router

package
v0.229.0 Latest
Warning

This package is not in the latest version of its module.
Published: May 27, 2026 License: MIT Imports: 25 Imported by: 0

Documentation

Overview

Package router builds the http.Handler that fronts the mock service.

Constants

This section is empty.

Variables

var ServiceFragment []byte

ServiceFragment is the per-package OpenAPI 3.1 partial doc describing the service-plumbing endpoints mounted directly on the root router (`/healthz`, `/.well-known/jwks.json`, `/openapi.json`, `/openapi.yaml`). The genopenapi bundler reads it from here.

Functions

func MountOpenAPI

func MountOpenAPI(r chi.Router) error

MountOpenAPI registers `GET /openapi.json`, `GET /openapi.yaml`, and the `/docs` API reference page (with its static assets) on r. All endpoints are unauthenticated.

func New

func New(d Deps) (http.Handler, error)

New constructs the http.Handler with the admin0, JWKS, Auth API, and Mgmt API mounts.

Types

type Deps

type Deps struct {
	Log                  zerolog.Logger
	Store                *matches.Store
	Claims               *claims.Store
	Permissions          *permissions.Store
	PKCE                 *pkce.Store
	MFA                  *mfa.Store
	Keys                 *jwks.KeySet
	Spec                 *spec.Spec
	Validator            *spec.Validator
	Issuer               string
	DefaultAudience      string
	SpecValidationStrict bool
	// MaxRequestBodyBytes caps every incoming request body. Zero or negative
	// disables the cap.
	MaxRequestBodyBytes int64
	// LogoutAllowedURLs is the allow-list of absolute returnTo URLs that
	// /v2/logout will redirect to. Relative URLs are always allowed.
	LogoutAllowedURLs []string
	// AuthorizeAllowedRedirectURIs is the allow-list of absolute
	// redirect_uri values that /authorize will 302 to. Same threat model
	// as LogoutAllowedURLs but on the higher-value endpoint (it carries
	// `code` / `access_token` in the URL). Empty = no enforcement.
	AuthorizeAllowedRedirectURIs []string
	// BearerRequireAudience, when non-empty, makes the Mgmt-API bearer
	// middleware reject tokens whose `aud` claim doesn't contain this
	// value. Opt-in to preserve the documented test-friendly default.
	BearerRequireAudience string
	// Debug enables the request/response dump middleware. Off by default;
	// when on, every request and response gets a full method/path/query/
	// headers/body log line at INFO level. Authorization + Cookie headers
	// are redacted, bodies truncated at 8 KiB.
	Debug bool
	// Clock is the controllable time source mounted at /admin0/clock and
	// surfaced via the SDK's Client.Clock. May be nil in tests that don't
	// exercise the admin surface, in which case /admin0/clock handlers
	// will panic if hit.
	Clock *clock.Controlled
	// EventsReplayBuffer is the cap of the SSE replay ring buffer for
	// GET /events. 100 in production via EVENTS_REPLAY_BUFFER; <= 0
	// disables replay (the endpoint still works; resume params become
	// no-ops). Zero value is the test-friendly default.
	EventsReplayBuffer int
}

Deps is the parameter object for New.
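
The allow-list semantics described in the `LogoutAllowedURLs` and `AuthorizeAllowedRedirectURIs` comments can be sketched as follows. This is an added example, not code from package router: the helper names are hypothetical, and exact-string matching plus the rejection of scheme-relative (`//host`) and backslash forms as "relative" are assumptions, since the page does not say how the package matches entries.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isRelative reports whether target is a same-origin path. Scheme-relative
// ("//host") and backslash forms are rejected (assumption) because browsers
// resolve them to another origin.
func isRelative(target string) bool {
	if !strings.HasPrefix(target, "/") || strings.Contains(target, "\\") {
		return false
	}
	u, err := url.Parse(target)
	return err == nil && u.Scheme == "" && u.Host == ""
}

// exactMatch compares the whole string (assumption), so a value that merely
// starts with an allowed entry does not pass.
func exactMatch(target string, allow []string) bool {
	for _, a := range allow {
		if a == target {
			return true
		}
	}
	return false
}

// returnToAllowed (hypothetical name) follows the LogoutAllowedURLs comment:
// relative URLs always pass, absolute ones must be on the allow-list.
func returnToAllowed(returnTo string, allow []string) bool {
	return isRelative(returnTo) || exactMatch(returnTo, allow)
}

// redirectURIAllowed (hypothetical name) follows the
// AuthorizeAllowedRedirectURIs comment: an empty list means no enforcement.
func redirectURIAllowed(uri string, allow []string) bool {
	return len(allow) == 0 || exactMatch(uri, allow)
}

func main() {
	allow := []string{"https://app.example.test/callback"} // constructed sample
	samples := []string{"/home", "//other.example.test/", allow[0], allow[0] + ".x"}
	for _, t := range samples {
		fmt.Printf("%-45q logout=%v authorize=%v\n", t, returnToAllowed(t, allow), redirectURIAllowed(t, allow))
	}
}
```

Because an empty `AuthorizeAllowedRedirectURIs` disables the check entirely, a deployment that wants enforcement has to set at least one entry.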
