postgres

package
v0.0.0-...-a502854 Latest Latest
Published: Nov 13, 2025 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MigrateDown

func MigrateDown(databaseURL string) error

MigrateDown rolls back the most recent migration (use with caution: it is not guarded by a confirmation step and runs against whatever database the URL points at).

func MigrateUp

func MigrateUp(databaseURL string) error

MigrateUp applies all pending database schema migrations

func MigrateVersion

func MigrateVersion(databaseURL string) (uint, bool, error)

MigrateVersion returns the current migration version

Types

type DB

type DB struct {
	// contains filtered or unexported fields
}

DB wraps the pgx connection pool

func NewDB

func NewDB(ctx context.Context, databaseURL string, logger logger) (*DB, error)

NewDB creates a new database connection pool

func (*DB) Close

func (d *DB) Close()

Close closes the database connection pool

func (*DB) Health

func (d *DB) Health(ctx context.Context) error

Health checks if the database is healthy

func (*DB) Pool

func (d *DB) Pool() *pgxpool.Pool

Pool returns the underlying pgx connection pool

func (*DB) Queries

func (d *DB) Queries() *sqlc.Queries

Queries returns a new Queries instance for executing SQL queries

func (*DB) WithTenantContext

func (d *DB) WithTenantContext(ctx context.Context, fn func(*sqlc.Queries) error) error

WithTenantContext executes a function within a tenant-scoped transaction. It sets app.current_tenant_id so that Row Level Security policies enforce tenant isolation automatically for every query run through the supplied Queries.

func (*DB) WithTransaction

func (d *DB) WithTransaction(ctx context.Context, fn func(*sqlc.Queries) error) error

WithTransaction executes a function within a database transaction. Use it for pre-authentication operations (registration, email verification) where no tenant context is available; unlike WithTenantContext, it does not set app.current_tenant_id, so Row Level Security policies are not applied on the caller's behalf.

type LoginAttemptsDB

type LoginAttemptsDB struct {
	// contains filtered or unexported fields
}

LoginAttemptsDB tracks failed login attempts for progressive lockout and audit trail

func NewLoginAttemptsDB

func NewLoginAttemptsDB(db *DB) *LoginAttemptsDB

func (*LoginAttemptsDB) DeleteOldLoginAttempts

func (r *LoginAttemptsDB) DeleteOldLoginAttempts(ctx context.Context, olderThan time.Time) error

DeleteOldLoginAttempts cleans up old audit data (recommended: retain 30-90 days for compliance)

func (*LoginAttemptsDB) GetMostRecentLockout

func (r *LoginAttemptsDB) GetMostRecentLockout(ctx context.Context, email string) (*time.Time, error)

GetMostRecentLockout returns latest lockout expiry time (nil if no active lockouts)

func (*LoginAttemptsDB) GetRecentFailedAttempts

func (r *LoginAttemptsDB) GetRecentFailedAttempts(ctx context.Context, email string, since time.Time) (int64, error)

GetRecentFailedAttempts counts failed login attempts since specified time (for lockout calculation)

func (*LoginAttemptsDB) RecordAttempt

func (r *LoginAttemptsDB) RecordAttempt(ctx context.Context, email string, userID *uuid.UUID, ipAddress *string, lockedUntil *time.Time) error

RecordAttempt logs failed login attempt with calculated lockout expiry (pre-authentication operation)

type OIDCLinksDB

type OIDCLinksDB struct {
	// contains filtered or unexported fields
}

OIDCLinksDB manages user-to-provider links for SSO (tracks by provider's sub claim)

func NewOIDCLinksDB

func NewOIDCLinksDB(db *DB) *OIDCLinksDB
func (o *OIDCLinksDB) CreateOIDCLink(ctx context.Context, link *auth.OIDCLink) (*auth.OIDCLink, error)

CreateOIDCLink creates link between user and provider (tracks by immutable sub claim)

func (o *OIDCLinksDB) DeleteOIDCLink(ctx context.Context, userID uuid.UUID, providerID uuid.UUID) error

DeleteOIDCLink deletes an OIDC link by user ID and provider ID

func (*OIDCLinksDB) GetOIDCLinkByProvider

func (o *OIDCLinksDB) GetOIDCLinkByProvider(ctx context.Context, providerID uuid.UUID, providerUserID string) (*auth.OIDCLink, error)

GetOIDCLinkByProvider retrieves link by provider's sub claim (allows email reassignment)

func (*OIDCLinksDB) GetOIDCLinkByUser

func (o *OIDCLinksDB) GetOIDCLinkByUser(ctx context.Context, userID uuid.UUID, providerID uuid.UUID) (*auth.OIDCLink, error)

