auth

package

v0.0.2 Latest Latest Go to latest Published: Feb 16, 2026 License: Apache-2.0 Imports: 3 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/xraph/ctrlplane

Links

Open Source Insights

Documentation ¶

Overview ¶

Package auth provides the authentication and authorization abstraction for the control plane. It defines the Provider interface that any auth backend can implement, along with claims, context helpers, and a noop provider for development and testing.

Index ¶

Variables
func WithClaims(ctx context.Context, c *Claims) context.Context
type AuthzRequest
type Claims
- func ClaimsFrom(ctx context.Context) *Claims
- func RequireClaims(ctx context.Context) (*Claims, error)
- func (c *Claims) HasRole(role string) bool
- func (c *Claims) IsSystemAdmin() bool
type NoopProvider
type Provider

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrUnauthorized = errors.New("ctrlplane: unauthorized")

ErrUnauthorized indicates the request lacks valid authentication credentials.

Functions ¶

func WithClaims ¶

func WithClaims(ctx context.Context, c *Claims) context.Context

WithClaims stores Claims in the context.

Types ¶

type AuthzRequest ¶

type AuthzRequest struct {
	TenantID   string `json:"tenant_id"`
	SubjectID  string `json:"subject_id"`
	Resource   string `json:"resource"`
	Action     string `json:"action"`
	ResourceID string `json:"resource_id,omitempty"`
}

AuthzRequest describes an authorization check.

type Claims ¶

type Claims struct {
	SubjectID string            `json:"sub"`
	TenantID  string            `json:"tenant_id,omitempty"`
	Email     string            `json:"email,omitempty"`
	Name      string            `json:"name,omitempty"`
	Roles     []string          `json:"roles,omitempty"`
	Metadata  map[string]string `json:"metadata,omitempty"`
}

Claims represents the authenticated identity.

func ClaimsFrom ¶

func ClaimsFrom(ctx context.Context) *Claims

ClaimsFrom retrieves Claims from context. Returns nil if absent.

func RequireClaims ¶

func RequireClaims(ctx context.Context) (*Claims, error)

RequireClaims retrieves Claims or returns ErrUnauthorized.

func (*Claims) HasRole ¶

func (c *Claims) HasRole(role string) bool

HasRole checks for a specific role.

func (*Claims) IsSystemAdmin ¶

func (c *Claims) IsSystemAdmin() bool

IsSystemAdmin returns true if claims contain the system admin role.

type NoopProvider ¶

type NoopProvider struct {
	DefaultTenantID string
	DefaultClaims   *Claims
}

NoopProvider allows all operations. Use for development and testing only.

func (*NoopProvider) Authenticate ¶

func (n *NoopProvider) Authenticate(_ context.Context, _ string) (*Claims, error)

Authenticate returns default claims for any token.

func (*NoopProvider) Authorize ¶

func (n *NoopProvider) Authorize(_ context.Context, _ AuthzRequest) (bool, error)

Authorize allows all operations.

func (*NoopProvider) GetTenantID ¶

func (n *NoopProvider) GetTenantID(_ context.Context) string

GetTenantID returns the default tenant ID.

type Provider ¶

type Provider interface {
	// Authenticate validates credentials or token and returns Claims.
	// Typically called by middleware from an HTTP request.
	Authenticate(ctx context.Context, token string) (*Claims, error)

	// Authorize checks whether the identity in ctx has the given
	// permission on the specified resource.
	Authorize(ctx context.Context, req AuthzRequest) (bool, error)

	// GetTenantID extracts the tenant/org ID from context.
	// Returns empty string if not in a tenant context.
	GetTenantID(ctx context.Context) string
}

Provider abstracts authentication and authorization. Implement this interface to plug in any auth backend.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL