auth

package
v0.1.1
Warning

This package is not in the latest version of its module.

Published: May 7, 2026 | License: Apache-2.0 | Imports: 19 | Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildAuthURL

func BuildAuthURL(port int, state, codeChallenge, dpopJKT string) string

BuildAuthURL constructs the Spotify authorization URL with PKCE params. dpopJKT is the JWK SHA-256 thumbprint that binds the authorization code to the DPoP key.

func ExchangeCode

func ExchangeCode(client *http.Client, code, codeVerifier string, port int, dpopKey *DPoPKey) (*config.TokenData, error)

ExchangeCode exchanges an authorization code for tokens using PKCE. If dpopKey is non-nil, a DPoP proof is included in the token request.

func ExtractCodeFromURL

func ExtractCodeFromURL(rawURL, expectedState string) (string, error)

ExtractCodeFromURL parses an authorization code from a pasted redirect URL and validates the state parameter for CSRF protection.

func GenerateCodeChallenge

func GenerateCodeChallenge(verifier string) string

GenerateCodeChallenge derives the S256 code challenge from a verifier.

func GenerateCodeVerifier

func GenerateCodeVerifier() (string, error)

GenerateCodeVerifier creates a cryptographically random PKCE code verifier. Length is between 43 and 128 characters per RFC 7636.

func GenerateState

func GenerateState() (string, error)

GenerateState creates a random state parameter for CSRF protection.

func OpenBrowser

func OpenBrowser(url string) error

OpenBrowser attempts to open a URL in the default browser. Returns an error if it can't (e.g., headless server).

func RefreshAccessToken

func RefreshAccessToken(client *http.Client, refreshToken string, dpopKey *DPoPKey) (*config.TokenData, error)

RefreshAccessToken uses a refresh token to get a new access token. If dpopKey is non-nil, a DPoP proof is included in the token request.

func StartCallbackServer

func StartCallbackServer(port int, expectedState string) (*http.Server, <-chan CallbackResult, error)

StartCallbackServer starts a temporary HTTP server to receive the OAuth callback. It returns the server, a channel that receives the callback result, and any error.

Types

type CallbackResult

type CallbackResult struct {
	Code             string
	State            string
	Error            string
	ErrorDescription string
}

CallbackResult is sent through the channel from the local HTTP callback handler.

func WaitForCallback

func WaitForCallback(srv *http.Server, resultCh <-chan CallbackResult, timeout time.Duration) (*CallbackResult, error)

WaitForCallback waits for the callback result with a timeout.

type DPoPKey

type DPoPKey struct {
	PrivateKey *ecdsa.PrivateKey
}

DPoPKey holds an ECDSA P-256 key pair for DPoP proof-of-possession (RFC 9449).

func GenerateDPoPKey

func GenerateDPoPKey() (*DPoPKey, error)

GenerateDPoPKey creates a new ECDSA P-256 key pair for DPoP.

func UnmarshalDPoPKey

func UnmarshalDPoPKey(data []byte) (*DPoPKey, error)

UnmarshalDPoPKey deserializes a DPoP key pair from its JSON representation.

func (*DPoPKey) CreateProof

func (k *DPoPKey) CreateProof(method, rawURL, nonce string) (string, error)

CreateProof generates a DPoP proof JWT for the given HTTP method and URL. nonce is included when non-empty (for server-provided DPoP-Nonce).

func (*DPoPKey) MarshalJSON

func (k *DPoPKey) MarshalJSON() ([]byte, error)

MarshalJSON serializes the full key pair (including private key) for persistence.

func (*DPoPKey) Thumbprint

func (k *DPoPKey) Thumbprint() string

Thumbprint returns the base64url-encoded SHA-256 JWK Thumbprint (RFC 7638).
