README
¶
tinywasm/user
User management library for the tinywasm ecosystem. Handles user entities,
password authentication, OAuth providers (Google, Microsoft), LAN (local network)
authentication by RUT + IP, and session management.
Applications import tinywasm/user directly to configure session behaviour and register
isomorphic UI modules into tinywasm/site.
Documentation
- docs/ARCHITECTURE.md — What & Why: schema, contracts, design principles
- docs/IMPLEMENTATION.md — How: file layout, reference code, test strategy
Note: RBAC is now integrated into the User module (see ARCHITECTURE.md).
Diagrams
- docs/diagrams/AUTH_FLOW.md — Local login credential validation
- docs/diagrams/SESSION_FLOW.md — Session lifecycle
- docs/diagrams/USER_CRUD_FLOW.md — User creation pipeline
- docs/diagrams/OAUTH_FLOW.md — OAuth begin/callback flow (all branches)
- docs/diagrams/LAN_AUTH_FLOW.md — LAN login: RUT validation + IP allowlist check
- docs/diagrams/LAN_IP_FLOW.md — LAN IP management: RegisterLAN, AssignLANIP, RevokeLANIP, GetLANIPs, UnregisterLAN
Integration
// main.go — application setup
// 1. Configure site (DB shared with user via applyUser internally)
site.SetDB(db)
site.SetUserID(extractUserID) // reads session cookie, calls user.GetSession
site.CreateRole('a', "Admin", "full access")
// 2. Configure user via Config struct (all optional, zero values = defaults)
site.SetUserConfig(user.Config{
SessionCookieName: "s", // default: "session"
SessionTTL: 86400, // default: 86400 (24h)
TrustProxy: true, // default: false
OAuthProviders: []user.OAuthProvider{
&user.GoogleProvider{
ClientID: os.Getenv("GOOGLE_CLIENT_ID"),
ClientSecret: os.Getenv("GOOGLE_CLIENT_SECRET"),
RedirectURL: "https://example.com/oauth/callback",
},
},
})
// 3. Register user modules alongside app modules
site.RegisterHandlers(
user.LoginModule, // /login — handles auth end-to-end (validate → login → session → cookie)
user.RegisterModule, // /register
user.ProfileModule, // /profile
user.LANModule, // /lan
user.OAuthCallback, // /oauth/callback
&myapp.Dashboard{},
)
site.Serve(":8080")
// site.Serve internally calls: applyUser() → user.Init(dbExecutor, cfg)
// After user registration/OAuth, assign default role:
// site.AssignRole(u.ID, 'v')
Status
Implementation pending. Documentation complete.
Documentation
¶
Overview ¶
Code generated by ormc; DO NOT EDIT. NOTE: Schema() and Values() must always be in the same field order. String PK: set via github.com/tinywasm/unixid before calling db.Create().
Index ¶
- Variables
- func AssignLANIP(userID, ip, label string) error
- func AssignPermission(roleID, permissionID string) error
- func AssignRole(userID, roleID string) error
- func BeginOAuth(providerName string) (string, error)
- func CreateIdentity(userID, provider, providerID, email string) error
- func CreatePermission(id, name, resource string, action string) error
- func CreateRole(id string, code string, name, description string) error
- func DeletePermission(id string) error
- func DeleteRole(id string) error
- func DeleteSession(id string) error
- func HasPermission(userID, resource string, action byte) (bool, error)
- func Init(db *orm.DB, cfg Config) error
- func PurgeExpiredOAuthStates() error
- func PurgeExpiredSessions() error
- func ReactivateUser(id string) error
- func Register(handlers ...RBACObject) error
- func RegisterLAN(userID, rut string) error
- func RevokeLANIP(userID, ip string) error
- func RevokeRole(userID, roleID string) error
- func SessionCookieName() string
- func SetPassword(userID, password string) error
- func SuspendUser(id string) error
- func UnlinkIdentity(userID, provider string) error
- func UnregisterLAN(userID string) error
- func UpdateUser(id, name, phone string) error
- func VerifyPassword(userID, password string) error
- type Config
- type Executor
- type GoogleProvider
- type Identity
- type LANIP
- type LoginData
- type MicrosoftProvider
- func (p *MicrosoftProvider) AuthCodeURL(state string) string
- func (p *MicrosoftProvider) ExchangeCode(ctx context.Context, code string) (*oauth2.Token, error)
- func (p *MicrosoftProvider) GetUserInfo(ctx context.Context, token *oauth2.Token) (OAuthUserInfo, error)
- func (p *MicrosoftProvider) Name() string
- type OAuthProvider
- type OAuthState
- type OAuthUserInfo
- type PasswordData
- type Permission
- type ProfileData
- type RBACObject
- type RegisterData
- type Role
- type RolePermission
- type Rows
- type Scanner
- type Session
- type Store
- type User
- func CompleteOAuth(providerName string, r *http.Request, ip, ua string) (User, bool, error)
- func CreateUser(email, name, phone string) (User, error)
- func GetUser(id string) (User, error)
- func GetUserByEmail(email string) (User, error)
- func Login(email, password string) (User, error)
- func LoginLAN(rut string, r *http.Request) (User, error)
- func ReadAllUser(qb *orm.QB) ([]*User, error)
- func ReadOneUser(qb *orm.QB, model *User) (*User, error)
- type UserRole
Constants ¶
This section is empty.
