auth

package
v0.0.0-...-c426b00
Warning

This package is not in the latest version of its module.

Published: Feb 7, 2026 License: MIT Imports: 23 Imported by: 0

Documentation

Constants

const MaxSessionsPerUser = 5

MaxSessionsPerUser limits concurrent sessions to prevent credential stuffing

const SessionTokenBytes = 48

SessionTokenBytes is the entropy for session tokens (384 bits = quantum resistant)

Variables

var DummyHash string

DummyHash is used for constant-time auth to prevent username enumeration

Functions

func CheckPassword

func CheckPassword(encodedHash, password string) (bool, error)

CheckPassword is an alias for VerifyPassword for API compatibility

func CreateSession

func CreateSession(db *sql.DB, userID int) (string, error)

func Decrypt

func Decrypt(encoded string) (string, error)

Decrypt decrypts data using AES-256-GCM and the master key.

func EnableMFA

func EnableMFA(db *sql.DB, userID int, secret string) error

EnableMFA stores the TOTP secret for a user

func Encrypt

func Encrypt(plaintext string) (string, error)

Encrypt encrypts data using AES-256-GCM and the master key.

func GenerateTOTPCode

func GenerateTOTPCode(secret string) (string, error)

GenerateTOTPCode generates the current TOTP code for a secret

func GenerateTOTPSecret

func GenerateTOTPSecret() (string, error)

GenerateTOTPSecret generates a new TOTP secret for a user

func GenerateWireGuardKeys

func GenerateWireGuardKeys() (privateKey, publicKey string, err error)

GenerateWireGuardKeys generates a Curve25519 key pair for WireGuard

func GetMasterKey

func GetMasterKey() ([]byte, error)

GetMasterKey loads or generates the master key with file locking to prevent race conditions. Uses atomic write pattern: write to temp file, then rename.

func GetPublicKeyFromPrivate

func GetPublicKeyFromPrivate(privateKeyB64 string) (string, error)

GetPublicKeyFromPrivate derives the WireGuard public key from a base64 encoded private key

func GetTOTPProvisioningURI

func GetTOTPProvisioningURI(username, secret, issuer string) string

GetTOTPProvisioningURI generates an otpauth:// URI for QR code generation

func GetUserMFAStatus

func GetUserMFAStatus(db *sql.DB, userID int) (bool, string, error)

GetUserMFAStatus checks if user has MFA enabled and returns the secret

func HashPassword

func HashPassword(password string) (string, error)

func HashToken

func HashToken(token string) string

func InvalidateAllSessions

func InvalidateAllSessions(db *sql.DB, userID int) error

InvalidateAllSessions clears all sessions for a user (for password change, logout everywhere)

func VerifyPassword

func VerifyPassword(encodedHash, password string) (bool, error)

func VerifyPasswordConstantTime

func VerifyPasswordConstantTime(encodedHash, password string, userExists bool) (bool, error)

VerifyPasswordConstantTime always runs Argon2id verification to prevent timing attacks. Call this even when the user doesn't exist to prevent username enumeration.

func VerifyTOTP

func VerifyTOTP(secret, code string) bool

VerifyTOTP checks if the provided code matches the current or adjacent windows
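The following is an added example, not this package's source, showing one way a check over "the current or adjacent windows" can be written. The names `totpAt` and `verifyTOTPAt` are hypothetical, and the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), the base32 secret and the one-window tolerance on each side are assumptions the page does not state.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const step = 30 // seconds per TOTP window (RFC 6238 default, assumed here)

// totpAt computes the 6-digit RFC 6238 code (HMAC-SHA1) for one time-step counter.
func totpAt(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// verifyTOTPAt accepts code if it matches the window containing t or either neighbour.
func verifyTOTPAt(secretB32, code string, t time.Time) bool {
	clean := strings.ToUpper(strings.TrimRight(secretB32, "="))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
	if err != nil || len(code) != 6 {
		return false
	}
	now := uint64(t.Unix()) / step
	ok := 0
	for _, c := range []uint64{now - 1, now, now + 1} {
		// Compare every window in constant time; no early return on a match.
		ok |= subtle.ConstantTimeCompare([]byte(totpAt(key, c)), []byte(code))
	}
	return ok == 1
}

func main() {
	secret := "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" // constructed: RFC 6238 test key, base32
	fmt.Println(verifyTOTPAt(secret, "287082", time.Unix(59, 0)))  // same window
	fmt.Println(verifyTOTPAt(secret, "287082", time.Unix(89, 0)))  // one window late
	fmt.Println(verifyTOTPAt(secret, "287082", time.Unix(119, 0))) // two windows late
}
```

A one-window tolerance means each code stays valid for up to about 90 seconds, so a caller would normally also record the last accepted counter per user to reject replays and rate-limit failed attempts.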

Types

This section is empty.
