authorize

Published: Jan 17, 2026 License: MIT Imports: 31 Imported by: 0

README

Authorization handlers on top of Go-ActivityPub storage

This project can be used as a standalone application (the `cmd/auth` command) or imported as a package by an external project.

Documentation

Index

Constants

// ID is an additional osin authorize request type (the response_type value
// "id") that this package accepts alongside osin's standard request types.
// NOTE(review): presumably the legacy IndieAuth identity-only flow
// (response_type=id), which must not issue an access token; confirm against
// Service.Authorize, whose body is not shown on this page.
const (
	ID osin.AuthorizeRequestType = "id"
)

Variables

// AnonymousAcct is the account value that (presumably, from its name) stands
// for an unauthenticated caller. Its fields are unexported, so external code
// can only compare against it or pass it through, not construct a variant.
// NOTE(review): which handlers fall back to it is not visible here — confirm
// that no code path treats AnonymousAcct as an authenticated principal.
var AnonymousAcct = account{
	// contains filtered or unexported fields
}
var InDebugMode bool = false
var InMaintenanceMode bool = false
var IsDev = false

Functions

func AddActor

func AddActor(st FullStorage, p *vocab.Person, pw []byte, author vocab.Actor) (*vocab.Person, error)

func AddKeyToItem

func AddKeyToItem(st FullStorage, it vocab.Item, typ string) error

func AddKeyToPerson

func AddKeyToPerson(metaSaver MetadataStorage, typ string) func(act *vocab.Actor) error

func ByName

func ByName(names ...string) url.Values

func ByType

func ByType(types ...vocab.ActivityVocabularyType) url.Values

func ByURL

func ByURL(urls ...vocab.IRI) url.Values

func GenerateRSAKeyPair

func GenerateRSAKeyPair() (pem.Block, pem.Block)

func GeneratedClientActor

func GeneratedClientActor(author vocab.Item, clientRequest ClientRegistrationRequest) *vocab.Actor

func IRIWithFilters

func IRIWithFilters(iri vocab.IRI, searchParams ...url.Values) vocab.IRI

func NewIndieAuthActor

func NewIndieAuthActor(storage FullStorage, clientURL *url.URL, actor vocab.Item) (*vocab.Person, error)

func SearchActorsIRI

func SearchActorsIRI(baseIRI vocab.IRI, searchParams ...url.Values) vocab.IRI

func ValidateClientRegistrationRequest

func ValidateClientRegistrationRequest(req ClientRegistrationRequest) error

ValidateClientRegistrationRequest checks a decoded ClientRegistrationRequest and returns a non-nil error when it is not acceptable (see ClientRegistrationError and ClientRegistrationErrorCode for the shape of the error the endpoint reports). The following wording is adapted from RFC 7591, Section 3.2.2: when an OAuth 2.0 error condition occurs, such as the client presenting an invalid initial access token, the authorization server returns an error response appropriate to the OAuth 2.0 token type. When a registration error condition occurs, the authorization server returns an HTTP 400 status code (unless otherwise specified) with content type "application/json" consisting of a JSON object [RFC7159] describing the error in the response body. Two members are defined for inclusion in the JSON object: "error", a single ASCII error code (one of the ClientRegistrationErrorCode values), and "error_description", human-readable ASCII text describing the error.

Types

type ActorLoader

// ActorLoader loads an ActivityPub item by IRI, optionally narrowed by
// filters.Check predicates. It is the read-only subset of Storage (the Load
// method has the same signature there), so any Storage is also an ActorLoader.
type ActorLoader interface {
	Load(vocab.IRI, ...filters.Check) (vocab.Item, error)
}

type ClientLister

// ClientLister resolves an OAuth 2.0 client by its client_id.
// Security: the osin authorize and token flows compare the incoming request
// against the redirect URI and secret of the client this returns, so an
// implementation must return a non-nil error for an unknown id rather than a
// zero-valued osin.Client.
type ClientLister interface {
	GetClient(id string) (osin.Client, error)
}

