Documentation

Index
- Variables
- func GenerateSecret() ([]byte, error)
- type AccessClaims
- type Argon2Params
- type PasswordHasher
- type TokenConfig
- type TokenService
- func (s *TokenService) GenerateAccessToken(userID int64, publicID string, isAdmin bool) (string, error)
- func (s *TokenService) GenerateRefreshToken() (string, error)
- func (s *TokenService) GetAccessTokenTTL() time.Duration
- func (s *TokenService) GetRefreshTokenTTL() time.Duration
- func (s *TokenService) HashRefreshToken(token string) string
- func (s *TokenService) ValidateAccessToken(tokenString string) (*AccessClaims, error)
Constants

This section is empty.

Variables

var (
	ErrInvalidToken         = errors.New("invalid token")
	ErrTokenExpired         = errors.New("token has expired")
	ErrInvalidSigningMethod = errors.New("invalid signing method")
)

Token errors.
var ErrInvalidHash = errors.New("invalid hash format")
ErrInvalidHash is returned when the hash format is invalid.
var ErrPasswordMismatch = errors.New("password does not match")
ErrPasswordMismatch is returned when password verification fails.
Functions

func GenerateSecret

func GenerateSecret() ([]byte, error)

GenerateSecret generates a random secret for JWT signing. Should be called once and stored persistently.
Types

type AccessClaims

type AccessClaims struct {
	jwt.RegisteredClaims
	UserID  int64 `json:"uid"` // Internal user ID for efficient database lookups
	IsAdmin bool  `json:"adm"`
}

AccessClaims represents the claims in an access token.
type Argon2Params

type Argon2Params struct {
	Memory      uint32 // Memory in KiB
	Iterations  uint32 // Number of iterations
	Parallelism uint8  // Number of parallel threads
	SaltLength  uint32 // Salt length in bytes
	KeyLength   uint32 // Output key length in bytes
}

Argon2Params holds the parameters for Argon2id hashing. Based on OWASP recommendations.

func DefaultArgon2Params

func DefaultArgon2Params() *Argon2Params

DefaultArgon2Params returns OWASP-recommended Argon2id parameters. These provide a good balance of security and performance.
type PasswordHasher

type PasswordHasher struct {
	// contains filtered or unexported fields
}

PasswordHasher handles password hashing and verification using Argon2id.

func NewPasswordHasher

func NewPasswordHasher(params *Argon2Params) *PasswordHasher

NewPasswordHasher creates a new password hasher with the given parameters. If params is nil, default parameters are used.

func (*PasswordHasher) Hash

func (h *PasswordHasher) Hash(password string) (string, error)

Hash generates an Argon2id hash of the password. Returns a string in the format: $argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>

func (*PasswordHasher) Verify

func (h *PasswordHasher) Verify(password, encodedHash string) error

Verify checks if the password matches the hash. Returns nil if the password is correct, ErrPasswordMismatch otherwise.
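The encoded form documented for Hash, $argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>, is what Verify has to parse before it can re-derive the key and compare. The program below is an added example and not the package's own code: it encodes and parses that format, returns ErrInvalidHash for anything malformed (wrong variant, wrong version, zero parameters, bad base64), and performs the constant-time comparison that Verify ends with. It assumes the PHC convention of unpadded standard base64 for the salt and hash (the page shows only placeholders). The Argon2id derivation itself would be golang.org/x/crypto/argon2's IDKey, which is deliberately not called here so that the example runs with the standard library alone.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors with the same names and messages as the documented package.
var (
	ErrInvalidHash      = errors.New("invalid hash format")
	ErrPasswordMismatch = errors.New("password does not match")
)

// Argon2Params mirrors the documented parameter struct.
type Argon2Params struct {
	Memory      uint32 // KiB
	Iterations  uint32
	Parallelism uint8
	SaltLength  uint32
	KeyLength   uint32
}

// ParsedHash is what an encoded string decodes to.
type ParsedHash struct {
	Params Argon2Params
	Salt   []byte
	Hash   []byte
}

// Assumption: salt and hash are unpadded standard base64, as in the PHC
// string format; the page shows only the placeholders <salt> and <hash>.
var phcEncoding = base64.RawStdEncoding

// EncodeArgon2idHash builds "$argon2id$v=19$m=<M>,t=<T>,p=<P>$<salt>$<hash>".
func EncodeArgon2idHash(p Argon2Params, salt, hash []byte) string {
	return fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
		p.Memory, p.Iterations, p.Parallelism,
		phcEncoding.EncodeToString(salt), phcEncoding.EncodeToString(hash))
}

// ParseArgon2idHash decodes the string above, returning ErrInvalidHash for
// anything that is not a well-formed argon2id v19 hash with sane parameters.
func ParseArgon2idHash(encoded string) (*ParsedHash, error) {
	// The leading "$" makes parts[0] empty:
	// ["", "argon2id", "v=19", "m=..,t=..,p=..", salt, hash]
	parts := strings.Split(encoded, "$")
	if len(parts) != 6 || parts[0] != "" || parts[1] != "argon2id" {
		return nil, ErrInvalidHash
	}
	var version int
	if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil || version != 19 {
		return nil, ErrInvalidHash
	}
	var ph ParsedHash
	n, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d",
		&ph.Params.Memory, &ph.Params.Iterations, &ph.Params.Parallelism)
	if err != nil || n != 3 || ph.Params.Memory == 0 || ph.Params.Iterations == 0 || ph.Params.Parallelism == 0 {
		return nil, ErrInvalidHash
	}
	if ph.Salt, err = phcEncoding.DecodeString(parts[4]); err != nil || len(ph.Salt) == 0 {
		return nil, ErrInvalidHash
	}
	if ph.Hash, err = phcEncoding.DecodeString(parts[5]); err != nil || len(ph.Hash) == 0 {
		return nil, ErrInvalidHash
	}
	ph.Params.SaltLength = uint32(len(ph.Salt))
	ph.Params.KeyLength = uint32(len(ph.Hash))
	return &ph, nil
}

// CompareDerivedKey is the last step of Verify: the key re-derived from the
// candidate password with the parsed salt and parameters (argon2.IDKey in the
// real package) is compared in constant time against the stored hash, so a
// mismatch leaks nothing about where the bytes diverge.
func CompareDerivedKey(stored, derived []byte) error {
	if subtle.ConstantTimeCompare(stored, derived) != 1 {
		return ErrPasswordMismatch
	}
	return nil
}

func main() {
	// Constructed sample values; a real salt comes from crypto/rand and a
	// real hash from the Argon2id derivation.
	enc := EncodeArgon2idHash(Argon2Params{Memory: 65536, Iterations: 3, Parallelism: 4},
		[]byte("constructed-salt"), []byte("constructed-key-32-bytes-long!!!"))
	fmt.Println(enc)
	ph, err := ParseArgon2idHash(enc)
	fmt.Printf("%+v %v\n", ph.Params, err)
	_, err = ParseArgon2idHash("$argon2i$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA")
	fmt.Println("argon2i variant:", err)
}
```

Parsing the parameters out of the stored string rather than from DefaultArgon2Params is what lets a deployment raise its cost settings later: old hashes still verify with the parameters they were created with, and can be re-hashed on the next successful login.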
type TokenConfig

type TokenConfig struct {
	// Secret is the signing key for JWTs
	Secret []byte
	// AccessTokenTTL is the access token lifetime
	AccessTokenTTL time.Duration
	// RefreshTokenTTL is the refresh token lifetime
	RefreshTokenTTL time.Duration
	// Issuer is the JWT issuer claim
	Issuer string
}

TokenConfig holds configuration for the token service.

func DefaultTokenConfig

func DefaultTokenConfig(secret []byte) *TokenConfig

DefaultTokenConfig returns default token configuration.
type TokenService

type TokenService struct {
	// contains filtered or unexported fields
}

TokenService handles JWT generation and validation.

func NewTokenService

func NewTokenService(config *TokenConfig) *TokenService

NewTokenService creates a new token service.

func (*TokenService) GenerateAccessToken

func (s *TokenService) GenerateAccessToken(userID int64, publicID string, isAdmin bool) (string, error)

GenerateAccessToken creates a new access token for a user. The publicID is used in the Subject claim for external representation. The userID (int64) is stored in the uid claim for efficient internal lookups.

func (*TokenService) GenerateRefreshToken

func (s *TokenService) GenerateRefreshToken() (string, error)

GenerateRefreshToken creates a new cryptographically secure refresh token. It returns the raw token (to be sent to the client), which should be hashed before storage.

func (*TokenService) GetAccessTokenTTL

func (s *TokenService) GetAccessTokenTTL() time.Duration

GetAccessTokenTTL returns the access token time-to-live.

func (*TokenService) GetRefreshTokenTTL

func (s *TokenService) GetRefreshTokenTTL() time.Duration

GetRefreshTokenTTL returns the refresh token time-to-live.

func (*TokenService) HashRefreshToken

func (s *TokenService) HashRefreshToken(token string) string

HashRefreshToken creates a SHA-256 hash of a refresh token for storage.
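GenerateSecret, GenerateRefreshToken and HashRefreshToken together describe one pattern: random bytes go out to the client, only a SHA-256 digest goes into the database. The program below is an added example, not the package's code. The function bodies, the 32-byte sizes, the base64url encoding of the refresh token and the hex encoding of the digest are assumptions, as is the in-memory RefreshStore that stands in for the database table. It shows why storing only the hash is sufficient: the server looks tokens up by digest, so a copied table contains nothing a client could present, and consuming the hash on redemption gives single-use rotation.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrInvalidToken = errors.New("invalid token")

// GenerateSecret returns 32 bytes from crypto/rand, a full-strength key for
// HMAC-SHA256 JWT signing. Same signature as the documented function; the
// body and the 32-byte size are assumptions.
func GenerateSecret() ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return secret, nil
}

// GenerateRefreshToken returns 32 random bytes (256 bits of entropy) as
// unpadded base64url, safe for a cookie or JSON body. Encoding is an assumption.
func GenerateRefreshToken() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// HashRefreshToken returns hex(SHA-256(token)). A plain unsalted hash is
// adequate here because the input is already a uniformly random 256-bit
// value, not a low-entropy password.
func HashRefreshToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// RefreshStore is a constructed in-memory stand-in for the database table
// that holds refresh-token hashes. Only hashes are stored; the raw token
// exists solely on the client.
type RefreshStore struct {
	userByHash map[string]int64
}

func NewRefreshStore() *RefreshStore {
	return &RefreshStore{userByHash: make(map[string]int64)}
}

// Issue mints a token for userID, stores its hash, and returns the raw token.
func (s *RefreshStore) Issue(userID int64) (string, error) {
	token, err := GenerateRefreshToken()
	if err != nil {
		return "", err
	}
	s.userByHash[HashRefreshToken(token)] = userID
	return token, nil
}

// Redeem looks the presented token up by its hash and consumes it, so each
// refresh token is single-use and an already-rotated copy is worthless.
func (s *RefreshStore) Redeem(token string) (int64, error) {
	h := HashRefreshToken(token)
	userID, ok := s.userByHash[h]
	if !ok {
		return 0, ErrInvalidToken
	}
	delete(s.userByHash, h)
	return userID, nil
}

func main() {
	store := NewRefreshStore()
	token, err := store.Issue(42)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client holds:  %s\nserver stores: %s\n", token, HashRefreshToken(token))
	uid, err := store.Redeem(token)
	fmt.Println("first redeem:", uid, err)
	_, err = store.Redeem(token)
	fmt.Println("second redeem:", err)
}
```

In a real deployment the store row would also carry the expiry derived from GetRefreshTokenTTL and a revocation flag; the lookup-by-digest shape stays the same.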
func (*TokenService) ValidateAccessToken

func (s *TokenService) ValidateAccessToken(tokenString string) (*AccessClaims, error)

ValidateAccessToken validates an access token and returns its claims.
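ValidateAccessToken is documented only as "validates an access token and returns its claims". To make the checks behind that sentence concrete, here is an added, standard-library-only HS256 implementation of GenerateAccessToken and ValidateAccessToken. It is not the package's code (the package embeds jwt.RegisteredClaims from a JWT library); the claim names iss, sub, iat and exp are the standard registered claims, uid and adm come from the AccessClaims on this page, and the issuer check, the order of checks and the injectable clock are assumptions. It returns the page's three sentinel errors where each applies: ErrInvalidSigningMethod when the alg header is anything but HS256, ErrTokenExpired once exp has passed, and ErrInvalidToken for a bad signature or structure.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Sentinel errors, named and worded as on the page.
var (
	ErrInvalidToken         = errors.New("invalid token")
	ErrTokenExpired         = errors.New("token has expired")
	ErrInvalidSigningMethod = errors.New("invalid signing method")
)

// AccessClaims spells out the registered claims (iss, sub, iat, exp) that the
// page's embedded jwt.RegisteredClaims carries, plus the documented uid and adm.
type AccessClaims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"` // publicID: the external representation
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
	UserID    int64  `json:"uid"` // internal ID for efficient lookups
	IsAdmin   bool   `json:"adm"`
}

type TokenService struct {
	secret    []byte
	issuer    string
	accessTTL time.Duration
	now       func() time.Time // injectable clock (assumption) so expiry is testable
}

func NewTokenService(secret []byte, issuer string, accessTTL time.Duration) *TokenService {
	return &TokenService{secret: secret, issuer: issuer, accessTTL: accessTTL, now: time.Now}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeSegment base64url-decodes one dot-separated segment into v.
func decodeSegment(seg string, v interface{}) bool {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// sign is HMAC-SHA256 over "<header>.<payload>" with the service secret.
func (s *TokenService) sign(signingInput string) string {
	mac := hmac.New(sha256.New, s.secret)
	mac.Write([]byte(signingInput))
	return b64(mac.Sum(nil))
}

// GenerateAccessToken mirrors the documented signature: publicID becomes sub, userID becomes uid.
func (s *TokenService) GenerateAccessToken(userID int64, publicID string, isAdmin bool) (string, error) {
	now := s.now()
	payload, err := json.Marshal(AccessClaims{
		Issuer: s.issuer, Subject: publicID, IssuedAt: now.Unix(),
		ExpiresAt: now.Add(s.accessTTL).Unix(), UserID: userID, IsAdmin: isAdmin,
	})
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + s.sign(signingInput), nil
}

// ValidateAccessToken checks structure, then pins alg to HS256, then the
// signature, and only then trusts the claims enough to check issuer and expiry.
func (s *TokenService) ValidateAccessToken(tokenString string) (*AccessClaims, error) {
	parts := strings.Split(tokenString, ".")
	if len(parts) != 3 {
		return nil, ErrInvalidToken
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if !decodeSegment(parts[0], &header) {
		return nil, ErrInvalidToken
	}
	// The verifier decides the algorithm, never the token: "none" and any
	// asymmetric alg are refused before the signature is even looked at.
	if header.Alg != "HS256" {
		return nil, ErrInvalidSigningMethod
	}
	if !hmac.Equal([]byte(s.sign(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return nil, ErrInvalidToken
	}
	var claims AccessClaims
	if !decodeSegment(parts[1], &claims) || claims.Issuer != s.issuer { // issuer check is an assumption
		return nil, ErrInvalidToken
	}
	if claims.ExpiresAt == 0 || !s.now().Before(time.Unix(claims.ExpiresAt, 0)) {
		return nil, ErrTokenExpired
	}
	return &claims, nil
}
```

The ordering matters for detection as much as for correctness: an ErrInvalidSigningMethod in the logs means someone presented a token whose header tried to choose a different algorithm, which a legitimate client of this service never does, whereas ErrTokenExpired is routine and just means the client should use its refresh token.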