Variables ¶
View Source
var ( LoginModule *loginModule RegisterModule *registerModule ProfileModule *profileModule LANModule *lanModule OAuthCallback *oauthModule )
View Source
var ( ErrInvalidCredentials = fmt.Err("access", "denied") // EN: Access Denied / ES: Acceso Denegado ErrSuspended = fmt.Err("user", "suspended") // EN: User Suspended / ES: Usuario Suspendido ErrEmailTaken = fmt.Err("email", "registered") // EN: Email Registered / ES: Correo electrónico Registrado ErrWeakPassword = fmt.Err("password", "weak") // EN: Password Weak / ES: Contraseña Débil ErrSessionExpired = fmt.Err("token", "expired") // EN: Token Expired / ES: Token Expirado ErrNotFound = fmt.Err("user", "not", "found") // EN: User Not Found / ES: Usuario No Encontrado ErrProviderNotFound = fmt.Err("provider", "not", "found") // EN: Provider Not Found / ES: Proveedor No Encontrado ErrInvalidOAuthState = fmt.Err("state", "invalid") // EN: State Invalid / ES: Estado Inválido ErrCannotUnlink = fmt.Err("identity", "cannot", "unlink") // EN: Identity Cannot Unlink / ES: Identidad No puede Desvincular ErrInvalidRUT = fmt.Err("rut", "invalid") // EN: Rut Invalid / ES: Rut Inválido ErrRUTTaken = fmt.Err("rut", "registered") // EN: Rut Registered / ES: Rut Registrado ErrIPTaken = fmt.Err("ip", "registered") // EN: Ip Registered / ES: Ip Registrado )
View Source
var IdentityMeta = struct { TableName string ID string UserID string Provider string ProviderID string Email string CreatedAt string }{ TableName: "user_identities", ID: "id", UserID: "user_id", Provider: "provider", ProviderID: "provider_id", Email: "email", CreatedAt: "created_at", }
View Source
var LANIPMeta = struct { TableName string ID string UserID string IP string Label string CreatedAt string }{ TableName: "user_lan_ips", ID: "id", UserID: "user_id", IP: "ip", Label: "label", CreatedAt: "created_at", }
View Source
var OAuthStateMeta = struct { TableName string State string Provider string ExpiresAt string CreatedAt string }{ TableName: "user_oauth_states", State: "state", Provider: "provider", ExpiresAt: "expires_at", CreatedAt: "created_at", }
View Source
var PasswordHashCost = bcrypt.DefaultCost
View Source
var PermissionMeta = struct { TableName string ID string Name string Resource string Action string }{ TableName: "rbac_permissions", ID: "id", Name: "name", Resource: "resource", Action: "action", }
View Source
var RoleMeta = struct { TableName string ID string Code string Name string Description string }{ TableName: "rbac_roles", ID: "id", Code: "code", Name: "name", Description: "description", }
View Source
var RolePermissionMeta = struct { TableName string RoleID string PermissionID string }{ TableName: "rbac_role_permissions", RoleID: "role_id", PermissionID: "permission_id", }
View Source
var SessionMeta = struct { TableName string ID string UserID string ExpiresAt string IP string UserAgent string CreatedAt string }{ TableName: "user_sessions", ID: "id", UserID: "user_id", ExpiresAt: "expires_at", IP: "ip", UserAgent: "user_agent", CreatedAt: "created_at", }
View Source
var UserMeta = struct { TableName string ID string Email string Name string Phone string Status string CreatedAt string }{ TableName: "users", ID: "id", Email: "email", Name: "name", Phone: "phone", Status: "status", CreatedAt: "created_at", }
View Source
var UserRoleMeta = struct { TableName string UserID string RoleID string }{ TableName: "rbac_user_roles", UserID: "user_id", RoleID: "role_id", }
Functions ¶
func AssignLANIP ¶ added in v0.0.2
func AssignPermission ¶ added in v0.0.6
func AssignRole ¶ added in v0.0.6
func BeginOAuth ¶ added in v0.0.2
func CreateIdentity ¶ added in v0.0.2
func CreatePermission ¶ added in v0.0.6
func CreateRole ¶ added in v0.0.6
func DeletePermission ¶ added in v0.0.6
func DeleteRole ¶ added in v0.0.6
func DeleteSession ¶ added in v0.0.2
func HasPermission ¶ added in v0.0.6
func PurgeExpiredOAuthStates ¶ added in v0.0.2
func PurgeExpiredOAuthStates() error