type ClientRegistrationError

// ClientRegistrationError is the JSON error body returned by the dynamic
// client registration endpoint (RFC 7591, Section 3.2.2): an HTTP 400 with
// "error" and "error_description" members. It implements error.
type ClientRegistrationError struct {
	// ErrorCode  Single ASCII error code string.
	ErrorCode ClientRegistrationErrorCode `json:"error"`
	// ErrorDescription Human-readable ASCII text description of the error used for debugging.
	// Security: this text is returned to the (untrusted) registering party.
	// Describe the problem; do not echo client-supplied values verbatim or
	// include internal paths, stack traces or storage errors.
	ErrorDescription string `json:"error_description"`
}

func (ClientRegistrationError) Error

func (e ClientRegistrationError) Error() string

type ClientRegistrationErrorCode

// ClientRegistrationErrorCode is the "error" member of a registration error
// response (RFC 7591, Section 3.2.2). The constants below are the four codes
// the RFC defines; they are carried in ClientRegistrationError.ErrorCode.
type ClientRegistrationErrorCode string
const (
	// InvalidRedirectURI The value of one or more redirection URIs is invalid.
	// Security: the code to return for a redirect URI that is relative,
	// carries a fragment, or uses a scheme the server does not allow —
	// registering such a URI is what later enables authorization-code
	// interception.
	InvalidRedirectURI ClientRegistrationErrorCode = "invalid_redirect_uri"
	// InvalidClientMetadata The value of one of the client metadata fields is invalid and the
	// server has rejected this request.  Note that an authorization
	// server MAY choose to substitute a valid value for any requested
	// parameter of a client's metadata.
	InvalidClientMetadata ClientRegistrationErrorCode = "invalid_client_metadata"
	// InvalidSoftwareStatement The software statement presented is invalid.
	// Note: ClientRegistrationRequest has no software_statement field, so this
	// code is presumably unused by this package.
	InvalidSoftwareStatement ClientRegistrationErrorCode = "invalid_software_statement"
	// UnapprovedSoftwareStatement The software statement presented is not approved for use by this
	// authorization server.
	UnapprovedSoftwareStatement ClientRegistrationErrorCode = "unapproved_software_statement"
)

type ClientRegistrationRequest

// ClientRegistrationRequest is the client metadata document a client POSTs to
// the dynamic registration endpoint (Service.ClientRegistration). The field
// documentation is taken from RFC 7591, Section 2; bare section numbers in
// the comments refer to that RFC unless another RFC is named.
//
// Security: every field is attacker-controlled input. The redirect URIs are
// what later keeps authorization codes from being delivered to the wrong
// party, and the human-readable fields (name, logo, URIs) are shown to
// end-users on the consent page, so they must be validated on input and
// escaped on output. The checks this package applies live in
// ValidateClientRegistrationRequest, whose body is not shown on this page.
type ClientRegistrationRequest struct {
	// RedirectUris Array of redirection URI strings for use in redirect-based flows
	// such as the authorization code and implicit flows.  As required by
	// Section 2 of OAuth 2.0 [RFC6749], clients using flows with
	// redirection MUST register their redirection URI values.
	// Authorization servers that support dynamic registration for
	// redirect-based flows MUST implement support for this metadata
	// value.
	// Security: each value should be an absolute URI without a fragment;
	// web clients should be limited to https (plain http only for loopback
	// addresses, per RFC 8252), and authorization requests must later match
	// one entry exactly, never by prefix. Note the tag has no omitempty, so
	// an absent list re-serializes as null.
	RedirectUris []string `json:"redirect_uris"`

