contexts

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Nov 24, 2025 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Index

Constants

// Keys under which the request-scoped tenant and identity IDs are stored in a
// context.Context. Each one is a constant of type contextKey.
//
// NOTE(review): the declaration of contextKey is not shown here; assuming it
// is a defined (non-alias) type, a bare string key with the same text will not
// match these keys. The constants themselves are exported, so any package that
// can derive a context can store a value under them; an ID read back through
// these keys is only as trustworthy as the code that populated the context.
const (
	// AppContextKey keys the current app ID (the platform tenant).
	AppContextKey = contextKey("app_id")

	// EnvironmentContextKey keys the current environment ID.
	EnvironmentContextKey = contextKey("environment_id")

	// OrganizationContextKey keys the current organization ID (the end-user
	// workspace).
	OrganizationContextKey = contextKey("organization_id")

	// UserContextKey keys the ID of the currently authenticated user.
	UserContextKey = contextKey("user_id")
)

Variables

// Sentinel errors for a required context value that is missing. Compare with
// errors.Is rather than by message text.
var (
	// ErrAppContextRequired reports that no app ID was found in the context.
	ErrAppContextRequired = errors.New("app context is required")

	// ErrEnvironmentContextRequired reports that no environment ID was found
	// in the context.
	ErrEnvironmentContextRequired = errors.New("environment context is required")

	// ErrOrganizationContextRequired reports that no organization ID was found
	// in the context.
	ErrOrganizationContextRequired = errors.New("organization context is required")

	// ErrUserContextRequired reports that no user ID was found in the context.
	ErrUserContextRequired = errors.New("user context is required")

	// ErrAuthContextRequired reports that no auth context was found in the
	// context.
	ErrAuthContextRequired = errors.New("authentication context is required")
)

// Sentinel errors for a failed authentication or authorization requirement.
// The messages are fixed strings and do not name the scope or permission that
// was missing, so they disclose nothing about the policy being enforced.
var (
	// ErrUserAuthRequired reports that the operation needs user
	// authentication.
	ErrUserAuthRequired = errors.New("user authentication is required")

	// ErrAPIKeyRequired reports that the operation needs API key
	// authentication.
	ErrAPIKeyRequired = errors.New("API key authentication is required")

	// ErrInsufficientScope reports that the API key lacks a required scope.
	ErrInsufficientScope = errors.New("insufficient API key scope")

	// ErrInsufficientPermission reports that a required RBAC permission is
	// missing.
	ErrInsufficientPermission = errors.New("insufficient permission")
)

Context-related errors

Functions

func GetAPIKey

func GetAPIKey(ctx context.Context) *base.APIKey

GetAPIKey safely retrieves the API key from context (returns nil if not present)

func GetAppID

func GetAppID(ctx context.Context) (xid.ID, bool)

GetAppID retrieves the app ID from context. It returns the app ID and true if found, or xid.NilID() and false if not found.

func GetEnvironmentID

func GetEnvironmentID(ctx context.Context) (xid.ID, bool)

GetEnvironmentID retrieves the environment ID from context

func GetOrganizationID

func GetOrganizationID(ctx context.Context) (xid.ID, bool)

GetOrganizationID retrieves the organization ID from context

func GetSession

func GetSession(ctx context.Context) *base.Session

GetSession safely retrieves the session from context (returns nil if not present)

func GetUser

func GetUser(ctx context.Context) *base.User

GetUser safely retrieves the user from context (returns nil if not present)

func GetUserID

func GetUserID(ctx context.Context) (xid.ID, bool)

GetUserID retrieves the user ID from context

func RequireAPIKey

func RequireAPIKey(ctx context.Context) (*base.APIKey, error)

RequireAPIKey ensures an API key is present

func RequireAppID

func RequireAppID(ctx context.Context) (xid.ID, error)

RequireAppID retrieves the app ID from context or returns an error

func RequireEnvironmentID

func RequireEnvironmentID(ctx context.Context) (xid.ID, error)

RequireEnvironmentID retrieves the environment ID from context or returns an error

func RequireOrganizationID

func RequireOrganizationID(ctx context.Context) (xid.ID, error)

RequireOrganizationID retrieves the organization ID from context or returns an error

func RequireUser

func RequireUser(ctx context.Context) (*base.User, error)

RequireUser ensures a user is authenticated

func RequireUserID

func RequireUserID(ctx context.Context) (xid.ID, error)

RequireUserID retrieves the user ID from context or returns an error

func SetAppID

func SetAppID(ctx context.Context, appID xid.ID) context.Context

SetAppID sets the app ID in context

func SetAuthContext

func SetAuthContext(ctx context.Context, ac *AuthContext) context.Context

SetAuthContext stores the auth context in the request context

func SetEnvironmentID

func SetEnvironmentID(ctx context.Context, envID xid.ID) context.Context

SetEnvironmentID sets the environment ID in context

func SetOrganizationID

func SetOrganizationID(ctx context.Context, orgID xid.ID) context.Context

SetOrganizationID sets the organization ID in context

func SetUserID

func SetUserID(ctx context.Context, userID xid.ID) context.Context

SetUserID sets the user ID in context

func WithAll

func WithAll(ctx context.Context, appID, envID, orgID, userID xid.ID) context.Context

WithAll sets all context values

func WithAppAndOrganization

func WithAppAndOrganization(ctx context.Context, appID, orgID xid.ID) context.Context

WithAppAndOrganization sets both app and organization context

func WithAppAndUser

func WithAppAndUser(ctx context.Context, appID, userID xid.ID) context.Context

WithAppAndUser sets both app and user context

func WithAppEnvironmentAndOrganization

func WithAppEnvironmentAndOrganization(ctx context.Context, appID, envID, orgID xid.ID) context.Context

WithAppEnvironmentAndOrganization sets app, environment, and organization context

Types

type AuthContext

// AuthContext carries the authentication and authorization state resolved for
// one request: API key details, end-user session details, the tenant IDs in
// effect, and the roles and permissions attached to each credential.
//
// NOTE(review): every field is exported and JSON-tagged, so marshaling an
// AuthContext also emits the nested APIKey, Session and User values. Whether
// those types redact secret material is not visible here — confirm before
// logging this struct or returning it to a client.
type AuthContext struct {
	// Platform/App Authentication (via API key)
	APIKey       *base.APIKey `json:"apiKey,omitempty"`
	APIKeyScopes []string     `json:"apiKeyScopes,omitempty"`

	// End-User Authentication (via session/bearer token)
	Session *base.Session `json:"session,omitempty"`
	User    *base.User    `json:"user,omitempty"`

	// Resolved Context (from either API key or session)
	// OrganizationID is a pointer and omitted from JSON when nil; AppID and
	// EnvironmentID are always emitted.
	AppID          xid.ID  `json:"appID"`
	EnvironmentID  xid.ID  `json:"environmentID"`
	OrganizationID *xid.ID `json:"organizationID,omitempty"`

	// Authentication Metadata
	// NOTE(review): these are plain fields; nothing in the struct itself keeps
	// them consistent with APIKey/Session/User. Presumably they are set once by
	// the authenticating middleware — verify that no later code mutates them.
	Method          AuthMethod `json:"method"`
	IsAuthenticated bool       `json:"isAuthenticated"`
	IsAPIKeyAuth    bool       `json:"isAPIKeyAuth"`
	IsUserAuth      bool       `json:"isUserAuth"`

	// Security Metadata
	// NOTE(review): how these are populated is not shown. UserAgent is
	// presumably the client-supplied header, and IPAddress may be derived from
	// forwarding headers; treat both as untrusted input unless the caller
	// establishes otherwise.
	IPAddress string `json:"ipAddress"`
	UserAgent string `json:"userAgent"`

	// RBAC Integration (Hybrid Approach)
	APIKeyRoles        []string `json:"apiKeyRoles,omitempty"`        // Roles assigned to API key
	APIKeyPermissions  []string `json:"apiKeyPermissions,omitempty"`  // Permissions from API key roles
	CreatorPermissions []string `json:"creatorPermissions,omitempty"` // Permissions from key creator (if delegated)
	UserRoles          []string `json:"userRoles,omitempty"`          // Roles from session user
	UserPermissions    []string `json:"userPermissions,omitempty"`    // Permissions from session user roles

	// Effective (computed) permissions - union of all applicable permissions
	// NOTE(review): a union can only widen access. Confirm that
	// CreatorPermissions enter it only when delegation is actually enabled for
	// the key, and that this slice is recomputed whenever an input changes.
	EffectivePermissions []string `json:"effectivePermissions,omitempty"`
}

AuthContext holds the complete authentication state for a request. It provides a unified view of both API key (app) authentication and user session authentication, following production patterns like Clerk.

func GetAuthContext

func GetAuthContext(ctx context.Context) (*AuthContext, bool)

GetAuthContext retrieves the auth context from the request context

func RequireAuthContext

func RequireAuthContext(ctx context.Context) (*AuthContext, error)

RequireAuthContext retrieves auth context or returns error

func (*AuthContext) CanAccess

func (ac *AuthContext) CanAccess(action, resource string) bool

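CanAccess checks if the auth context can perform an action on a resource. This is the main permission check method; it combines: (1) legacy scope strings (e.g., "users:read"); (2) RBAC permissions (e.g., action="view", resource="users"); (3) delegated permissions (from creator); (4) user session permissions. The summary of RequireCanAccess on this page describes the combination as "scopes OR RBAC", so a grant from any one of these sources presumably suffices.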

func (*AuthContext) CanAccessOrgData

func (ac *AuthContext) CanAccessOrgData(targetOrgID xid.ID) bool

CanAccessOrgData checks if the context can access data for a specific org. It returns true if the user belongs to the org, OR the API key is scoped to the org, OR the API key has admin privileges.

func (*AuthContext) CanAccessUserData

func (ac *AuthContext) CanAccessUserData(targetUserID xid.ID) bool

CanAccessUserData checks if the context can access data for a specific user. It returns true if the authenticated user is the target user, OR the API key has admin privileges.

func (*AuthContext) CanPerformAdminOp

func (ac *AuthContext) CanPerformAdminOp() bool

CanPerformAdminOp returns true if the context can perform admin operations. It must have a secret key with admin scope.

func (*AuthContext) GetEffectiveAppID

func (ac *AuthContext) GetEffectiveAppID() xid.ID

GetEffectiveAppID returns the app ID to use for the request. Priority: API key app > Session app.

func (*AuthContext) GetEffectiveEnvironmentID

func (ac *AuthContext) GetEffectiveEnvironmentID() xid.ID

GetEffectiveEnvironmentID returns the environment ID to use. Priority: API key env > Session env.

func (*AuthContext) GetEffectiveOrgID

func (ac *AuthContext) GetEffectiveOrgID() *xid.ID

GetEffectiveOrgID returns the organization ID to use for the request. Priority: Session org > API key org.

func (*AuthContext) GetImpersonatedUserID

func (ac *AuthContext) GetImpersonatedUserID() *xid.ID

GetImpersonatedUserID returns the user ID being impersonated (if any)

func (*AuthContext) GetUserOrAPIKeyUser

func (ac *AuthContext) GetUserOrAPIKeyUser() *base.User

GetUserOrAPIKeyUser returns the session user or nil. In production auth systems, the session user takes precedence.

func (*AuthContext) HasAPIKey

func (ac *AuthContext) HasAPIKey() bool

HasAPIKey returns true if authenticated via API key

func (*AuthContext) HasAllPermissions

func (ac *AuthContext) HasAllPermissions(permissions ...string) bool

HasAllPermissions checks if context has all of the specified permissions

func (*AuthContext) HasAllScopesOf

func (ac *AuthContext) HasAllScopesOf(scopes ...string) bool

HasAllScopesOf checks if the API key has all of the specified scopes

func (*AuthContext) HasAnyPermission

func (ac *AuthContext) HasAnyPermission(permissions ...string) bool

HasAnyPermission checks if context has any of the specified permissions

func (*AuthContext) HasAnyScopeOf

func (ac *AuthContext) HasAnyScopeOf(scopes ...string) bool

HasAnyScopeOf checks if the API key has any of the specified scopes

func (*AuthContext) HasRBACPermission

func (ac *AuthContext) HasRBACPermission(action, resource string) bool

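HasRBACPermission checks if the auth context has a specific RBAC permission. Permission format: "action:resource" (e.g., "view:users", "edit:posts"). Note that this order is the reverse of the legacy scope example given for CanAccess ("users:read"), which puts the resource first.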

func (*AuthContext) HasScope

func (ac *AuthContext) HasScope(scope string) bool

HasScope checks if the API key has a specific scope

func (*AuthContext) HasSession

func (ac *AuthContext) HasSession() bool

HasSession returns true if authenticated via user session

func (*AuthContext) IsAdmin

func (ac *AuthContext) IsAdmin() bool

IsAdmin returns true if the API key has admin privileges

func (*AuthContext) IsDelegatingCreatorPermissions

func (ac *AuthContext) IsDelegatingCreatorPermissions() bool

IsDelegatingCreatorPermissions returns true if API key is delegating creator's permissions

func (*AuthContext) IsImpersonating

func (ac *AuthContext) IsImpersonating() bool

IsImpersonating returns true if API key is impersonating a user

func (*AuthContext) IsPublishableKey

func (ac *AuthContext) IsPublishableKey() bool

IsPublishableKey returns true if authenticated with a publishable key

func (*AuthContext) IsRestrictedKey

func (ac *AuthContext) IsRestrictedKey() bool

IsRestrictedKey returns true if authenticated with a restricted key

func (*AuthContext) IsSecretKey

func (ac *AuthContext) IsSecretKey() bool

IsSecretKey returns true if authenticated with a secret key

func (*AuthContext) RequireCanAccess

func (ac *AuthContext) RequireCanAccess(action, resource string) error

RequireCanAccess ensures the context can access (scopes OR RBAC)

func (*AuthContext) RequireRBACPermission

func (ac *AuthContext) RequireRBACPermission(action, resource string) error

RequireRBACPermission ensures the context has a specific RBAC permission

func (*AuthContext) RequireScope

func (ac *AuthContext) RequireScope(scope string) error

RequireScope ensures the API key has a specific scope

func (*AuthContext) String

func (ac *AuthContext) String() string

String returns a human-readable representation of the auth context

type AuthMethod

// AuthMethod indicates how the request was authenticated. It is a plain
// string type, so values other than the declared AuthMethod* constants are
// representable; code that switches on it should treat any unrecognised value
// as unauthenticated.
type AuthMethod string

AuthMethod indicates how the request was authenticated

// Values an AuthMethod can take.
const (
	// AuthMethodNone presumably marks a request that presented no accepted
	// credential.
	AuthMethodNone = AuthMethod("none")
	// AuthMethodSession presumably marks authentication by user session.
	AuthMethodSession = AuthMethod("session")
	// AuthMethodAPIKey presumably marks authentication by API key.
	AuthMethodAPIKey = AuthMethod("apikey")
	// AuthMethodBoth presumably marks a request carrying both a session and
	// an API key.
	AuthMethodBoth = AuthMethod("both")
)