GetOIDCLinkByUser retrieves an OIDC link by user ID and provider ID

func (*OIDCLinksDB) ListOIDCLinksByUser

func (o *OIDCLinksDB) ListOIDCLinksByUser(ctx context.Context, userID uuid.UUID) ([]*auth.OIDCLink, error)

ListOIDCLinksByUser lists all OIDC links for a user

func (*OIDCLinksDB) UpdateOIDCLinkLastUsed

func (o *OIDCLinksDB) UpdateOIDCLinkLastUsed(ctx context.Context, id uuid.UUID) error

UpdateOIDCLinkLastUsed updates the last_used_at timestamp

type OIDCProvidersDB

type OIDCProvidersDB struct {
	// contains filtered or unexported fields
}

OIDCProvidersDB manages tenant-specific OIDC provider configs with encrypted secrets

func NewOIDCProvidersDB

func NewOIDCProvidersDB(db *DB, cipher *aes.Cipher) *OIDCProvidersDB

func (*OIDCProvidersDB) CreateOIDCProvider

func (o *OIDCProvidersDB) CreateOIDCProvider(ctx context.Context, provider *auth.OIDCProviderConfig) (*auth.OIDCProviderConfig, error)

CreateOIDCProvider stores provider config with AES-256-GCM encrypted client secret

func (*OIDCProvidersDB) DeleteOIDCProviderByID

func (o *OIDCProvidersDB) DeleteOIDCProviderByID(ctx context.Context, id uuid.UUID) error

DeleteOIDCProviderByID deletes an OAuth provider by ID

func (*OIDCProvidersDB) GetOIDCProviderByID

func (o *OIDCProvidersDB) GetOIDCProviderByID(ctx context.Context, id uuid.UUID) (*auth.OIDCProviderConfig, error)

GetOIDCProviderByID retrieves provider by ID with tenant isolation

func (*OIDCProvidersDB) GetOIDCProvidersByDomain

func (o *OIDCProvidersDB) GetOIDCProvidersByDomain(ctx context.Context, domain string) ([]*auth.OIDCProviderConfig, error)

GetOIDCProvidersByDomain retrieves all OAuth providers configured for an email domain. This is used for SSO discovery during login (cross-tenant, pre-authentication).

func (*OIDCProvidersDB) ListOIDCProviders

func (o *OIDCProvidersDB) ListOIDCProviders(ctx context.Context) ([]*auth.OIDCProviderConfig, error)

ListOIDCProviders lists all enabled OAuth providers for the tenant

func (*OIDCProvidersDB) UpdateOIDCProvider

func (o *OIDCProvidersDB) UpdateOIDCProvider(ctx context.Context, params *auth.UpdateOIDCProviderParams) (*auth.OIDCProviderConfig, error)

UpdateOIDCProvider updates an OAuth provider. Fields in params that are nil pointers or empty slices are left unchanged (COALESCE in SQL).

type OIDCSessionsDB

type OIDCSessionsDB struct {
	// contains filtered or unexported fields
}

OIDCSessionsDB manages OAuth flow sessions (state, PKCE, provider tracking)

func NewOIDCSessionsDB

func NewOIDCSessionsDB(db *DB) *OIDCSessionsDB

func (*OIDCSessionsDB) CreateOIDCSession

func (o *OIDCSessionsDB) CreateOIDCSession(ctx context.Context, session *auth.OIDCSession) (*auth.OIDCSession, error)

CreateOIDCSession creates temporary session for OAuth flow (CSRF protection via state)

func (*OIDCSessionsDB) DeleteExpiredOIDCSessions

func (o *OIDCSessionsDB) DeleteExpiredOIDCSessions(ctx context.Context) error

DeleteExpiredOIDCSessions deletes all expired OAuth sessions

func (*OIDCSessionsDB) DeleteOIDCSession

func (o *OIDCSessionsDB) DeleteOIDCSession(ctx context.Context, id uuid.UUID) error

DeleteOIDCSession deletes an OAuth session by ID

func (*OIDCSessionsDB) GetOIDCSessionByState

func (o *OIDCSessionsDB) GetOIDCSessionByState(ctx context.Context, state string) (*auth.OIDCSession, error)

GetOIDCSessionByState retrieves session by state parameter (validates CSRF token)

type PasswordResetTokensDB

type PasswordResetTokensDB struct {
	// contains filtered or unexported fields
}

PasswordResetTokensDB manages password reset tokens (pre-authentication operation)

func NewPasswordResetTokensDB

func NewPasswordResetTokensDB(db *DB) *PasswordResetTokensDB

func (*PasswordResetTokensDB) CreateToken

func (r *PasswordResetTokensDB) CreateToken(ctx context.Context, userID uuid.UUID, token string, expiresAt time.Time) (*auth.Token, error)

