auth

package
v1.3.6 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Feb 4, 2026 License: AGPL-3.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// Sentinel errors exported by the auth package. They are plain errors.New
// values, so callers can match them with errors.Is.
// NOTE(review): which function returns which error is not visible in this
// listing; confirm against the implementation before relying on it.
var (
	// Message text: "invalid credentials".
	ErrInvalidCredentials = errors.New("invalid credentials")
	// Message text: "session expired".
	ErrSessionExpired     = errors.New("session expired")
	// Message text: "invalid token".
	ErrInvalidToken       = errors.New("invalid token")
)

Common errors

Functions

func GenerateAPIToken

func GenerateAPIToken() (string, error)

GenerateAPIToken creates a secure random API token

func GetSessionFromRequest

func GetSessionFromRequest(r *http.Request) string

GetSessionFromRequest extracts the session token from the request

func HashPassword

func HashPassword(password string) (string, error)

HashPassword creates an Argon2id hash of a password

func VerifyPasswordHash

func VerifyPasswordHash(password, encodedHash string) bool

VerifyPasswordHash checks password against an Argon2id hash

Types

type Config

// Config holds authentication configuration.
type Config struct {
	// MasterPasswordHash is presumably the encoded Argon2id hash (the form
	// HashPassword returns), not the plaintext password. TODO confirm.
	MasterPasswordHash string
	// SessionSecret is secret key material; presumably the key behind the
	// HMAC-SHA256 session hashing described for ValidateSession (confirm).
	// Keep it out of logs and version control.
	SessionSecret      string
	// SessionDuration presumably bounds how long a created session stays
	// valid. TODO confirm against CreateSession.
	SessionDuration    time.Duration
}

Config holds authentication configuration

type FailedLoginTracker added in v1.1.3

type FailedLoginTracker struct {
	// contains filtered or unexported fields
}

FailedLoginTracker tracks failed login attempts per IP for progressive delays

func NewFailedLoginTracker added in v1.1.3

func NewFailedLoginTracker() *FailedLoginTracker

NewFailedLoginTracker creates a new tracker

func (*FailedLoginTracker) GetDelay added in v1.1.3

func (t *FailedLoginTracker) GetDelay(ip string) time.Duration

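GetDelay returns the delay before the next login attempt is allowed. Progressive delays: 0s, 1s, 2s, 4s, 8s, 16s, 30s (max). Delays are keyed on the ip string the caller passes, so behind a reverse proxy that value should come from a trusted source rather than a client-supplied header.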

func (*FailedLoginTracker) RecordFailure added in v1.1.3

func (t *FailedLoginTracker) RecordFailure(ip string)

RecordFailure records a failed login attempt

func (*FailedLoginTracker) RecordSuccess added in v1.1.3

func (t *FailedLoginTracker) RecordSuccess(ip string)

RecordSuccess clears failed attempts for an IP

type Service

type Service struct {
	// contains filtered or unexported fields
}

Service handles authentication

func NewService

func NewService(db *sql.DB, masterPassword, sessionSecret string, sessionDuration time.Duration, logger *slog.Logger, authDisabled bool) *Service

NewService creates a new authentication service. The master password is hashed at startup using Argon2id for secure storage in memory. If a pre-hashed password is provided, it's used directly without re-hashing. If authDisabled is true, authentication is completely bypassed (use with external auth); in that mode the service itself protects nothing, so it should only be reachable through the external authentication layer.

func (*Service) CleanupExpiredSessions

func (s *Service) CleanupExpiredSessions() error

CleanupExpiredSessions removes all expired sessions

func (*Service) ClearSessionCookie

func (s *Service) ClearSessionCookie(w http.ResponseWriter)

ClearSessionCookie clears the session cookie

func (*Service) CreateSession

func (s *Service) CreateSession() (string, error)

CreateSession creates a new session and returns the session token

func (*Service) InvalidateSession

func (s *Service) InvalidateSession(token string) error

InvalidateSession removes a session. MIGRATION STRATEGY: Supports both hash formats to ensure old sessions can be properly invalidated.

func (*Service) IsAuthDisabled added in v1.2.2

func (s *Service) IsAuthDisabled() bool

IsAuthDisabled returns whether authentication is disabled

func (*Service) SetSessionCookie

func (s *Service) SetSessionCookie(w http.ResponseWriter, token string)

SetSessionCookie sets the session cookie on the response

func (*Service) UpdatePassword

func (s *Service) UpdatePassword(newPassword string) error

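UpdatePassword updates the master password (in-memory only, resets on restart). For persistent password storage, this would need to be stored in the database. Because the change is not persisted, the password configured at startup is in effect again after a restart.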

func (*Service) ValidateSession

func (s *Service) ValidateSession(token string) bool

ValidateSession checks if a session token is valid. MIGRATION STRATEGY: Supports both HMAC-SHA256 (new) and SHA256 (legacy) for backward compatibility:
- Tries HMAC-SHA256 first (all new sessions)
- Falls back to SHA256 only for old sessions
- Automatically upgrades old sessions to HMAC-SHA256 on first use

The SHA256 fallback is presumably only needed until sessions created before the migration have expired or been upgraded.

func (*Service) VerifyPassword

func (s *Service) VerifyPassword(password string) bool

VerifyPassword checks if the provided password matches the master password

func (*Service) VerifyPasswordWithDelay added in v1.1.3

func (s *Service) VerifyPasswordWithDelay(password, clientIP string) (bool, time.Duration)

VerifyPasswordWithDelay checks the password and enforces progressive delays. Returns: valid bool, remainingDelay time.Duration.
