auth

package
Published: Jan 17, 2026 License: BSD-2-Clause Imports: 21 Imported by: 0

Documentation


Constants

// Token format constants. A token begins with TokenPrefix (see
// ErrInvalidTokenPrefix) and carries an ID and a secret; BuildToken and
// ParseToken define the exact layout.
const (
	// TokenPrefix is the literal prefix every token must start with.
	TokenPrefix  = "mdn_"
	// IDLength is presumably the length of the ID portion that GenerateToken
	// produces. NOTE(review): ValidateID accepts 1-32 characters, so a
	// caller-supplied ID (GenerateTokenWithID) need not be this length — confirm.
	IDLength     = 6  // base32 characters
	// SecretLength is presumably the length of the generated secret portion — confirm.
	SecretLength = 32 // base32 characters

)

Token format constants

Variables

// APIKey errors. ErrKeyExists is returned by Store.Create and ErrKeyNotFound
// by Store.Get, Store.Update and Store.Delete; the remaining values are
// presumably returned by APIKey.ValidationError, ValidateScopes and the
// Interceptor's authorization checks — confirm against the source.
var (
	ErrKeyNotFound    = errors.New("api key not found")
	ErrKeyExists      = errors.New("api key already exists")
	ErrKeyRevoked     = errors.New("api key has been revoked")
	ErrKeyExpired     = errors.New("api key has expired")
	ErrInvalidScope   = errors.New("invalid scope")
	ErrInvalidZone    = errors.New("invalid zone")
	ErrAccessDenied   = errors.New("access denied")
	ErrZoneNotAllowed = errors.New("zone not allowed")
)

APIKey errors

// Token errors, presumably returned by ParseToken when a token does not have
// the expected prefix, ID or secret form — confirm against the source.
var (
	ErrInvalidTokenFormat = errors.New("invalid token format")
	ErrInvalidTokenPrefix = errors.New("token must start with mdn_")
	ErrInvalidTokenID     = errors.New("invalid token ID")
	ErrInvalidTokenSecret = errors.New("invalid token secret")
)

Token errors

Functions

func AllScopes

func AllScopes() []string

AllScopes returns all valid scope strings (excluding admin).

func BuildToken

func BuildToken(id, secret string) string

BuildToken constructs a token from id and secret.

func CanAccessZone

func CanAccessZone(ctx context.Context, zone string) bool

CanAccessZone checks if the identity in the context can access the given zone. Returns false if no identity is present.

func ContextWithIdentity

func ContextWithIdentity(ctx context.Context, id *Identity) context.Context

ContextWithIdentity returns a new context with the identity attached.

func GenerateToken

func GenerateToken() (token, id string, err error)

GenerateToken creates a new token with random ID and secret. Returns the full token and the extracted ID.

func GenerateTokenWithID

func GenerateTokenWithID(id string) (token, secret string, err error)

GenerateTokenWithID creates a token with a specific ID. Returns the full token and the secret portion.

func GetMethodOptions added in v0.6.1

func GetMethodOptions(method string) (scope mindnspb.Scope, zoneScoped bool, found bool)

GetMethodOptions returns the auth options for a method directly from proto. This is useful for debugging or introspection.

func HasScope

func HasScope(ctx context.Context, scope string) bool

HasScope checks if the identity in the context has the given scope. Returns false if no identity is present.

func HashToken

func HashToken(token string) ([]byte, error)

HashToken returns an argon2id hash of the token. The returned bytes include the salt prepended to the hash.

func IsValidScope

func IsValidScope(scope string) bool

IsValidScope checks if a scope string is valid.

func IsZoneScoped

func IsZoneScoped(method string) bool

IsZoneScoped returns true if the method requires zone authorization.

func MethodScopeEnum added in v0.6.1

func MethodScopeEnum(method string) mindnspb.Scope

MethodScopeEnum returns the Scope enum for a method. Returns SCOPE_UNSPECIFIED if method not found.

func ParseToken

func ParseToken(token string) (id, secret string, err error)

ParseToken extracts id and secret from a token.

func RecordAudit

func RecordAudit(ctx context.Context, event *AuditEvent)

RecordAudit records an audit event to both traces and logs.

func RegisterSkipAuthMethod added in v0.6.1

func RegisterSkipAuthMethod(method string)

RegisterSkipAuthMethod registers a method to skip authentication. Use this with constants from generated gRPC code, e.g.:

auth.RegisterSkipAuthMethod(grpc_health_v1.Health_Check_FullMethodName)

func RegisterSkipAuthMethods added in v0.6.1

func RegisterSkipAuthMethods(methods ...string)

RegisterSkipAuthMethods registers multiple methods to skip authentication.

func RequiredScopes

func RequiredScopes(method string) []string

RequiredScopes returns the scopes required for a method. It returns nil if the method is not in the map, that is, the method is unknown.

func ScopeFromString added in v0.6.1

func ScopeFromString(s string) mindnspb.Scope

ScopeFromString returns the Scope enum value for a string. Returns SCOPE_UNSPECIFIED if not found.

func ScopeString added in v0.6.1

func ScopeString(scope mindnspb.Scope) string

ScopeString returns the string representation of a Scope enum value.

func ShouldSkipAuth

func ShouldSkipAuth(method string) bool

ShouldSkipAuth returns true if the method should skip authentication.

func StartAuthSpan

func StartAuthSpan(ctx context.Context, method string) (context.Context, trace.Span)

StartAuthSpan starts a new span for authentication processing.

func ValidateID

func ValidateID(id string) error

ValidateID checks whether an ID is valid. Rules: 1-32 characters, lowercase alphanumeric characters and hyphens only.

func ValidateScopes

func ValidateScopes(scopes []string) error

ValidateScopes checks if all provided scopes are valid.

func VerifyToken

func VerifyToken(token string, hashedToken []byte) bool

VerifyToken reports whether the given token matches hashedToken.

