hash could not be processed (e.g. it is not a valid encoded Argon2id string) and must not be treated as a successful match.

Types

type Config

type Config struct {
	// contains filtered or unexported fields
}

Config controls the Argon2id parameters (such as memory, iterations and parallelism) used by HashPassword. Its fields are unexported, so it is tuned through whatever constructor the package provides rather than by literal construction.

type KeyEntry added in v0.1.2

type KeyEntry struct {
	// contains filtered or unexported fields
}

KeyEntry is the KeyManager's internal record for one RSA key pair together with its lifecycle KeyState. Its fields are unexported, so callers never construct it directly; use ListKeys/KeyInfo to inspect the ring.

type KeyInfo added in v0.1.2

type KeyInfo struct {
	// KeyID is the identifier under which the key is published in the JWKS.
	KeyID string
	// State is the key's lifecycle state: ACTIVE, PASSIVE or RETIRED.
	State KeyState
}

KeyInfo describes one key in the key ring by ID and lifecycle state only; it carries no key material and is safe to expose in diagnostics.

type KeyManager

type KeyManager struct {
	// contains filtered or unexported fields
}

KeyManager manages RSA key pairs for JWT signing and verification with support for key rotation. It maintains a key ring where:
- exactly one key is ACTIVE and signs new tokens;
- zero or more keys are PASSIVE, published in the JWKS for verification only;
- RETIRED keys are removed from the ring and can no longer verify anything.
Zero-downtime rotation is AddKeyPassive → (wait for JWKS caches to refresh) → PromoteKey → (wait for the old key's tokens to expire) → RetireKey.

func GetKeyManager

func GetKeyManager() *KeyManager

GetKeyManager returns the process-wide KeyManager singleton. All callers share the same key ring, so a rotation performed through one reference is visible to every other.

func (*KeyManager) AddKeyPassive added in v0.1.2

func (km *KeyManager) AddKeyPassive() (string, error)

AddKeyPassive generates a new key pair, adds it to the key ring in PASSIVE state and returns (presumably) its key ID. Because the key appears in GetJWKS before it signs anything, verifiers that cache the JWKS can pick it up first; call PromoteKey only after that cache interval has elapsed.

func (*KeyManager) DemoteKey added in v0.1.2

func (km *KeyManager) DemoteKey(keyID string) error

DemoteKey moves an ACTIVE key to PASSIVE, keeping it in the JWKS for verification while stopping it from signing. Note that this leaves the ring without an ACTIVE key until PromoteKey or GenerateKeyPair is called, so token issuance presumably fails in between; for rotation prefer PromoteKey, which swaps keys in one step.

func (*KeyManager) ExportPrivateKeyPEM

func (km *KeyManager) ExportPrivateKeyPEM() (string, error)

ExportPrivateKeyPEM exports the private key (presumably the ACTIVE one) in PEM format. The result is live signing-key material and, unless the implementation encrypts it, is not passphrase-protected: write it only to a secret store or a file with restricted permissions, and never log it.

func (*KeyManager) ExportPublicKeyPEM

func (km *KeyManager) ExportPublicKeyPEM() (string, error)

ExportPublicKeyPEM exports the public key (presumably the ACTIVE one) in PEM format; it contains no secret and may be published.

func (*KeyManager) GenerateKeyPair

func (km *KeyManager) GenerateKeyPair() error

GenerateKeyPair generates a new RSA key pair (RSAKeySize bits) and installs it as the ACTIVE signing key, demoting any existing ACTIVE key to PASSIVE. The new key signs tokens immediately, so verifiers holding a cached JWKS reject them until they refresh; for zero-downtime rotation use AddKeyPassive followed by PromoteKey instead.

func (*KeyManager) GetJWKS

func (km *KeyManager) GetJWKS() *identra_v1_pb.GetJWKSResponse

GetJWKS returns the JSON Web Key Set containing all ACTIVE and PASSIVE public keys. Publishing both old and new keys during a transition lets verifiers accept tokens signed by either. RETIRED keys are not included, so tokens signed by a retired key can no longer be verified. Keys are sorted by KeyID to ensure deterministic output and stable ETags.

func (*KeyManager) GetKeyID

func (km *KeyManager) GetKeyID() string

GetKeyID returns the key ID of the current signing key (presumably the ACTIVE one); this is the value to place in TokenConfig.KeyID so issued tokens reference a published JWKS entry.

func (*KeyManager) GetPrivateKey

func (km *KeyManager) GetPrivateKey() *rsa.PrivateKey

GetPrivateKey returns the RSA private key used for signing (presumably the ACTIVE key). The pointer is live key material: do not log or serialize it, and do not retain it across a rotation, or you will keep signing with a demoted key.

func (*KeyManager) GetPublicKey

func (km *KeyManager) GetPublicKey() *rsa.PublicKey

GetPublicKey returns the RSA public key for verification (presumably the ACTIVE key's). It covers a single key only: tokens signed by a PASSIVE (previous) key must be verified with that key's public key, selected by key ID from GetJWKS.

