# README
## Package auth

Package auth provides helpers for encryption, hashing and encoding.

### Setup

Set up the package on startup, supplying the keys as hex strings from your configuration:

```go
auth.HMACKey = auth.HexToBytes("myhmac_key_from_config")
auth.SecretKey = auth.HexToBytes("my_secret_key_from_config")
auth.SessionName = "my_cookie_name"
auth.SecureCookies = true
```
### Hashed Passwords

Use auth.HashPassword to hash passwords and auth.CheckPassword to check hashed passwords (with bcrypt):

```go
user.HashedPassword, err = auth.HashPassword(params.Get("password"))
if err != nil {
	return err
}
err = auth.CheckPassword(params.Get("password"), user.HashedPassword)
```
### Encrypted Sessions

Use auth.Session to set and get values from cookies, encrypted with AES-GCM:

```go
// Build the session from the secure cookie, or create a new one
session, err := auth.Session(writer, request)
if err != nil {
	return err
}
// Store something in the session
session.Set("my_key", "my_value")
session.Save(writer)
```
### Random Tokens

Generate random tokens with the crypto/rand package and compare them in constant time with the crypto/subtle package:

```go
// Generate a new token
token := auth.RandomToken(32)
// Check tokens
if auth.CheckRandomToken(tok1, tok2) {
	// Tokens match
}
```
### Authorisation

You can use auth/can (a separate package) to authorise access to resources.

To authorise actions:

```go
// Add an authorisation for admins to manage the pages resource
can.Authorise(role.Admin, can.ManageResource, "pages")
```

To check authorisation in handlers:

```go
// Check whether resource (conforming to can.Resource)
// can be managed by user (conforming to can.User)
can.Manage(resource, user)
```

Interfaces for users and resources:

```go
// User defines the interface for users, which must have numeric roles
type User interface {
	RoleID() int64 // for role check
	UserID() int64 // for ownership check
}

// Resource defines the interface for resources
type Resource interface {
	OwnedBy(int64) bool // for ownership check, passed a UserID
	ResourceID() string // for check against abilities registered on this resource
}
```
# Packages

Package can implements basic role-based permissions for Go, controlling who can.Do certain actions on a given database table.

# Functions

- `AuthenticityToken` returns a new token for a request and, if necessary, sets the cookie with our secret.
- `AuthenticityTokenWithSecret` generates a new authenticity token from the secret by XORing a new random token with it and prepending the random bytes. See https://github.com/rails/rails/pull/16570 or gorilla/csrf for justification.
- `Base64ToBytes` converts a base64 string to bytes.
- `BytesToBase64` converts bytes to a base64 string representation.
- `BytesToHex` converts bytes to a hex string representation.
- `CheckAuthenticityToken` checks the token against the one stored in the session cookie, and returns an error if the check fails.
- `CheckAuthenticityTokenWithSecret` checks an authenticity token against a secret.
- `CheckCSRFToken` is DEPRECATED; this function will be removed in 2.0.
- `CheckPassword` compares a password against a bcrypt hash.
- `CheckRandomToken` compares two tokens in a manner resistant to timing attacks.
- `ClearSession` clears the current session cookie.
- `CreateMAC` creates a MAC.
- `CSRFToken` is DEPRECATED; this function will be removed in 2.0.
- `Decrypt` decrypts data using 256-bit AES-GCM.
- `Encrypt` encrypts data using 256-bit AES-GCM.
- `EncryptPassword` has been renamed and is DEPRECATED; this function will be removed in 2.0.
- `HashPassword` hashes a password with a random salt using bcrypt.
- `HexToBytes` converts a hex string representation of bytes to bytes.
- `RandomToken` generates a random token 32 bytes long, or of the specified length if an argument is provided.
- `Session` loads the current session or returns a new blank session.
- `SessionGet` loads the current session (if any).
- `VerifyMAC` verifies that the MAC is valid using ConstantTimeCompare.
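The masking scheme that AuthenticityTokenWithSecret describes (a fresh random token XORed with the session secret, random bytes prepended) and the constant-time check that verifies it, as an added worked example. This is not the package's own code; it assumes a 32-byte secret and uses the hypothetical names MaskToken and CheckMaskedToken.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// TokenLength is the byte length of the session secret and of the random mask (assumed 32).
const TokenLength = 32

// MaskToken returns mask || (mask XOR secret). A fresh mask per call means the
// token embedded in each page differs, so the session secret never appears verbatim in a response body.
func MaskToken(secret []byte) ([]byte, error) {
	if len(secret) != TokenLength {
		return nil, fmt.Errorf("secret must be %d bytes, got %d", TokenLength, len(secret))
	}
	mask := make([]byte, TokenLength)
	if _, err := rand.Read(mask); err != nil {
		return nil, err
	}
	out := make([]byte, 2*TokenLength)
	copy(out, mask)
	for i := range secret {
		out[TokenLength+i] = mask[i] ^ secret[i]
	}
	return out, nil
}

// CheckMaskedToken unmasks the token with its own prefix and compares the result with
// the session secret in constant time. Lengths are checked first: ConstantTimeCompare
// returns 0 immediately for unequal lengths, and the slice bounds below need them fixed.
func CheckMaskedToken(token, secret []byte) bool {
	if len(token) != 2*TokenLength || len(secret) != TokenLength {
		return false
	}
	mask, masked := token[:TokenLength], token[TokenLength:]
	unmasked := make([]byte, TokenLength)
	for i := range masked {
		unmasked[i] = masked[i] ^ mask[i]
	}
	return subtle.ConstantTimeCompare(unmasked, secret) == 1
}

func main() {
	secret := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte sample secret
	tok, _ := MaskToken(secret)
	fmt.Printf("%x %v\n", tok, CheckMaskedToken(tok, secret)) // prints the masked token, then true
}
```

The value stored in the session cookie is the unmasked secret, while each form or header carries a differently masked token; both verify, and a token of the wrong length or for another session's secret is rejected.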
# Constants

- `HashCost` sets the cost of bcrypt hashes; if this changes, hashed passwords would need to be recalculated.
- `TokenLength` sets the length of the random tokens used for authenticity tokens.

# Variables

- `HMACKey` is a 32-byte key for generating HMACs, distinct from SecretKey.
- `MaxAge` is the age in seconds of a cookie before it expires; default 60 days.
- `MaxCookieSize` is the maximum length of a cookie in bytes; defaults to 4096.
- `SecretKey` is a 32-byte key for encrypting content with AES-GCM.
- `SecureCookies` is true if we use secure HTTPS cookies.
- `SessionName` is the name of the session cookie.
- `SessionTokenKey` is the session token key.
- `SessionUserKey` is the session user key.

# Structs

- `CookieSessionStore` is a concrete implementation of SessionStore which stores the information encrypted in cookies.

# Interfaces

- `SessionStore` is the interface for a session store.