juancwu/authkit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
authkit/service_seed.go
juancwu d3c5367492 Rebuild for v1.0.0: postgres-only, slug-keyed authz, predicate API 
Drops the Dialect/Queries abstraction in favor of a single PostgreSQL 16+
implementation collapsed into the root authkit package, removes the
public store interfaces, and reshapes the authorization model around
seeded slugs (roles, permissions, abilities) with optional labels.

Schema is now squashed into one migrations/0001_init.sql and applied
automatically on authkit.New (opt-out via Config.SkipAutoMigrate). A
schema verifier checks tables/columns/types/nullability on startup,
tolerates extra columns, and falls back to default table names when a
configured override is missing.

Auth API: CreateUser + SetPassword replace Register; password is
nullable. Email OTP (RequestEmailOTP/ConsumeEmailOTP) joins magic links
and password reset, all with anti-enumeration silent-success defaults
and a Config.RevealUnknownEmail opt-in. Service tokens drop owner
columns and validate ability slugs against authkit_abilities at issue.
Direct user permissions live alongside role-derived ones; queries
return their UNION.

Predicate API: HasRole/HasPermission/HasAbility leaves with
AnyLogin/AllLogin/AnyServiceKey/AllServiceKey combinators. Validate
runs at middleware construction, panicking on unknown slugs.

Middleware collapses to RequireLogin (cookie + JWT), RequireGuest
(configurable OnAuthenticated), and RequireServiceKey. UserIDFromCtx /
UserFromCtx (lazy) / RefreshUserInCtx provide request-lifetime user
caching. Cookie defaults flip to Secure=true and HttpOnly=true via
*bool with BoolPtr opt-out.

CLIs ship under cmd/perms, cmd/roles, cmd/abilities for seeding the
authorization vocabulary; the library never seeds rows itself.

Tests cover unit-level (slug validation + fuzz, opaque secrets, email
normalization, extractors, predicates, OTP generator) and integration
flows gated on AUTHKIT_TEST_DATABASE_URL (every Auth method, schema
drift detection, migration idempotency, lazy user cache, all middleware
paths).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 23:27:30 +00:00