func PurgeExpiredSessions ¶ added in v0.0.2
func PurgeExpiredSessions() error
func ReactivateUser ¶ added in v0.0.2
func Register ¶ added in v0.0.6
func Register(handlers ...RBACObject) error
func RegisterLAN ¶ added in v0.0.2
func RevokeLANIP ¶ added in v0.0.2
func RevokeRole ¶ added in v0.0.6
func SessionCookieName ¶ added in v0.0.2
func SessionCookieName() string
func SetPassword ¶ added in v0.0.2
func SuspendUser ¶ added in v0.0.2
func UnlinkIdentity ¶ added in v0.0.2
func UnregisterLAN ¶ added in v0.0.2
func UpdateUser ¶ added in v0.0.2
func VerifyPassword ¶ added in v0.0.2
Types ¶
type Config ¶ added in v0.0.2
type Config struct {
SessionCookieName string // default: "session"
SessionTTL int // default: 86400 (24h)
TrustProxy bool // default: false
OAuthProviders []OAuthProvider
}
type Executor ¶ added in v0.0.2
type Executor interface {
Exec(query string, args ...any) error
Query(query string, args ...any) (Rows, error)
QueryRow(query string, args ...any) Scanner
Prepare(query string) (*sql.Stmt, error)
Begin() (*sql.Tx, error)
}
Executor interface abstracts database operations.
type GoogleProvider ¶ added in v0.0.2
type GoogleProvider struct {
ClientID string
ClientSecret string
RedirectURL string
// contains filtered or unexported fields
}
func (*GoogleProvider) AuthCodeURL ¶ added in v0.0.2
func (p *GoogleProvider) AuthCodeURL(state string) string
func (*GoogleProvider) ExchangeCode ¶ added in v0.0.2
func (*GoogleProvider) GetUserInfo ¶ added in v0.0.2
func (p *GoogleProvider) GetUserInfo(ctx context.Context, token *oauth2.Token) (OAuthUserInfo, error)
func (*GoogleProvider) Name ¶ added in v0.0.2
func (p *GoogleProvider) Name() string
type Identity ¶ added in v0.0.2
type Identity struct {
ID string `json:"id" db:"pk"`
UserID string `json:"user_id" db:"ref=users"`
Provider string `json:"provider"`
ProviderID string `json:"provider_id"`
Email string `json:"email,omitempty"`
CreatedAt int64 `json:"created_at"`
}
Identity
func GetIdentityByProvider ¶ added in v0.0.2
func GetUserIdentities ¶ added in v0.0.2
func ReadOneIdentity ¶ added in v0.0.6
type LANIP ¶ added in v0.0.2
type LANIP struct {
ID string `json:"id" db:"pk"`
UserID string `json:"user_id" db:"ref=users"`
IP string `json:"ip"`
Label string `json:"label"`
CreatedAt int64 `json:"created_at"`
}
LANIP
type LoginData ¶ added in v0.0.2
LoginData is validated by LoginModule on both frontend and backend.
type MicrosoftProvider ¶ added in v0.0.2
type MicrosoftProvider struct {
ClientID string
ClientSecret string
RedirectURL string
// contains filtered or unexported fields
}
func (*MicrosoftProvider) AuthCodeURL ¶ added in v0.0.2
func (p *MicrosoftProvider) AuthCodeURL(state string) string
func (*MicrosoftProvider) ExchangeCode ¶ added in v0.0.2
func (*MicrosoftProvider) GetUserInfo ¶ added in v0.0.2
func (p *MicrosoftProvider) GetUserInfo(ctx context.Context, token *oauth2.Token) (OAuthUserInfo, error)
func (*MicrosoftProvider) Name ¶ added in v0.0.2
func (p *MicrosoftProvider) Name() string
type OAuthProvider ¶ added in v0.0.2
type OAuthState ¶ added in v0.0.6
type OAuthState struct {
State string `json:"state" db:"pk"`
Provider string `json:"provider"`
ExpiresAt int64 `json:"expires_at"`
CreatedAt int64 `json:"created_at"`
}
OAuthState
func ReadAllOAuthState ¶ added in v0.0.6
func ReadAllOAuthState(qb *orm.QB) ([]*OAuthState, error)
func ReadOneOAuthState ¶ added in v0.0.6
func ReadOneOAuthState(qb *orm.QB, model *OAuthState) (*OAuthState, error)
func (*OAuthState) Pointers ¶ added in v0.0.6
func (m *OAuthState) Pointers() []any
func (*OAuthState) Schema ¶ added in v0.0.6
func (m *OAuthState) Schema() []orm.Field
func (OAuthState) TableName ¶ added in v0.0.6
func (OAuthState) TableName() string
func (*OAuthState) Values ¶ added in v0.0.6
func (m *OAuthState) Values() []any
type OAuthUserInfo ¶ added in v0.0.2
type PasswordData ¶ added in v0.0.2
PasswordData is validated by ProfileModule (password change sub-form).