CreateToken creates or replaces reset token (user_id is PK, enforces one token per user)

func (*PasswordResetTokensDB) DeleteExpiredTokens

func (r *PasswordResetTokensDB) DeleteExpiredTokens(ctx context.Context) error

DeleteExpiredTokens cleans up expired tokens (should be called periodically via cleanup job)

func (*PasswordResetTokensDB) DeleteToken

func (r *PasswordResetTokensDB) DeleteToken(ctx context.Context, userID uuid.UUID) error

DeleteToken removes reset token after successful password change

func (*PasswordResetTokensDB) GetToken

func (r *PasswordResetTokensDB) GetToken(ctx context.Context, token string) (*auth.Token, error)

GetToken retrieves token by token string (pre-authentication, no tenant context)

type UsersDB

type UsersDB struct {
	// contains filtered or unexported fields
}

UsersDB handles user database operations with tenant isolation

func NewUsersDB

func NewUsersDB(db *DB) *UsersDB

NewUsersDB creates a new UsersDB instance

func (*UsersDB) CreateUser

func (u *UsersDB) CreateUser(ctx context.Context, user *auth.User) (*auth.User, error)

CreateUser creates a new user. It uses WithTransaction (not WithTenantContext) because registration happens pre-authentication.

func (*UsersDB) DeleteOldUnverifiedUsers

func (u *UsersDB) DeleteOldUnverifiedUsers(ctx context.Context, days int32) error

DeleteOldUnverifiedUsers deletes unverified users older than the specified number of days. This is a cross-tenant cleanup operation that runs via a scheduled job, not in response to a user request.

func (*UsersDB) DeleteUser

func (u *UsersDB) DeleteUser(ctx context.Context, id uuid.UUID) error

DeleteUser deletes a user with tenant isolation

func (*UsersDB) GetUser

func (u *UsersDB) GetUser(ctx context.Context, id uuid.UUID) (*auth.User, error)

GetUser retrieves a user by ID with tenant isolation

func (*UsersDB) GetUserByEmail

func (u *UsersDB) GetUserByEmail(ctx context.Context, email string) (*auth.User, error)

GetUserByEmail retrieves a user by email without tenant isolation. It is a pre-authentication operation: emails are globally unique for password users, but may be duplicated across SSO users.

func (*UsersDB) UpdateLastLogin

func (u *UsersDB) UpdateLastLogin(ctx context.Context, id uuid.UUID) error

UpdateLastLogin updates a user's last login timestamp with tenant isolation

func (*UsersDB) UpdatePassword

func (u *UsersDB) UpdatePassword(ctx context.Context, id uuid.UUID, passwordHash string) error

UpdatePassword updates a user's password without tenant isolation. Password reset tokens carry the user ID, so tenant context is unnecessary.

func (*UsersDB) UpdateUser

func (u *UsersDB) UpdateUser(ctx context.Context, id uuid.UUID, email string, status auth.UserStatus) (*auth.User, error)

UpdateUser updates a user with tenant isolation

func (*UsersDB) UpdateUserPassword

func (u *UsersDB) UpdateUserPassword(ctx context.Context, id uuid.UUID, passwordHash string) error

UpdateUserPassword updates a user's password with tenant isolation

func (*UsersDB) UpdateUserStatus

func (u *UsersDB) UpdateUserStatus(ctx context.Context, id uuid.UUID, status auth.UserStatus) (*auth.User, error)

UpdateUserStatus updates a user's status without tenant isolation and returns the updated user. Email verification tokens carry the user ID, so tenant context is unnecessary for this operation.

type VerificationTokensDB

type VerificationTokensDB struct {
	// contains filtered or unexported fields
}

VerificationTokensDB manages email verification tokens (pre-authentication operation)

func NewVerificationTokensDB

func NewVerificationTokensDB(db *DB) *VerificationTokensDB

func (*VerificationTokensDB) CreateToken

func (r *VerificationTokensDB) CreateToken(ctx context.Context, userID uuid.UUID, token string, expiresAt time.Time) (*auth.Token, error)

CreateToken creates or replaces verification token (user_id is PK, enforces one token per user)

func (*VerificationTokensDB) DeleteExpiredTokens

func (r *VerificationTokensDB) DeleteExpiredTokens(ctx context.Context) error

DeleteExpiredTokens cleans up expired tokens (should be called periodically via cleanup job)

func (*VerificationTokensDB) DeleteToken

func (r *VerificationTokensDB) DeleteToken(ctx context.Context, userID uuid.UUID) error

DeleteToken removes verification token after successful email confirmation

func (*VerificationTokensDB) GetToken

func (r *VerificationTokensDB) GetToken(ctx context.Context, token string) (*auth.Token, error)

GetToken retrieves token by token string (pre-authentication, no tenant context)

Directories

Path Synopsis
internal