Types

type APIKey

// APIKey represents an authenticated principal. No plaintext token is kept on
// the key: HashedToken holds the argon2id hash (salt prepended, see HashToken)
// and a presented token is checked against it with VerifyToken.
type APIKey struct {
	ID          string     // Unique identifier (from token)
	HashedToken []byte     // argon2id hash of full token
	Scopes      []string   // Permission scopes; "admin" grants all scopes (see HasScope)
	Zones       []string   // Authorized zones (or ["*"] for all)
	Description string     // Human-readable description
	CreatedAt   time.Time  // Creation timestamp
	ExpiresAt   *time.Time // Optional expiry (nil = no expiry)
	LastUsedAt  *time.Time // Last usage timestamp
	Revoked     bool       // Soft-delete flag
}

APIKey represents an authenticated principal.

func (*APIKey) CanAccessAnyZone

func (k *APIKey) CanAccessAnyZone() bool

CanAccessAnyZone checks if the key has access to all zones ("*").

func (*APIKey) CanAccessZone

func (k *APIKey) CanAccessZone(zone string) bool

CanAccessZone checks if the key authorizes access to the given zone. A zone list containing "*" grants access to all zones.

func (*APIKey) Clone

func (k *APIKey) Clone() *APIKey

Clone creates a deep copy of the APIKey.

func (*APIKey) HasAnyScope

func (k *APIKey) HasAnyScope(scopes []string) bool

HasAnyScope checks if the key has any of the required scopes.

func (*APIKey) HasScope

func (k *APIKey) HasScope(scope string) bool

HasScope checks if the key has the required scope. The "admin" scope grants access to all scopes.

func (*APIKey) IsValid

func (k *APIKey) IsValid() bool

IsValid checks if the key is not revoked and not expired.

func (*APIKey) ValidationError

func (k *APIKey) ValidationError() error

ValidationError returns a specific error if the key is invalid.

type AuditEvent

// AuditEvent represents an auditable authentication/authorization event.
// Pass it to RecordAudit, which records it to both traces and logs.
type AuditEvent struct {
	Method     string    // gRPC method name
	Identity   *Identity // Authenticated identity (nil if unauthenticated)
	Zone       string    // Target zone (if applicable)
	Authorized bool      // Whether the request was authorized
	Error      string    // Error message if authorization failed
}

AuditEvent represents an auditable authentication/authorization event.

type Identity

// Identity represents the authenticated principal from a request. It is
// attached to the context after successful authentication (see
// ContextWithIdentity) and read back with IdentityFromContext or
// MustIdentityFromContext.
type Identity struct {
	KeyID       string   // The API key ID
	Scopes      []string // The scopes granted to this key
	Zones       []string // The zones this key can access
	Description string   // Human-readable key description
}

Identity represents the authenticated principal from a request. This is injected into the context after successful authentication.

func IdentityFromContext

func IdentityFromContext(ctx context.Context) (*Identity, bool)

IdentityFromContext retrieves the identity from the context. Returns nil and false if no identity is present.

func MustIdentityFromContext

func MustIdentityFromContext(ctx context.Context) *Identity

MustIdentityFromContext retrieves the identity from the context. Panics if no identity is present.

type Interceptor

// Interceptor provides gRPC authentication and authorization interceptors
// (see Unary and Stream); construct it with NewInterceptor.
type Interceptor struct {
	// contains filtered or unexported fields
}

Interceptor provides gRPC authentication and authorization interceptors.

func NewInterceptor

func NewInterceptor(store *Store) *Interceptor

NewInterceptor creates a new auth interceptor.

func (*Interceptor) Stream

Stream returns a gRPC stream server interceptor for authentication.

func (*Interceptor) Unary

Unary returns a gRPC unary server interceptor for authentication.

type Store

// Store provides persistent storage for API keys using BadgerDB; construct it
// with NewStore.
type Store struct {
	// contains filtered or unexported fields
}

Store provides persistent storage for API keys using BadgerDB.

func NewStore

func NewStore(db *badger.DB) *Store

NewStore creates a new auth store using the provided BadgerDB instance.

func (*Store) Create

func (s *Store) Create(ctx context.Context, key *APIKey) error

Create stores a new API key. Returns ErrKeyExists if a key with the same ID already exists.

func (*Store) Delete

func (s *Store) Delete(ctx context.Context, id string) error

Delete removes an API key by ID. Returns ErrKeyNotFound if the key doesn't exist.

func (*Store) Exists

func (s *Store) Exists(ctx context.Context, id string) (bool, error)

Exists checks if an API key with the given ID exists.

func (*Store) Get

func (s *Store) Get(ctx context.Context, id string) (*APIKey, error)

Get retrieves an API key by ID. Returns ErrKeyNotFound if the key doesn't exist.

func (*Store) List

func (s *Store) List(ctx context.Context) ([]*APIKey, error)

List returns all API keys.

func (*Store) Revoke

func (s *Store) Revoke(ctx context.Context, id string) (*APIKey, error)

Revoke marks an API key as revoked without deleting it, so that an audit trail is preserved.

func (*Store) Update

func (s *Store) Update(ctx context.Context, key *APIKey) error

Update updates an existing API key. Returns ErrKeyNotFound if the key doesn't exist.

func (*Store) UpdateLastUsed

func (s *Store) UpdateLastUsed(ctx context.Context, id string, t time.Time) error

UpdateLastUsed updates the LastUsedAt timestamp for a key. This is a lightweight operation that only updates the timestamp.