	// ClientName
	// Human-readable string name of the client to be presented to the
	// end-user during authorization.  If omitted, the authorization
	// server MAY display the raw "client_id" value to the end-user
	// instead.  It is RECOMMENDED that clients always send this field.
	// The value of this field MAY be internationalized, as described in
	// Section 2.2.
	// Security: rendered on the consent page; HTML-escape it and consider a
	// length limit, since a misleading name is a phishing aid.
	ClientName string `json:"client_name"`

	// TokenEndpointAuthMethod
	// String indicator of the requested authentication method for the
	// token endpoint.  Values defined by this specification are:
	// *  "none": The client is a public client as defined in OAuth 2.0,
	//    Section 2.1, and does not have a client secret.
	// *  "client_secret_post": The client uses the HTTP POST parameters
	//    as defined in OAuth 2.0, Section 2.3.1.
	// *  "client_secret_basic": The client uses HTTP Basic as defined in
	//    OAuth 2.0, Section 2.3.1.
	// Additional values can be defined via the IANA "OAuth Token
	// Endpoint Authentication Methods" registry established in
	// Section 4.2.  Absolute URIs can also be used as values for this
	// parameter without being registered.  If unspecified or omitted,
	// the default is "client_secret_basic", denoting the HTTP Basic
	// authentication scheme as specified in Section 2.3.1 of OAuth 2.0.
	// Security: a "none" client must not be issued a client_secret and
	// should be required to use PKCE on the authorization code grant.
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"`

	// GrantTypes
	// Array of OAuth 2.0 grant type strings that the client can use at
	// the token endpoint.  These grant types are defined as follows:
	// *  "authorization_code": The authorization code grant type defined
	//    in OAuth 2.0, Section 4.1.
	// *  "implicit": The implicit grant type defined in OAuth 2.0,
	//    Section 4.2.
	// *  "password": The resource owner password credentials grant type
	//    defined in OAuth 2.0, Section 4.3.
	// *  "client_credentials": The client credentials grant type defined
	//    in OAuth 2.0, Section 4.4.
	// *  "refresh_token": The refresh token grant type defined in OAuth
	//    2.0, Section 6.
	// *  "urn:ietf:params:oauth:grant-type:jwt-bearer": The JWT Bearer
	//    Token Grant Type defined in OAuth JWT Bearer Token Profiles
	//    [RFC7523].
	// *  "urn:ietf:params:oauth:grant-type:saml2-bearer": The SAML 2.0
	//    Bearer Assertion Grant defined in OAuth SAML 2 Bearer Token
	//    Profiles [RFC7522].
	// If the token endpoint is used in the grant type, the value of this
	// parameter MUST be the same as the value of the "grant_type"
	// parameter passed to the token endpoint defined in the grant type
	// definition.  Authorization servers MAY allow for other values as
	// defined in the grant type extension process described in OAuth
	// 2.0, Section 4.5.  If omitted, the default behavior is that the
	// client will use only the "authorization_code" Grant Type.
	// Security: "implicit" and "password" are deprecated by the OAuth 2.0
	// Security Best Current Practice (RFC 9700); a server should consider
	// refusing to register them, and should only accept grant types it
	// actually implements.
	GrantTypes []string `json:"grant_types"`

	// ResponseTypes
	// Array of the OAuth 2.0 response type strings that the client can
	// use at the authorization endpoint.  These response types are
	// defined as follows:
	// *  "code": The authorization code response type defined in OAuth
	//    2.0, Section 4.1.
	// *  "token": The implicit response type defined in OAuth 2.0,
	//    Section 4.2.
	//  If the authorization endpoint is used by the grant type, the value
	// of this parameter MUST be the same as the value of the
	// "response_type" parameter passed to the authorization endpoint
	// defined in the grant type definition.  Authorization servers MAY
	// allow for other values as defined in the grant type extension
	// process is described in OAuth 2.0, Section 4.5.  If omitted, the
	// default is that the client will use only the "code" response type.
	// Security: "token" is the implicit flow; see the GrantTypes note.
	// Note: unlike GrantTypes this field is omitempty.
	ResponseTypes []string `json:"response_types,omitempty"`

