Documentation
¶
Overview ¶
Package jwt manages access-token issuance and verification using configured signing keys and strict validation semantics suitable for low-latency authentication paths.
Supported algorithms ¶
Ed25519 (default, recommended) and HS256. Algorithm selection is immutable after construction via NewManager.
Architecture boundaries ¶
This package owns token encoding/decoding and claim construction. It does NOT manage sessions, refresh tokens, or permission evaluation. The parent Engine is responsible for coordinating JWT issuance with session creation.
What this package must NOT do ¶
- Access Redis or any network resource.
- Import the parent goAuth package (to avoid import cycles).
- Cache tokens — callers control caching policy.
- Embed sensitive data (passwords, MFA secrets) in claims.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AccessClaims ¶
type AccessClaims struct {
UID string `json:"uid"`
TID string `json:"tid,omitempty"`
SID string `json:"sid"`
Mask []byte `json:"mask,omitempty"`
PermVersion uint32 `json:"pv,omitempty"`
RoleVersion uint32 `json:"rv,omitempty"`
AccountVersion uint32 `json:"av,omitempty"`
jwt.RegisteredClaims
}
AccessClaims represents the decoded claims from a JWT access token, including user ID, tenant, session ID, permission mask, and version counters.
Docs: docs/jwt.md
func (*AccessClaims) UnmarshalJSON ¶ added in v0.2.0
func (c *AccessClaims) UnmarshalJSON(data []byte) error
UnmarshalJSON accepts both the current string tenant claim and legacy numeric tenant claims so access tokens minted before the migration remain parseable during rollout.
type Config ¶
type Config struct {
AccessTTL time.Duration
SigningMethod SigningMethod
PrivateKey []byte
PublicKey []byte
Issuer string
Audience string
Leeway time.Duration
RequireIAT bool
MaxFutureIAT time.Duration
KeyID string
VerifyKeys map[string][]byte
}
Config holds JWT manager initialization parameters: TTLs, signing keys, issuer, audience, leeway, and IAT validation options.
Docs: docs/jwt.md
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager handles JWT access token creation and parsing. It holds the signing key, parser, and claim validation options. Safe for concurrent use.
Docs: docs/jwt.md
func NewManager ¶
NewManager creates a JWT Manager from the given Config. It initializes the signing key, parser, and claim validation options.
Docs: docs/jwt.md
func (*Manager) CreateAccess ¶
func (j *Manager) CreateAccess( uid string, tid string, sid string, mask []byte, permVersion uint32, roleVersion uint32, accountVersion uint32, includeMask bool, includePermVersion bool, includeRoleVersion bool, includeAccountVersion bool, isRoot bool, ) (string, error)
CreateAccess mints a signed JWT access token with the given claims (userID, tenantID, sessionID, permission mask, version counters).
Performance: single ECDSA/RSA/HMAC sign operation. Docs: docs/jwt.md
func (*Manager) ParseAccess ¶
func (j *Manager) ParseAccess(tokenStr string) (*AccessClaims, error)
ParseAccess verifies and parses a JWT access token, returning the embedded claims. Returns an error if the signature, expiry, issuer, or audience checks fail.
Performance: single signature verify + claim decode. Docs: docs/jwt.md
type SigningMethod ¶
type SigningMethod string
SigningMethod identifies the JWT signing algorithm (e.g., ES256, RS256, HS256).
Docs: docs/jwt.md
const ( // MethodEd25519 is an exported constant or variable used by the authentication engine. MethodEd25519 SigningMethod = "ed25519" // MethodHS256 is an exported constant or variable used by the authentication engine. MethodHS256 SigningMethod = "hs256" )
Source Files