Documentation
Overview
Package authapi mounts hand-coded Auth0 Authentication API endpoints onto chi. Unlike the Mgmt API, these endpoints are functional: they mint real RS256 JWTs signed with the key set passed in Deps.Keys, and they serve OIDC discovery / JWKS payloads that validate those tokens, so an SDK under test can complete a login-and-verify round trip against the mock.
Constants
This section is empty.
Variables
var Fragment []byte
Fragment is the per-package OpenAPI 3.1 partial document describing every Auth API endpoint registered in this package's Mount function. The genopenapi bundler merges it with the base Mgmt API spec to produce api/auth0-mock.openapi.json.
Functions
Types
type AuthorizeHandler
type AuthorizeHandler struct {
// PKCE may be nil; when set, /authorize will stash any code_challenge it
// receives so the matching /oauth/token exchange can verify the
// code_verifier.
PKCE *pkce.Store
// AllowedRedirectURIs is the allow-list of absolute redirect_uri values
// that /authorize will 302 to. Mirrors Auth0's per-application
// "Allowed Callback URLs" tenant setting. Same threat model as
// LogoutHandler.AllowedReturnURLs but on the higher-value endpoint:
// /authorize carries `code` / `access_token` in the URL, so an
// unvalidated redirect_uri leaks them to attacker-controlled hosts.
// Relative URIs are always permitted. Empty list = no enforcement
// (test-friendly default).
AllowedRedirectURIs []string
}
AuthorizeHandler handles OIDC authorization requests on /authorize: it checks redirect_uri against AllowedRedirectURIs, stashes any code_challenge in PKCE, and 302-redirects back to redirect_uri with the code or access_token carried in the URL.
func (*AuthorizeHandler) ServeHTTP
func (h *AuthorizeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type DBConnectionsChangePasswordHandler
type DBConnectionsChangePasswordHandler struct{}
DBConnectionsChangePasswordHandler handles password change requests.
func (*DBConnectionsChangePasswordHandler) ServeHTTP
func (h *DBConnectionsChangePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type DBConnectionsSignupHandler
type DBConnectionsSignupHandler struct{}
DBConnectionsSignupHandler handles user signup via database connections.
func (*DBConnectionsSignupHandler) ServeHTTP
func (h *DBConnectionsSignupHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type Deps
type Deps struct {
Router chi.Router
Keys *jwks.KeySet
Issuer string
DefaultAudience string
Log zerolog.Logger
Claims *claims.Store
Permissions *permissions.Store
PKCE *pkce.Store
MFA *mfa.Store
LogoutAllowedURLs []string
AuthorizeAllowedRedirectURIs []string
}
Deps is the parameter object for Mount.
type DiscoveryHandler
type DiscoveryHandler struct {
Issuer string
}
DiscoveryHandler serves the OIDC discovery document.
func (*DiscoveryHandler) ServeHTTP
func (h *DiscoveryHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
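The discovery and JWKS documents are what let a relying party validate the RS256 tokens this package mints. The program below is an added example, not code from this package, showing both halves of that contract with Go's standard library: rendering a JWKS for one RSA key, minting a token the way an issuer does, and verifying it against the JWKS with the algorithm pinned to RS256 and iss, aud and exp checked. demoKey, jwksFor, mintRS256, verifyRS256 and hasAudience are names chosen for the example; demoKey stands in for the key set passed as Deps.Keys, and any kid, issuer and audience values are supplied by the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"slices"
	"strings"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// demoKey is a hypothetical stand-in for the mock's jwks.KeySet: one fresh 2048-bit RSA key.
func demoKey() *rsa.PrivateKey { k, err := rsa.GenerateKey(rand.Reader, 2048); if err != nil { panic(err) }; return k }

// jwksFor renders what a /.well-known/jwks.json endpoint serves for one RSA signing key.
func jwksFor(kid string, pub *rsa.PublicKey) []byte {
	k := map[string]string{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())}
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{k}})
	return out
}

// mintRS256 builds header.payload.signature, signed RSASSA-PKCS1-v1_5 over SHA-256 as RS256 requires.
func mintRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyRS256 validates token against a JWKS document. alg is pinned to RS256 before any
// key lookup, so "alg":"none" and HS256-with-the-public-key forgeries are rejected; iss
// and aud must match and exp must lie after now (caller-supplied so tests are deterministic).
func verifyRS256(token string, jwks []byte, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header rejected: alg must be RS256")
	}
	var doc struct{ Keys []struct{ Kty, Kid, N, E string } } // encoding/json matches the lowercase keys case-insensitively
	if err := json.Unmarshal(jwks, &doc); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range doc.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("no RSA key for kid " + hdr.Kid + " or bad signature")
	}
	var claims map[string]any
	if json.Unmarshal(payload, &claims) != nil || claims["iss"] != issuer || !hasAudience(claims["aud"], audience) {
		return nil, errors.New("payload rejected: bad JSON, iss or aud")
	}
	if exp, _ := claims["exp"].(float64); !now.Before(time.Unix(int64(exp), 0)) { // missing exp -> epoch -> rejected
		return nil, errors.New("exp missing or in the past")
	}
	return claims, nil
}

// hasAudience accepts aud as a string or as an array of strings (RFC 7519 section 4.1.3).
func hasAudience(aud any, want string) bool {
	if list, ok := aud.([]any); ok {
		return slices.Contains(list, any(want))
	}
	return aud == want
}
```

The header is attacker-controlled, so the verifier decides the algorithm and only then selects a key by kid; a verifier that reads alg from the token is the classic JWT weak spot. Signature verification runs before any claim is inspected, and iss, aud and exp are all mandatory, which is the same contract a real Auth0 JWKS consumer must uphold.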
type LogoutHandler
type LogoutHandler struct {
AllowedReturnURLs []string
}
LogoutHandler 302-redirects to the returnTo query parameter (or "/" when missing). When AllowedReturnURLs is empty (the default) every returnTo is permitted — this is a CI/local-testing mock, so the permissive default matches the same opt-in pattern as AuthorizeHandler and means SDK tests calling `/v2/logout?returnTo=https://app/…` work out of the box. When AllowedReturnURLs is set (via LOGOUT_ALLOWED_URLS) the handler enforces the allow-list like real Auth0 does, with the URL-scheme / backslash bypass guards described in isAllowed.
Never expose the mock to untrusted networks — see the README disclaimer.
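AllowedRedirectURIs on AuthorizeHandler and AllowedReturnURLs on LogoutHandler enforce the same policy, so one check serves both. The function below is an added example of how such an allow-list can be enforced; it is not the package's unexported isAllowed, and redirectAllowed, pathOf and the sample URLs in main are this example's own. It implements the rules stated in the two doc comments above (an empty list permits everything, relative URIs pass, absolute URIs must match an entry) together with the scheme-relative and backslash bypasses that the LogoutHandler comment refers to.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// redirectAllowed decides whether raw may be used as a redirect_uri / returnTo
// target under an allow-list of absolute URLs. Hypothetical stand-in for the
// package's isAllowed, written for this page.
//
// Rules:
//   - an empty allow-list permits everything (the mock's opt-in default);
//   - a relative path ("/dashboard") is always permitted, but only a real one:
//     "//evil.com" (scheme-relative) and "///evil.com" both resolve to a foreign
//     host in a browser, so any path starting with "//" is rejected;
//   - any backslash is rejected outright: browsers treat "\" as "/" in http(s)
//     URLs while net/url keeps it as path data, so "/\evil.com" and
//     "https:\\evil.com" look like harmless paths to Go and like hosts to Chrome;
//   - otherwise scheme, host (including port) and path must equal an entry
//     exactly, and userinfo is never accepted ("https://app@evil.com").
func redirectAllowed(raw string, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	if strings.Contains(raw, `\`) {
		return false
	}
	u, err := url.Parse(raw) // also fails on embedded control characters (CR, LF, TAB)
	if err != nil || u.User != nil {
		return false
	}
	if u.Scheme == "" && u.Host == "" {
		return !strings.HasPrefix(u.Path, "//")
	}
	for _, entry := range allowed {
		a, err := url.Parse(entry)
		if err != nil || a.Scheme == "" || a.Host == "" {
			continue // only absolute entries are meaningful in an allow-list
		}
		// url.Parse lowercases the scheme; hosts are compared case-insensitively.
		if u.Scheme == a.Scheme && strings.EqualFold(u.Host, a.Host) && pathOf(u) == pathOf(a) {
			return true
		}
	}
	return false
}

// pathOf treats a missing path as "/" so that "https://app.example.com" and
// "https://app.example.com/" compare equal.
func pathOf(u *url.URL) string {
	if u.Path == "" {
		return "/"
	}
	return u.Path
}

func main() {
	allowed := []string{"https://app.example.com/callback", "http://localhost:3000/cb"}
	// Constructed sample inputs: the first three are legitimate, the rest are
	// the usual open-redirect bypass shapes.
	for _, raw := range []string{
		"https://app.example.com/callback?state=abc",
		"/dashboard",
		"http://localhost:3000/cb",
		"https://app.example.com.evil.com/callback",
		"https://app.example.com@evil.com/callback",
		"//evil.com/callback",
		`/\evil.com`,
		"javascript:alert(1)",
	} {
		fmt.Printf("%-46s allowed=%v\n", raw, redirectAllowed(raw, allowed))
	}
}
```

Two details carry the security weight. Matching is done on the parsed scheme, host and path rather than on a string prefix, which is what defeats https://app.example.com.evil.com and https://app.example.com@evil.com. And because net/url and browsers disagree about backslashes and about "///", those shapes are rejected before any matching rather than normalised.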
func (*LogoutHandler) ServeHTTP
func (h *LogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type PasswordlessStartHandler
type PasswordlessStartHandler struct{}
PasswordlessStartHandler initiates a passwordless authentication flow.
func (*PasswordlessStartHandler) ServeHTTP
func (h *PasswordlessStartHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type PasswordlessVerifyHandler
type PasswordlessVerifyHandler struct {
Keys *jwks.KeySet
DefaultAudience string
Claims *claims.Store
Permissions *permissions.Store
}
PasswordlessVerifyHandler verifies a passwordless OTP and mints a token.
func (*PasswordlessVerifyHandler) ServeHTTP
func (h *PasswordlessVerifyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type RevokeHandler
type RevokeHandler struct{}
RevokeHandler is a no-op mock: the request is ignored (note the blank request parameter) and nothing is revoked, because refresh tokens aren't tracked.
func (*RevokeHandler) ServeHTTP
func (h *RevokeHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request)
type TokenHandler
type TokenHandler struct {
Keys *jwks.KeySet
Issuer string
DefaultAudience string
Log zerolog.Logger
Claims *claims.Store
Permissions *permissions.Store
// PKCE may be nil. When set and the authorization_code grant supplies a
// code that was stashed at /authorize with a code_challenge, the matching
// code_verifier is required and verified.
PKCE *pkce.Store
// MFA may be nil. When set and IsRequired() returns true, the password
// and password-realm grants return 403 mfa_required + mfa_token instead
// of minting; the three Auth0 mfa-* grants then trade the mfa_token plus
// a fixed canned challenge for an access_token.
MFA *mfa.Store
}
TokenHandler handles OAuth 2.0 token requests on /oauth/token: the authorization_code grant (with PKCE verification when the code was stashed with a code_challenge), the password and password-realm grants (gated by MFA when configured), and the three Auth0 mfa-* grants that complete a challenge.
func (*TokenHandler) ServeHTTP
func (h *TokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
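The PKCE behaviour described on AuthorizeHandler.PKCE and TokenHandler.PKCE is an exchange between two endpoints: /authorize stashes the client's code_challenge under the issued code, and /oauth/token later demands the matching code_verifier. The store below is an added example of that contract, not the pkce.Store this package uses; pkceStore, Stash, Check, s256Challenge, newVerifier and the error values are names chosen here. Unlike the doc comment above, which only says a challenge is stashed when one is received, this example records every code (with an empty challenge when the client sent none) so that a replayed or never-issued code can be told apart from a non-PKCE one.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
)

var (
	errUnknownCode     = errors.New("invalid_grant: unknown or already-used authorization code")
	errVerifierMissing = errors.New("invalid_grant: code_verifier required for this code")
	errVerifierInvalid = errors.New("invalid_grant: code_verifier does not match code_challenge")
	errMethod          = errors.New("invalid_request: code_challenge_method must be S256")
)

// pkceStore is a hypothetical stand-in for pkce.Store: it remembers, per
// authorization code, the code_challenge presented at /authorize.
type pkceStore struct {
	mu     sync.Mutex
	byCode map[string]string // code -> S256 challenge; "" means the client did not use PKCE
}

func newPKCEStore() *pkceStore { return &pkceStore{byCode: map[string]string{}} }

// Stash records the challenge for a freshly issued code. Only S256 is accepted:
// with "plain" the challenge is the verifier itself, so anyone who saw the
// /authorize redirect could redeem the code, which is the attack PKCE exists to stop.
func (s *pkceStore) Stash(code, challenge, method string) error {
	if challenge != "" && method != "S256" {
		return errMethod
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byCode[code] = challenge
	return nil
}

// Check is what /oauth/token would call for grant_type=authorization_code. The
// code is consumed on the first call, successful or not, so an attacker holding
// a stolen code cannot follow a wrong guess with a second attempt.
func (s *pkceStore) Check(code, verifier string) error {
	s.mu.Lock()
	challenge, ok := s.byCode[code]
	delete(s.byCode, code)
	s.mu.Unlock()
	switch {
	case !ok:
		return errUnknownCode
	case challenge == "":
		return nil // no PKCE started for this code; the mock does not force it
	case verifier == "":
		return errVerifierMissing
	case len(verifier) < 43 || len(verifier) > 128: // RFC 7636 section 4.1 length bounds
		return errVerifierInvalid
	}
	if subtle.ConstantTimeCompare([]byte(s256Challenge(verifier)), []byte(challenge)) != 1 {
		return errVerifierInvalid
	}
	return nil
}

// s256Challenge is the client-side transform: BASE64URL(SHA256(verifier)) without padding.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// newVerifier generates a 43-character verifier from 32 random bytes, as a client would.
func newVerifier() string {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b[:])
}

func main() {
	store := newPKCEStore()
	verifier := newVerifier()
	// /authorize: the client sends code_challenge; the mock issues a code and stashes the pair.
	_ = store.Stash("code-1", s256Challenge(verifier), "S256")
	// /oauth/token: only the party that generated the verifier can finish the exchange.
	fmt.Println("legit exchange:", store.Check("code-1", verifier))
	fmt.Println("replay:        ", store.Check("code-1", verifier))
	_ = store.Stash("code-2", s256Challenge(verifier), "S256")
	fmt.Println("stolen code:   ", store.Check("code-2", newVerifier()))
}
```

The comparison is constant-time and runs over the S256 transform of the verifier rather than over the verifier itself, so the server never needs to store anything that would let a database read redeem an outstanding code.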
type UserInfoHandler
UserInfoHandler returns claims for the authenticated user.
func (*UserInfoHandler) ServeHTTP
func (h *UserInfoHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)