Package app connections to applications over a reverse tunnel and forwards HTTP requests to them.

BuildDeviceWebRedirectPath constructs the redirect path for device web authorization.

CheckResourceUpsert checks if the resource can be created or updated, depending on the http method.

ConstructSSHResponse creates a special SSH response for SSH login method that encodes everything using the client's secret key.

CreateResource is a helper function for POST requests from the UI to create a new resource.

ExtractResourceAndValidate extracts resource information from given string and validates basic fields.

GetWebCfgEntitlements takes a cloud entitlement set and returns a modules Entitlement set.

NewDebugFileSystem returns the HTTP file system implementation.

NewHandler returns a new instance of web proxy handler.

NewServer constructs a [Server] from the provided [ServerConfig].

NewTerminal creates a web-based terminal based on WebSockets and returns a new TerminalHandler.

NewXForwardedForMiddleware is an HTTP middleware that overwrites client source address if X-Forwarded-For is set.

OK is a response that indicates request was successful.

ParseSSORequestParams extracts the SSO request parameters from an http.Request, returning them in an SSORequestParams struct.

ProcessDefaultConnector returns the default connector type and validates that the provided connectors list contains the default connector that is set in the auth preference.

QueryLimit returns the limit parameter with the specified name from the query string.

queryLimitAsInt32 returns the limit parameter with the specified name from the query string.

RedirectURLWithError adds an err query parameter to the given redirect URL with the given errReply message and returns the new URL.

SetClock sets the clock on a handler.

SSOSetWebSessionAndRedirectURL validates the CSRF token in the response against that in the request, validates that the callback URL in the response can be parsed, and sets a session cookie with the username and session name from the response.

UpdateResource is a helper function for PUT requests from the UI to update an existing resource.

DefaultAgentUpdateJitterSeconds is the default jitter agents should wait before updating.

DefaultFeatureWatchInterval is the default time in which the feature watcher should ping the auth server to check for updated features.

IncludedResourceModeAll describes that all resources, requestable and available, should be returned.

IncludedResourceModeAll describes that only requestable resources should be returned.

KubeExecDataWaitTimeout is how long server would wait for user to send pod exec data (namespace, pod name etc) on websocket connection, after user initiated the exec into pod flow.

OIDCJWKWURI is the relative path where the OIDC IdP JWKS is located.

OktaJWKSWellknownURI is the relative path where the Okta JWKS is located.

SNISuffix is the server name suffix used during SNI to specify the target desktop to connect to.

SSOLoginFailureInvalidRedirect is a slightly specific error message for SSO failures related to the use of an invalid or disallowed login callback URL in tsh login.

SSOLoginFailureMessage is a generic error message to avoid disclosing sensitive SSO failure messages.

AccessGraphPreferencesResponse is the JSON response for Access Graph preferences.

AssistUserPreferencesResponse is the JSON response for the assist user preferences.

AuthParams are used to construct redirect URL containing auth information back to tsh login.

ClusterUserPreferencesResponse is the JSON response for the user's cluster preferences.

Config represents web handler configuration parameters.

CreateAppSessionResponse is a request to POST /v1/webapi/sessions/app.

CreateAppSessionResponse is a response to POST /v1/webapi/sessions/app.

CreateBotJoinTokenRequest represents a client request to create a bot join token.

CreateSessionReq is a request to create session from username, password and second factor token.

CreateSessionResponse returns OAuth compabible data about access token: https://tools.ietf.org/html/rfc6749.

DatabaseSessionRequest describes a request to create a web-based terminal database session.

DiscoverGuidePreferences defines preferences related to discover guides.

DiscoverResourcePreferencesResponse is the JSON response for discover resource preference as part of the user preference request.

GetTokensResponse returns a list of JoinTokens.

Handler is HTTP web proxy handler.

PodExecRequest describes a request to create a web-based terminal to exec into a pod.

ProxySettings is a helper type that allows to fetch the current proxy configuration.

Server serves the web api.

ServerConfig provides dependencies required to create a [Server].

SessionContext is a context associated with a user's web session.

SSOCallbackResponse holds the parameters for validating and executing an SSO callback URL.

SSORequestParams holds parameters parsed out of a HTTP request initiating an SSO login.

TerminalHandler connects together an SSH session with a web-based terminal via a web socket.

TerminalHandlerConfig contains the configuration options necessary to correctly set up the TerminalHandler.

TerminalRequest describes a request to create a web-based terminal to a remote SSH server.

UserPreferencesResponse is the JSON response for the user preferences.

ClusterClientProvider is an interface for a type which can provide authenticated clients to remote clusters.

NetworkConfigGetter is a helper interface that allows to fetch the current proxy configuration.

SessionController restricts creation of sessions based on cluster session control configuration(locks, connection limits, etc).

UserAuthClient is a subset of the Auth API that performs operations on behalf of the user so that the correct RBAC is applied.

ClusterClientHandler is an authenticated handler which can get a client for any remote cluster.

ClusterHandler is a authenticated handler that is called for some existing remote cluster.

ClusterWebsocketHandler is a authenticated websocket handler that is called for some existing remote cluster.

ConnectionHandler defines a function for serving incoming connections.

ContextHandler is a handler called with the auth context, what means it is authenticated and ready to work.

HandlerOption is a functional argument - an option that can be passed to NewHandler function.

PresenceChecker is a function that executes an MFA prompt to enforce that a user is present.

ProvisionTokenHandler is a authenticated handler that is called for some existing Token.

SessionControllerFunc type is an adapter to allow the use of ordinary functions a [SessionController].