	// ClientURI
	// URL string of a web page providing information about the client.
	// If present, the server SHOULD display this URL to the end-user in
	// a clickable fashion.  It is RECOMMENDED that clients always send
	// this field.  The value of this field MUST point to a valid web
	// page.  The value of this field MAY be internationalized, as
	// described in Section 2.2.
	// Security: rendered as a link to end-users; parse it as a URL and
	// restrict the scheme (https, never javascript: or data:) before
	// rendering.
	ClientURI string `json:"client_uri,omitempty"`

	// LogoURI
	// URL string that references a logo for the client.  If present, the
	// server SHOULD display this image to the end-user during approval.
	// The value of this field MUST point to a valid image file.  The
	// value of this field MAY be internationalized, as described in
	// Section 2.2.
	// Security: same handling as ClientURI; an unvalidated logo URL is a
	// tracking pixel or phishing aid on the consent page.
	LogoURI string `json:"logo_uri,omitempty"`

	// Scope
	// String containing a space-separated list of scope values (as
	// described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
	// can use when requesting access tokens.  The semantics of values in
	// this list are service specific.  If omitted, an authorization
	// server MAY register a client with a default set of scopes.
	Scope string `json:"scope,omitempty"`

	// Contacts
	// Array of strings representing ways to contact people responsible
	// for this client, typically email addresses.  The authorization
	// server MAY make these contact addresses available to end-users for
	// support requests for the client.  See Section 6 for information on
	// Privacy Considerations.
	Contacts []string `json:"contacts,omitempty"`

	// TosURI
	// URL string that points to a human-readable terms of service
	// document for the client that describes a contractual relationship
	// between the end-user and the client that the end-user accepts when
	// authorizing the client.  The authorization server SHOULD display
	// this URL to the end-user if it is provided.  The value of this
	// field MUST point to a valid web page.  The value of this field MAY
	// be internationalized, as described in Section 2.2.
	// Security: same handling as ClientURI.
	TosURI string `json:"tos_uri,omitempty"`

	// PolicyURI
	// URL string that points to a human-readable privacy policy document
	// that describes how the deployment organization collects, uses,
	// retains, and discloses personal data.  The authorization server
	// SHOULD display this URL to the end-user if it is provided.  The
	// value of this field MUST point to a valid web page.  The value of
	// this field MAY be internationalized, as described in Section 2.2.
	// Security: same handling as ClientURI.
	PolicyURI string `json:"policy_uri,omitempty"`

	// JwksURI
	// URL string referencing the client's JSON Web Key (JWK) Set
	// [RFC7517] document, which contains the client's public keys.  The
	// value of this field MUST point to a valid JWK Set document.  These
	// keys can be used by higher-level protocols that use signing or
	// encryption.  For instance, these keys might be used by some
	// applications for validating signed requests made to the token
	// endpoint when using JWTs for client authentication [RFC7523].  Use
	// of this parameter is preferred over the "jwks" parameter, as it
	// allows for easier key rotation.  The "jwks_uri" and "jwks"
	// parameters MUST NOT both be present in the same request or
	// response.
	// Security: if the server ever dereferences this URL it is a
	// server-side request forgery (SSRF) vector — require https, refuse
	// private and loopback addresses, and bound response size and
	// timeout. Whether this package fetches it is not visible here.
	JwksURI string `json:"jwks_uri,omitempty"`

	// Jwks
	// Client's JSON Web Key Set [RFC7517] document value, which contains
	// the client's public keys.  The value of this field MUST be a JSON
	// object containing a valid JWK Set.  These keys can be used by
	// higher-level protocols that use signing or encryption.  This
	// parameter is intended to be used by clients that cannot use the
	// "jwks_uri" parameter, such as native clients that cannot host
	// public URLs.  The "jwks_uri" and "jwks" parameters MUST NOT both
	// be present in the same request or response.
	// Note: kept as json.RawMessage, so decoding the request only checks
	// that it is syntactically valid JSON; the JWK Set structure must be
	// validated before use.
	Jwks json.RawMessage `json:"jwks,omitempty"`

