auth

package
v0.34.2
Published: Sep 23, 2025 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Overview

Package auth provides the authentication middleware for the openlane core service, its configuration options, and the errors it returns.

Index

Constants

const (
	// SystemObject type for FGA authorization
	SystemObject = "system"
	// SystemObjectID for FGA authorization
	SystemObjectID = "openlane_core"
)

These are stored here, instead of in iam, because they are specific to the openlane core service setup; other services could define different object types and IDs.

Variables

var (
	// ErrNoClaims is returned when no claims are found on the request context
	ErrNoClaims = errors.New("no claims found on the request context")
	// ErrNoUserInfo is returned when no user info is found on the request context
	ErrNoUserInfo = errors.New("no user info found on the request context")
	// ErrUnverifiedUser is returned when the user is not verified
	ErrUnverifiedUser = errors.New("user is not verified")
	// ErrParseBearer is returned when the bearer token could not be parsed from the authorization header
	ErrParseBearer = errors.New("could not parse bearer token from authorization header")
	// ErrNoAuthorization is returned when no authorization header is found in the request
	ErrNoAuthorization = errors.New("no authorization header in request")
	// ErrNoRequest is returned when no request is found on the context
	ErrNoRequest = errors.New("no request found on the context")
	// ErrNoRefreshToken is returned when no refresh token is found on the request
	ErrNoRefreshToken = errors.New("no refresh token available on request")
	// ErrRefreshDisabled is returned when re-authentication with refresh tokens is disabled
	ErrRefreshDisabled = errors.New("re-authentication with refresh tokens disabled")
	// ErrUnableToConstructValidator is returned when the validator cannot be constructed
	ErrUnableToConstructValidator = errors.New("unable to construct validator")
	// ErrPasswordTooWeak is returned when the password is too weak
	ErrPasswordTooWeak = errors.New("password is too weak: use a combination of upper and lower case letters, numbers, and special characters")
	// ErrTokenSSORequired is returned when a token must be authorized via SSO for the organization
	ErrTokenSSORequired = errors.New("token requires SSO authorization")

	// ErrAnonymousAccessNotAllowed is returned when anonymous access is not allowed
	ErrAnonymousAccessNotAllowed = errors.New("anonymous access not allowed")
)

var DefaultAuthOptions = Options{
	KeysURL:            "http://localhost:17608/.well-known/jwks.json",
	Audience:           "http://localhost:17608",
	Issuer:             "http://localhost:17608",
	MinRefreshInterval: 5 * time.Minute,
	Skipper:            middleware.DefaultSkipper,
	CookieConfig:       sessions.DefaultCookieConfig,
}

DefaultAuthOptions is the default auth options used by the middleware.

var SessionSkipperFunc = func(c echo.Context) bool {
	return auth.GetAuthTypeFromEchoContext(c) != auth.JWTAuthentication
}

SessionSkipperFunc is the function that determines whether the session check should be skipped because the request is authenticated with a PAT or API Token rather than a JWT.

Functions

func Authenticate

func Authenticate(conf *Options) echo.MiddlewareFunc

Authenticate is a middleware function used to authenticate requests. It is not applied to all routes, so be aware of that when wiring up routes.

func Reauthenticate

func Reauthenticate(conf *Options, validator tokens.Validator) func(c echo.Context) (string, error)

Reauthenticate is a middleware helper that can use refresh tokens in the echo context to obtain a new access token. If it is unable to obtain a new valid access token, then an error is returned and processing should stop.

Types

type Option added in v0.8.5

type Option func(opts *Options)

Option allows users to optionally supply configuration to the Authorization middleware.

func WithAllowAnonymous added in v0.20.5

func WithAllowAnonymous(allow bool) Option

WithAllowAnonymous allows anonymous access to the API.

func WithAudience

func WithAudience(audience string) Option

WithAudience allows the user to specify an alternative audience.

func WithAuthOptions

func WithAuthOptions(opts Options) Option

WithAuthOptions allows the user to update the default auth options from an Options struct, setting many values at once. Zero values are ignored, so when this option is used the defaults are preserved for any field not set on the input.

func WithBeforeFunc

func WithBeforeFunc(before middleware.BeforeFunc) Option

WithBeforeFunc allows the user to specify a function to happen before the auth middleware

func WithContext

func WithContext(ctx context.Context) Option

WithContext allows the user to specify an external, cancelable context to control the background refresh behavior of the JWKS cache.

func WithCookieConfig

func WithCookieConfig(cookieConfig *sessions.CookieConfig) Option

WithCookieConfig allows the user to specify a cookie configuration for the auth middleware in order to override the default cookie configuration.

func WithDBClient

func WithDBClient(client *ent.Client) Option

WithDBClient returns an Option that sets the DBClient field of Options. The DBClient is the database client used to check authentication with personal access tokens.

func WithIssuer

func WithIssuer(issuer string) Option

WithIssuer allows the user to specify an alternative issuer.

func WithJWKSEndpoint

func WithJWKSEndpoint(url string) Option

WithJWKSEndpoint allows the user to specify an alternative endpoint to fetch the JWKS public keys from. This is useful for testing or for different environments.

func WithMinRefreshInterval

func WithMinRefreshInterval(interval time.Duration) Option

WithMinRefreshInterval allows the user to specify an alternative minimum duration between cache refreshes to control refresh behavior for the JWKS public keys.

func WithReauthenticator

func WithReauthenticator(reauth Reauthenticator) Option

WithReauthenticator allows the user to specify a reauthenticator for the auth middleware.

func WithRedisClient added in v0.23.1

func WithRedisClient(redisClient *redis.Client) Option

WithRedisClient allows the user to specify a Redis client for the auth middleware in order to set the permission cache in the context.

func WithSkipperFunc

func WithSkipperFunc(skipper middleware.Skipper) Option

WithSkipperFunc allows the user to specify a skipper function for the middleware

func WithValidator

func WithValidator(validator tokens.Validator) Option

WithValidator allows the user to specify an alternative validator for the auth middleware. This is particularly useful for testing authentication.

type Options added in v0.8.5

type Options struct {
	// KeysURL endpoint to the JWKS public keys on the server
	KeysURL string `default:"http://localhost:17608/.well-known/jwks.json"`
	// Audience to verify on tokens
	Audience string `default:"http://localhost:17608"`
	// Issuer to verify on tokens
	Issuer string `default:"http://localhost:17608"`
	// MinRefreshInterval to cache the JWKS public keys
	MinRefreshInterval time.Duration `default:"5m"`
	// Context to control the lifecycle of the background fetch routine
	Context context.Context

	// CookieConfig to set the cookie configuration for the auth middleware
	CookieConfig *sessions.CookieConfig

	// Skipper defines a function to skip middleware
	Skipper middleware.Skipper
	// BeforeFunc defines a function which is executed just before the middleware
	BeforeFunc     middleware.BeforeFunc
	AllowAnonymous bool

	// Used to check other auth types like personal access tokens
	DBClient *ent.Client
	// RedisClient is used to set the permission cache in the context
	RedisClient *redis.Client
	// contains filtered or unexported fields
}

Options is constructed from variadic AuthOption arguments with reasonable defaults.

func NewAuthOptions

func NewAuthOptions(opts ...Option) (conf Options)

NewAuthOptions creates an AuthOptions object with reasonable defaults and any user supplied input from the AuthOption variadic arguments.
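The zero-value behaviour documented for WithAuthOptions and NewAuthOptions above, shown as an added example that is not the project's own code: a reduced, hypothetical re-implementation of Options with only two of its fields (Audience and MinRefreshInterval), assuming WithAuthOptions copies only non-zero fields and NewAuthOptions applies options in order. The practical consequence is that a zero value on the input cannot clear a default, so an empty Audience or a zero MinRefreshInterval is silently ignored.

```go
package main

import (
	"fmt"
	"time"
)

// Options: reduced, hypothetical re-implementation of the documented struct
// (not the project's code); only the fields this example needs.
type Options struct {
	Audience           string
	MinRefreshInterval time.Duration
}

// Option applies one configuration change to Options.
type Option func(opts *Options)

// DefaultAuthOptions mirrors the defaults listed on the page.
var DefaultAuthOptions = Options{
	Audience:           "http://localhost:17608",
	MinRefreshInterval: 5 * time.Minute,
}

// WithAuthOptions copies only the non-zero fields of in, so unset fields keep
// their defaults. Consequence: an empty Audience or a zero MinRefreshInterval
// cannot clear a default; it is silently ignored.
func WithAuthOptions(in Options) Option {
	return func(o *Options) {
		if in.Audience != "" {
			o.Audience = in.Audience
		}
		if in.MinRefreshInterval != 0 {
			o.MinRefreshInterval = in.MinRefreshInterval
		}
	}
}

// NewAuthOptions starts from the defaults and applies each Option in order.
func NewAuthOptions(opts ...Option) Options {
	conf := DefaultAuthOptions
	for _, fn := range opts {
		fn(&conf)
	}
	return conf
}

func main() {
	// Only Audience is set; MinRefreshInterval keeps its default of 5m.
	fmt.Printf("%+v\n", NewAuthOptions(WithAuthOptions(Options{Audience: "https://api.example.test"})))
}
```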

func (*Options) Validator added in v0.8.5

func (conf *Options) Validator() (tokens.Validator, error)

Validator returns the user supplied validator or constructs a new JWKS Cache Validator from the supplied options. If the options are invalid or the validator cannot be created, an error is returned.

func (*Options) WithLocalValidator added in v0.8.5

func (conf *Options) WithLocalValidator() error

WithLocalValidator returns a new JWKS Validator constructed from the supplied options using the local keys instead of fetching them from the server.

type Reauthenticator

type Reauthenticator interface {
	Refresh(context.Context, *api.RefreshRequest) (*api.LoginReply, error)
}

Reauthenticator generates a new access and refresh token pair given a valid refresh token.