201 lines
5.8 KiB
Go
Raw Permalink Blame History

package authkit
import (
"context"
"git.juancwu.dev/juancwu/errx"
)
// CreateRole inserts a new role. Slug must be a valid normalized slug;
// returns ErrSlugInvalid otherwise. Returns ErrSlugTaken if the slug is
// already in use.
func (a *Auth) CreateRole(ctx context.Context, slug, label string) (*Role, error) {
const op = "authkit.Auth.CreateRole"
if err := validateSlug(op, slug); err != nil {
return nil, err
}
r := &Role{Slug: slug, Label: label}
if err := a.storeCreateRole(ctx, r); err != nil {
return nil, errx.Wrap(op, err)
}
return r, nil
}
// GetRoleBySlug fetches a role by its slug.
func (a *Auth) GetRoleBySlug(ctx context.Context, slug string) (*Role, error) {
const op = "authkit.Auth.GetRoleBySlug"
r, err := a.storeGetRoleBySlug(ctx, slug)
if err != nil {
return nil, errx.Wrap(op, err)
}
return r, nil
}
// ListRoles returns every role ordered by slug.
func (a *Auth) ListRoles(ctx context.Context) ([]*Role, error) {
const op = "authkit.Auth.ListRoles"
out, err := a.storeListRoles(ctx)
if err != nil {
return nil, errx.Wrap(op, err)
}
return out, nil
}
// DeleteRole removes a role by its slug. Cascades to user_roles and
// role_permissions. Returns ErrRoleNotFound if absent.
func (a *Auth) DeleteRole(ctx context.Context, slug string) error {
const op = "authkit.Auth.DeleteRole"
r, err := a.storeGetRoleBySlug(ctx, slug)
if err != nil {
return errx.Wrap(op, err)
}
if err := a.storeDeleteRole(ctx, r.ID); err != nil {
return errx.Wrap(op, err)
}
return nil
}
// CreatePermission inserts a new permission.
func (a *Auth) CreatePermission(ctx context.Context, slug, label string) (*Permission, error) {
const op = "authkit.Auth.CreatePermission"
if err := validateSlug(op, slug); err != nil {
return nil, err
}
p := &Permission{Slug: slug, Label: label}
if err := a.storeCreatePermission(ctx, p); err != nil {
return nil, errx.Wrap(op, err)
}
return p, nil
}
// GetPermissionBySlug fetches a permission by its slug.
func (a *Auth) GetPermissionBySlug(ctx context.Context, slug string) (*Permission, error) {
const op = "authkit.Auth.GetPermissionBySlug"
p, err := a.storeGetPermissionBySlug(ctx, slug)
if err != nil {
return nil, errx.Wrap(op, err)
}
return p, nil
}
// ListPermissions returns every permission ordered by slug.
func (a *Auth) ListPermissions(ctx context.Context) ([]*Permission, error) {
const op = "authkit.Auth.ListPermissions"
out, err := a.storeListPermissions(ctx)
if err != nil {
return nil, errx.Wrap(op, err)
}
return out, nil
}
// DeletePermission removes a permission by its slug. Cascades to
// role_permissions and user_permissions.
func (a *Auth) DeletePermission(ctx context.Context, slug string) error {
const op = "authkit.Auth.DeletePermission"
p, err := a.storeGetPermissionBySlug(ctx, slug)
if err != nil {
return errx.Wrap(op, err)
}
if err := a.storeDeletePermission(ctx, p.ID); err != nil {
return errx.Wrap(op, err)
}
return nil
}
// CreateAbility inserts a new ability for service tokens.
func (a *Auth) CreateAbility(ctx context.Context, slug, label string) (*Ability, error) {
const op = "authkit.Auth.CreateAbility"
if err := validateSlug(op, slug); err != nil {
return nil, err
}
ab := &Ability{Slug: slug, Label: label}
if err := a.storeCreateAbility(ctx, ab); err != nil {
return nil, errx.Wrap(op, err)
}
return ab, nil
}
// GetAbilityBySlug fetches an ability by its slug.
func (a *Auth) GetAbilityBySlug(ctx context.Context, slug string) (*Ability, error) {
const op = "authkit.Auth.GetAbilityBySlug"
ab, err := a.storeGetAbilityBySlug(ctx, slug)
if err != nil {
return nil, errx.Wrap(op, err)
}
return ab, nil
}
// ListAbilities returns every ability ordered by slug.
func (a *Auth) ListAbilities(ctx context.Context) ([]*Ability, error) {
const op = "authkit.Auth.ListAbilities"
out, err := a.storeListAbilities(ctx)
if err != nil {
return nil, errx.Wrap(op, err)
}
return out, nil
}
// DeleteAbility removes an ability by its slug. Cascades to
// service_key_abilities.
func (a *Auth) DeleteAbility(ctx context.Context, slug string) error {
const op = "authkit.Auth.DeleteAbility"
ab, err := a.storeGetAbilityBySlug(ctx, slug)
if err != nil {
return errx.Wrap(op, err)
}
if err := a.storeDeleteAbility(ctx, ab.ID); err != nil {
return errx.Wrap(op, err)
}
return nil
}
// GrantPermissionToRole adds permSlug to roleSlug's permission set.
// Idempotent.
func (a *Auth) GrantPermissionToRole(ctx context.Context, roleSlug, permSlug string) error {
const op = "authkit.Auth.GrantPermissionToRole"
r, err := a.storeGetRoleBySlug(ctx, roleSlug)
if err != nil {
return errx.Wrap(op, err)
}
p, err := a.storeGetPermissionBySlug(ctx, permSlug)
if err != nil {
return errx.Wrap(op, err)
}
if err := a.storeAssignPermissionToRole(ctx, r.ID, p.ID); err != nil {
return errx.Wrap(op, err)
}
return nil
}
// RevokePermissionFromRole removes permSlug from roleSlug's permission set.
// Idempotent.
func (a *Auth) RevokePermissionFromRole(ctx context.Context, roleSlug, permSlug string) error {
const op = "authkit.Auth.RevokePermissionFromRole"
r, err := a.storeGetRoleBySlug(ctx, roleSlug)
if err != nil {
return errx.Wrap(op, err)
}
p, err := a.storeGetPermissionBySlug(ctx, permSlug)
if err != nil {
return errx.Wrap(op, err)
}
if err := a.storeRemovePermissionFromRole(ctx, r.ID, p.ID); err != nil {
return errx.Wrap(op, err)
}
return nil
}
// ListRolePermissions returns permissions granted to a role through the
// role-permission link only (not direct user grants).
func (a *Auth) ListRolePermissions(ctx context.Context, roleSlug string) ([]*Permission, error) {
const op = "authkit.Auth.ListRolePermissions"
r, err := a.storeGetRoleBySlug(ctx, roleSlug)
if err != nil {
return nil, errx.Wrap(op, err)
}
out, err := a.storeGetRolePermissions(ctx, r.ID)
if err != nil {
return nil, errx.Wrap(op, err)
}
return out, nil
}
Reference in a new issue View git blame Copy permalink