	// SoftwareID
	// A unique identifier string (e.g., a Universally Unique Identifier
	// (UUID)) assigned by the client developer or software publisher
	// used by registration endpoints to identify the client software to
	// be dynamically registered.  Unlike "client_id", which is issued by
	// the authorization server and SHOULD vary between instances, the
	// "software_id" SHOULD remain the same for all instances of the
	// client software.  The "software_id" SHOULD remain the same across
	// multiple updates or versions of the same piece of software.
	// Note: typed as uuid.UUID rather than the RFC's free-form string, so
	// with the usual uuid packages a non-UUID software_id makes decoding
	// of the whole request fail. omitempty has no effect on a fixed-size
	// array type, so the zero UUID is still emitted.
	SoftwareID uuid.UUID `json:"software_id,omitempty"`
}

type ClientRegistrationResponse

// ClientRegistrationResponse is the body returned by the registration
// endpoint on success (RFC 7591, Section 3.2.1).
//
// Security: client_secret is a long-lived credential. It should be generated
// from crypto/rand, returned to the client exactly once, and stored so that a
// leaked database does not yield usable secrets (hashed, as for passwords).
// How this package generates and stores it is not visible on this page.
type ClientRegistrationResponse struct {
	// ClientID REQUIRED. OAuth 2.0 client identifier string.  It SHOULD NOT be
	//	currently valid for any other registered client, though an
	//	authorization server MAY issue the same client identifier to
	//	multiple instances of a registered client at its discretion.
	ClientID string `json:"client_id"`

	// ClientSecret
	// OPTIONAL.  OAuth 2.0 client secret string.  If issued, this MUST
	// be unique for each "client_id" and SHOULD be unique for multiple
	// instances of a client using the same "client_id".  This value is
	// used by confidential clients to authenticate to the token
	// endpoint, as described in OAuth 2.0 [RFC6749], Section 2.3.1.
	// Note: the tag has no omitempty, so a public client (auth method
	// "none") is answered with "client_secret": "" instead of the member
	// being absent as OPTIONAL suggests; clients must treat "" as no secret.
	ClientSecret string `json:"client_secret"`

	// IssuedAt OPTIONAL.  Time at which the client identifier was issued.  The
	// time is represented as the number of seconds from
	// 1970-01-01T00:00:00Z as measured in UTC until the date/time of
	// issuance.
	// Note: no omitempty, so an unset value is emitted as 0.
	IssuedAt int64 `json:"client_id_issued_at"`

	// Expires REQUIRED if "client_secret" is issued.  Time at which the client
	// secret will expire or 0 if it will not expire.  The time is
	// represented as the number of seconds from 1970-01-01T00:00:00Z as
	// measured in UTC until the date/time of expiration.
	// Security: 0 ("never expires") is also the Go zero value, so a
	// forgotten assignment silently produces non-expiring secrets.
	Expires int64 `json:"client_secret_expires_at"`
}

type ClientSaver

// ClientSaver persists a newly registered OAuth 2.0 client.
// Security: the osin.Client carries the client secret; the implementation
// decides whether it is stored hashed or in clear — confirm per backend.
type ClientSaver interface {
	// CreateClient stores the client in the database and returns an error, if something went wrong.
	CreateClient(c osin.Client) error
}

type FullStorage

// FullStorage is the union of every storage capability the handlers need:
// client creation and lookup, the ActivityPub object store, password storage
// and osin's authorize/access/refresh token storage, behind a single Open.
// Note: ClientLister.GetClient and osin.Storage.GetClient appear to have the
// same signature; embedding both is legal (Go 1.14+) and resolves to the one
// method on the implementation.
type FullStorage interface {
	Open() error
	ClientSaver
	ClientLister
	Storage
	PasswordChanger
	osin.Storage
}

