Documentation ¶
Overview ¶
Package account provides support for creating email-keyed user accounts, checking their credentials, and safely performing changes to them in a transactionally consistent way.
Index ¶
- Variables
- func ChangeEmail(ctx context.Context, oldEmail, newEmail string) error
- func Get(ctx context.Context, email string, account *Account) error
- func HasChanged(ctx context.Context, account *Account) (bool, error)
- func Remove(ctx context.Context, account *Account) error
- func Save(ctx context.Context, account *Account) error
- type Account
- func (a *Account) CheckPassword(proposedPassword string) error
- func (a *Account) HasRole(role string) bool
- func (a *Account) IsZero() bool
- func (a *Account) Key(ctx context.Context) *datastore.Key
- func (a *Account) Nobody() bool
- func (a *Account) SetPassword(plaintextPassword string) (err error)
- func (a *Account) Super() bool
Constants ¶
This section is empty.
Variables ¶
```go
var (
	// Super is a special account that represents the superuser,
	// i.e., the user authenticated by knowing the auth secret itself.
	// With great power comes great responsibility; DO NOT USE Super
	// EXCEPT DURING INITIAL API SETUP AND DEPLOYMENT.
	Super = Account{
		Email: "super@",
		Roles: []string{},
		// contains filtered or unexported fields
	}

	// Nobody is a special account that represents an unauthenticated
	// user, i.e., a user with no particular access privileges.
	Nobody = Account{
		Email: "nobody@",
		Roles: []string{},
		// contains filtered or unexported fields
	}
)
```
var Entity = "APIAccount"
Entity is the name of the Datastore entity used to store API accounts.
var ErrAccountExists = errors.New(http.StatusConflict, "An account with that email already exists")
var ErrConflict = errors.New(http.StatusConflict, "A competing change to the account has already been made")
var ErrPasswordTooShort = errors.New(http.StatusBadRequest, "Password is too short")
var ErrUnsaveableAccount = errors.New(http.StatusBadRequest, "This is a special account that cannot be saved")
Functions ¶
func ChangeEmail ¶
ChangeEmail changes the email address of an account from oldEmail to newEmail. It performs this operation atomically.
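Why Email should only change through ChangeEmail, as an added example that is not this package's code: the Account.Email documentation on this page gives the key as the 128-bit FNV-1a hash of the email, so a rename is a move between two keys that has to happen as one step. The in-memory `memStore`, the hex encoding of the key and the two error values are assumptions made for the illustration.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"hash/fnv"
	"sync"
)

// keyFor derives the storage key as the 128-bit FNV-1a hash of the email.
// Hex-encoding the digest is an assumption of this example.
func keyFor(email string) string {
	h := fnv.New128a()
	h.Write([]byte(email)) // hash.Hash writes never return an error
	return hex.EncodeToString(h.Sum(nil))
}

// memStore is a constructed in-memory stand-in for the datastore.
type memStore struct {
	mu   sync.Mutex
	rows map[string]string // key -> email; other account fields omitted
}

var errExists = errors.New("an account with that email already exists")
var errMissing = errors.New("no such account")

// changeEmail moves the row from the old key to the new key under one lock,
// so no reader ever observes zero or two copies of the account.
func (s *memStore) changeEmail(oldEmail, newEmail string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	oldKey, newKey := keyFor(oldEmail), keyFor(newEmail)
	if _, ok := s.rows[oldKey]; !ok {
		return errMissing
	}
	if _, taken := s.rows[newKey]; taken && newKey != oldKey {
		return errExists
	}
	delete(s.rows, oldKey)
	s.rows[newKey] = newEmail
	return nil
}

func main() {
	s := &memStore{rows: map[string]string{keyFor("a@example.com"): "a@example.com"}}
	fmt.Println(s.changeEmail("a@example.com", "b@example.com"), s.rows)
}
```

The key is computed over the exact bytes of the email, so `A@example.com` and `a@example.com` land on different keys in this model; whether the package normalises case is not stated on this page.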
func Get ¶
Get retrieves the account identified by email and stores it in the value pointed to by account.
func HasChanged ¶
HasChanged checks the current state of an account in the datastore. It returns true if the saved version of the account has diverged from the state of the account as described in account.
func Remove ¶
Remove safely deletes an account and all its associated information in the datastore. This includes any objects that are descendants of the Account (i.e., a cascading delete).
func Save ¶
Save saves the account pointed to by account to the datastore. It modifies account.LastUpdatedAt for convenience. It returns an error if the account cannot be saved because it was not obtained through the API methods, or if the state of the account in the datastore has changed in the interim.
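The conflict check that Save describes, modelled as an added example (not this package's code) with a version counter on an in-memory store. The `acct` type, its `version` field and `versionedStore` are hypothetical stand-ins, since the page does not show how the real unexported fields track state.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// acct is a constructed stand-in for Account; version plays the unexported state.
type acct struct {
	Email   string
	Roles   []string
	version int // version of the stored row this copy was read at
}

var errConflict = errors.New("a competing change has already been made")

type versionedStore struct {
	mu   sync.Mutex
	rows map[string]acct // keyed by email for brevity
}

// get returns a private copy so callers cannot alias the stored Roles slice.
func (s *versionedStore) get(email string) acct {
	s.mu.Lock()
	defer s.mu.Unlock()
	a := s.rows[email]
	a.Roles = append([]string(nil), a.Roles...)
	return a
}

// save writes a only if the stored version is still the one a was read at,
// so a stale or hand-built copy cannot overwrite a newer role change.
func (s *versionedStore) save(a *acct) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.rows[a.Email].version != a.version {
		return errConflict
	}
	a.version++
	s.rows[a.Email] = acct{Email: a.Email, Roles: append([]string(nil), a.Roles...), version: a.version}
	return nil
}

func main() {
	s := &versionedStore{rows: map[string]acct{"a@example.com": {Email: "a@example.com", version: 1}}}
	x, y := s.get("a@example.com"), s.get("a@example.com") // two editors read the same state
	x.Roles = append(x.Roles, "admin")
	fmt.Println(s.save(&x), s.save(&y)) // the second writer holds a stale copy
}
```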
Types ¶
type Account ¶
```go
type Account struct {
	// CreatedAt stores the time at which this account was originally created.
	CreatedAt time.Time `json:"createdAt,omitempty"`

	// LastUpdatedAt represents the last time at which this account was modified.
	LastUpdatedAt time.Time `json:"lastUpdatedAt,omitempty"`

	// Email is the email address associated with this account. It is also used
	// to generate the key for the account, which is the 128-bit FNV-1a hash of
	// the email address. Do not modify this value directly; instead, use ChangeEmail.
	Email string `json:"email,omitempty"`

	// Roles is a list of semantic privileges the account may have
	// access to. For instance, having a role of "admin" may entitle
	// a user to access to restricted portions of your API, whereas
	// a role of "event_manager" may allow a user permission to change
	// a hypothetical "event" object. It is recommended to use Roles
	// in conjunction with auth.Check.
	Roles []string `json:"roles,omitempty"`

	// SecurePassword is a bcrypt hash of the account's password.
	// Do not read or modify this variable yourself; use
	// CheckPassword and SetPassword instead.
	SecurePassword []byte `json:"-" datastore:",noindex"`
	// contains filtered or unexported fields
}
```
Account represents an account to access the API. It handles all logic to do with authentication and password checking.
func New ¶
New creates and returns a new blank account. It returns an error if an account with the specified email address already exists.
func (*Account) CheckPassword ¶
CheckPassword securely compares account's SecurePassword with the bcrypt hash of proposedPassword. See the documentation of bcrypt.CompareHashAndPassword for more information.
func (*Account) IsZero ¶
IsZero returns true if the account object is the zero value for the Account type.
func (*Account) SetPassword ¶
SetPassword changes SecurePassword to the bcrypt hash of plaintextPassword. It returns an error if the password is insufficiently entropic. See the documentation of bcrypt.GenerateFromPassword for more information.
Directories ¶
Path | Synopsis |
---|---|
| | Package auth provides middleware and support for working with accounts within the context of an HTTP request, including getting accounts based on JWTs. |