func (*KeyManager) InitializeFromPEM

func (km *KeyManager) InitializeFromPEM(privateKeyPEM string) error

InitializeFromPEM loads a PEM-encoded RSA private key and adds it to the key ring in ACTIVE state, demoting any existing ACTIVE key to PASSIVE. Use it at startup to restore the signing key from a secret store so tokens issued before a restart remain verifiable; the input is secret key material and should come from a secrets manager or a restricted-permission file, never from command-line arguments or logs.

func (*KeyManager) IsInitialized

func (km *KeyManager) IsInitialized() bool

IsInitialized reports whether the key manager holds a signing key (presumably at least one ACTIVE key), i.e. whether it is ready to issue tokens.

func (*KeyManager) ListKeys added in v0.1.2

func (km *KeyManager) ListKeys() []KeyInfo

ListKeys returns the key ID and lifecycle state of every key in the ring. It exposes no key material, so it is safe to surface in admin or diagnostic endpoints.

func (*KeyManager) PromoteKey added in v0.1.2

func (km *KeyManager) PromoteKey(keyID string) error

PromoteKey makes the PASSIVE key identified by keyID the ACTIVE signing key and demotes the current ACTIVE key to PASSIVE, so both stay published in the JWKS. This is the core rotation step: call it only once JWKS consumers have had time to fetch the new key (see AddKeyPassive), and keep the demoted key PASSIVE until every token it signed has expired.

func (*KeyManager) RetireKey added in v0.1.2

func (km *KeyManager) RetireKey(keyID string) error

RetireKey removes a PASSIVE key from the key ring and therefore from the JWKS; ACTIVE keys must be demoted first (DemoteKey or PromoteKey). Once retired, tokens signed by that key can no longer be verified, so retire a key only after the longest token lifetime (RefreshTokenExpiration) has elapsed since its demotion.

type KeyState added in v0.1.2

// KeyState is the lifecycle state of a signing key in the KeyManager ring:
// ACTIVE (signs new tokens), PASSIVE (verify-only, still in the JWKS) or
// RETIRED (removed from the ring).
type KeyState string

KeyState represents the lifecycle state of a signing key in the KeyManager ring.

const (
	// KeyStateActive marks the single key that signs newly issued tokens.
	KeyStateActive KeyState = "ACTIVE"
	// KeyStatePassive marks a key that stays in the JWKS so tokens it signed
	// still verify, but that signs nothing new.
	KeyStatePassive KeyState = "PASSIVE"
	// KeyStateRetired marks a key that is no longer published and is to be
	// removed from the ring; tokens it signed stop verifying.
	KeyStateRetired KeyState = "RETIRED"
)

type StandardClaims

type StandardClaims struct {
	// RegisteredClaims supplies the RFC 7519 registered claims
	// (iss, sub, aud, exp, nbf, iat, jti).
	jwt.RegisteredClaims
	// UserID is the authenticated user's identifier, serialized as "uid".
	// NOTE(review): it overlaps in purpose with the registered "sub" claim;
	// confirm which one downstream verifiers are expected to read.
	UserID    string    `json:"uid"`
	// TokenType distinguishes access from refresh tokens so the
	// type-specific validators can reject a token presented in the wrong
	// role. This is a claim named "typ", not the JOSE "typ" header.
	TokenType TokenType `json:"typ"`
	// TokenID is the unique token identifier, serialized as "jti".
	// NOTE(review): the embedded RegisteredClaims also declares a
	// "jti"-tagged field (ID); encoding/json resolves the name clash in
	// favour of this shallower field, so RegisteredClaims.ID is presumably
	// left empty after parsing. Read TokenID, not ID, when building
	// revocation or replay checks — confirm against the validators.
	TokenID   string    `json:"jti"`
}

StandardClaims is the claim set carried by tokens issued through the RS256/JWKS path: the RFC 7519 registered claims plus the user ID (uid), the token type (typ) and a unique token ID (jti). ("JWKS-compliant" here refers to the key-set based verification model, not to a claims standard.)

func NewStandardClaims

func NewStandardClaims(
	userID string,
	tokenType TokenType,
	issuer string,
	expiresAt time.Time,
) (*StandardClaims, error)

NewStandardClaims builds the claims for a token of tokenType belonging to userID, with the given issuer and expiry and (presumably) a freshly generated unique token ID; the error return covers failures in that generation.

func ValidateAccessToken

func ValidateAccessToken(tokenString string, publicKey *rsa.PublicKey) (*StandardClaims, error)

ValidateAccessToken verifies tokenString with publicKey and additionally requires the typ claim to be access, so a longer-lived refresh token presented where an access token is expected is rejected. Use this, not ValidateToken, on resource endpoints.