type Permission ¶ added in v0.0.6
type Permission struct {
ID string `json:"id" db:"pk"`
Name string `json:"name"`
Resource string `json:"resource"`
Action string `json:"action"`
}
Permission
func GetPermission ¶ added in v0.0.6
func GetPermission(id string) (*Permission, error)
func ReadAllPermission ¶ added in v0.0.6
func ReadAllPermission(qb *orm.QB) ([]*Permission, error)
func ReadOnePermission ¶ added in v0.0.6
func ReadOnePermission(qb *orm.QB, model *Permission) (*Permission, error)
func (*Permission) Pointers ¶ added in v0.0.6
func (m *Permission) Pointers() []any
func (*Permission) Schema ¶ added in v0.0.6
func (m *Permission) Schema() []orm.Field
func (Permission) TableName ¶ added in v0.0.6
func (Permission) TableName() string
func (*Permission) Values ¶ added in v0.0.6
func (m *Permission) Values() []any
type ProfileData ¶ added in v0.0.2
ProfileData is validated by ProfileModule (name/phone update).
type RBACObject ¶ added in v0.0.6
type RegisterData ¶ added in v0.0.2
RegisterData is validated by RegisterModule.
type Role ¶ added in v0.0.6
type Role struct {
ID string `json:"id" db:"pk"`
Code string `json:"code"`
Name string `json:"name"`
Description string `json:"description"`
}
Role
func GetRoleByCode ¶ added in v0.0.6
func GetUserRoles ¶ added in v0.0.6
type RolePermission ¶ added in v0.0.6
type RolePermission struct {
RoleID string `json:"role_id"`
PermissionID string `json:"permission_id"`
}
RolePermission
func ReadAllRolePermission ¶ added in v0.0.6
func ReadAllRolePermission(qb *orm.QB) ([]*RolePermission, error)
func ReadOneRolePermission ¶ added in v0.0.6
func ReadOneRolePermission(qb *orm.QB, model *RolePermission) (*RolePermission, error)
func (*RolePermission) Pointers ¶ added in v0.0.6
func (m *RolePermission) Pointers() []any
func (*RolePermission) Schema ¶ added in v0.0.6
func (m *RolePermission) Schema() []orm.Field
func (RolePermission) TableName ¶ added in v0.0.6
func (RolePermission) TableName() string
func (*RolePermission) Values ¶ added in v0.0.6
func (m *RolePermission) Values() []any
type Session ¶ added in v0.0.2
type Session struct {
ID string `json:"id" db:"pk"`
UserID string `json:"user_id" db:"ref=users"`
ExpiresAt int64 `json:"expires_at"`
IP string `json:"ip,omitempty"`
UserAgent string `json:"user_agent,omitempty"`
CreatedAt int64 `json:"created_at"`
}
Session
func CreateSession ¶ added in v0.0.2
func GetSession ¶ added in v0.0.2
func ReadOneSession ¶ added in v0.0.6
type User ¶
type User struct {
ID string `json:"id" db:"pk"`
Email string `json:"email,omitempty" db:"unique"`
Name string `json:"name"`
Phone string `json:"phone,omitempty"`
Status string `json:"status"` // "active", "suspended"
CreatedAt int64 `json:"created_at"`
Roles []Role `json:"roles,omitempty" db:"-"`
Permissions []Permission `json:"permissions,omitempty" db:"-"`
}
User
func CompleteOAuth ¶ added in v0.0.2
func CreateUser ¶ added in v0.0.2
func GetUserByEmail ¶ added in v0.0.2
Source Files
¶
- auth.go
- cache.go
- cache_users.go
- crud.go
- forms.go
- generate.go
- google.go
- identities.go
- lan.go
- lan_ips.go
- microsoft.go
- migrate.go
- models.go
- models_orm.go
- module_lan.go
- module_lan_back.go
- module_login.go
- module_login_back.go
- module_oauth.go
- module_oauth_back.go
- module_profile.go
- module_profile_back.go
- module_register.go
- module_register_back.go
- modules.go
- oauth.go
- sessions.go
- sql.go
- user.go
- user_back.go
- user_rbac_mutations.go
Directories
Click to show internal directories.
Click to hide internal directories.