type MetadataLoader

// MetadataLoader reads and writes per-IRI metadata (for example the key pair
// attached to an actor, see AddKeyToPerson). Despite the name it also saves.
// Note: its method set is identical to MetadataStorage, so the two are
// interchangeable; one of them could be dropped.
type MetadataLoader interface {
	LoadMetadata(vocab.IRI, any) error
	SaveMetadata(vocab.IRI, any) error
}

type MetadataStorage

// MetadataStorage reads and writes per-IRI metadata; AddKeyToPerson takes
// one to store the generated key. Its method set is identical to
// MetadataLoader.
// Security: if private key material is stored through SaveMetadata, the
// backend must protect it at least as well as passwords — not verifiable here.
type MetadataStorage interface {
	LoadMetadata(vocab.IRI, any) error
	SaveMetadata(vocab.IRI, any) error
}

type PasswordChanger

// PasswordChanger stores and verifies account passwords keyed by actor IRI.
//
// Security: both methods receive the plaintext password bytes. The contract
// this interface implies is that PasswordSet persists only a password hash
// (bcrypt/scrypt/argon2) and PasswordCheck verifies against it; the interface
// cannot enforce either, so confirm in each implementation. PasswordCheck
// signals success by returning nil; it should return an error for both an
// unknown IRI and a wrong password so callers cannot enumerate accounts.
type PasswordChanger interface {
	PasswordSet(vocab.IRI, []byte) error
	PasswordCheck(vocab.IRI, []byte) error
}

type Service

// Service holds the dependencies of the HTTP handlers in this package
// (Authorize, Token, ClientRegistration and the change-password pages).
// Stores is one or more storage backends; Client is the auth.Client
// (presumably used for outgoing ActivityPub requests — not visible here);
// Logger receives the handlers' log output.
// Note: Stores is a slice, so lookups presumably try each backend in order;
// confirm how a client or actor present in more than one store is resolved.
type Service struct {
	Stores []FullStorage
	Client auth.Client
	Logger lw.Logger
}

func (*Service) Authorize

func (s *Service) Authorize(w http.ResponseWriter, r *http.Request)

func (*Service) ClientRegistration

func (s *Service) ClientRegistration(w http.ResponseWriter, r *http.Request)

func (*Service) HandleChangePw

func (s *Service) HandleChangePw(w http.ResponseWriter, r *http.Request)

HandleChangePw

func (*Service) HandleError

func (s *Service) HandleError(e error) http.HandlerFunc

func (*Service) IsValidRequest

func (s *Service) IsValidRequest(r *http.Request) bool

func (*Service) OutOfOrderMw

func (s *Service) OutOfOrderMw(next http.Handler) http.Handler

func (*Service) ShowChangePw

func (s *Service) ShowChangePw(w http.ResponseWriter, r *http.Request)

ShowChangePw

func (*Service) Token

func (s *Service) Token(w http.ResponseWriter, r *http.Request)

func (*Service) ValidateClient

func (s *Service) ValidateClient(r *http.Request) (*vocab.Actor, error)

type Storage

// Storage is the read/write ActivityPub object store used by this package:
// Load fetches an item by IRI (optionally filtered), Save and Delete manage
// single items, Create makes a collection, and AddTo/RemoveFrom edit the
// membership of the collection identified by IRI. Load matches
// ActorLoader.Load, so every Storage is also an ActorLoader.
type Storage interface {
	Load(vocab.IRI, ...filters.Check) (vocab.Item, error)
	Save(vocab.Item) (vocab.Item, error)
	Delete(vocab.Item) error
	Create(vocab.CollectionInterface) (vocab.CollectionInterface, error)
	AddTo(vocab.IRI, ...vocab.Item) error
	RemoveFrom(vocab.IRI, ...vocab.Item) error
}

Directories

Path Synopsis
cmd
auth command
internal