func ValidateRefreshToken

func ValidateRefreshToken(tokenString string, publicKey *rsa.PublicKey) (*StandardClaims, error)

ValidateRefreshToken verifies tokenString with publicKey and additionally requires the typ claim to be refresh, so an access token cannot be used to mint a new token pair.

func ValidateToken

func ValidateToken(tokenString string, publicKey *rsa.PublicKey) (*StandardClaims, error)

ValidateToken verifies the RS256 signature of tokenString with publicKey, presumably checks the registered time claims, and returns the parsed claims. It does not check the TokenType claim, so access and refresh tokens are interchangeable at this level — prefer ValidateAccessToken or ValidateRefreshToken. publicKey must be the key matching the token's key ID; a single key cannot verify tokens signed by other (PASSIVE) keys in the ring.

type TokenConfig

type TokenConfig struct {
	// PrivateKey signs newly issued tokens with RS256. It is live key
	// material: never log or serialize this struct.
	PrivateKey             *rsa.PrivateKey
	// PublicKey is presumably used by RefreshTokenPair to verify the
	// presented refresh token. NOTE(review): it is a single key, so a refresh
	// token signed by a previous (PASSIVE) key needs that key supplied here —
	// confirm how callers select it.
	PublicKey              *rsa.PublicKey
	// KeyID is recorded on issued tokens so verifiers can pick the matching
	// key from the published JWKS; it must equal the ring's ID for PrivateKey.
	KeyID                  string
	// Issuer is the value of the "iss" claim.
	Issuer                 string
	// AccessTokenExpiration is the lifetime of issued access tokens. Keep it
	// short: nothing in this package revokes a token before it expires.
	AccessTokenExpiration  time.Duration
	// RefreshTokenExpiration is the lifetime of issued refresh tokens.
	RefreshTokenExpiration time.Duration
}

TokenConfig holds the key material, key ID, issuer and token lifetimes used by NewTokenPair and RefreshTokenPair. Because it embeds a private key, never log or serialize it.

type TokenType

// TokenType is the value of the "typ" claim that tells access tokens and
// refresh tokens apart so each validator can reject the other kind.
type TokenType string

TokenType represents the kind of JWT issued by the package — access or refresh — as carried in the typ claim.

const (
	// AccessTokenType marks tokens presented to resource endpoints;
	// accepted by ValidateAccessToken only.
	AccessTokenType  TokenType = "access"
	// RefreshTokenType marks tokens exchanged for a new pair via
	// RefreshTokenPair; accepted by ValidateRefreshToken only.
	RefreshTokenType TokenType = "refresh"
)

type UserTokenClaims

// UserTokenClaims is the legacy, map-backed claim set used by the deprecated
// NewUserTokenClaims/ValidateUserToken path, which is keyed by a shared
// secret rather than the RS256 key ring. New code should use StandardClaims.
type UserTokenClaims struct {
	// MapClaims holds the claims as an untyped map; the Get* accessors
	// presumably read the registered claims out of it.
	jwt.MapClaims
}

func NewUserTokenClaims

func NewUserTokenClaims(userID string) UserTokenClaims

NewUserTokenClaims creates a new UserTokenClaims with a default 24-hour expiration. Deprecated: use NewTokenPair instead; it issues RS256-signed tokens verifiable via the JWKS and with separate access/refresh lifetimes.

func NewUserTokenClaimsWithExpiration

func NewUserTokenClaimsWithExpiration(
	userID string,
	expiresAt time.Time,
) UserTokenClaims

NewUserTokenClaimsWithExpiration creates a new UserTokenClaims with a custom expiration time. Deprecated: use NewTokenPair instead; it issues RS256-signed tokens verifiable via the JWKS.

func ValidateUserToken

func ValidateUserToken(tokenString, secret string) (*UserTokenClaims, error)

ValidateUserToken validates a legacy user token using the shared secret. Deprecated: use ValidateAccessToken instead. Do not accept legacy secret-based tokens and RS256 tokens on the same endpoint unless the parser pins the expected algorithm for each path; otherwise a token whose header names a symmetric algorithm could be verified against key material meant for RSA (algorithm confusion).

func (UserTokenClaims) GetAudience

func (c UserTokenClaims) GetAudience() (jwt.ClaimStrings, error)

func (UserTokenClaims) GetExpirationTime

func (c UserTokenClaims) GetExpirationTime() (*jwt.NumericDate, error)

func (UserTokenClaims) GetIssuedAt

func (c UserTokenClaims) GetIssuedAt() (*jwt.NumericDate, error)

func (UserTokenClaims) GetIssuer

func (c UserTokenClaims) GetIssuer() (string, error)

func (UserTokenClaims) GetNotBefore

func (c UserTokenClaims) GetNotBefore() (*jwt.NumericDate, error)

func (UserTokenClaims) GetSubject

func (c UserTokenClaims) GetSubject() (string, error)
