forked from volatiletech/authboss
-
Notifications
You must be signed in to change notification settings - Fork 0
/
config.go
272 lines (229 loc) · 9.58 KB
/
config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
package authboss
import (
"net/http"
"time"
"golang.org/x/crypto/bcrypt"
)
// Config holds all the configuration for both authboss and it's modules.
type Config struct {
Customized struct {
LoginFailedNotice string
MicrosoftClientID string
GoogleClientID string
}
Paths struct {
// Mount is the path to mount authboss's routes at (eg /auth).
Mount string
// NotAuthorized is the default URL to kick users back to when
// they attempt an action that requires them to be logged in and
// they're not auth'd
NotAuthorized string
// AuthLoginOK is the redirect path after a successful authentication.
AuthLoginOK string
// ConfirmOK once a user has confirmed their account
// this says where they should go
ConfirmOK string
// ConfirmNotOK is used by the middleware, when a user is still supposed
// to confirm their account, this is where they should be redirected to.
ConfirmNotOK string
// LockNotOK is a path to go to when the user fails
LockNotOK string
// LogoutOK is the redirect path after a log out.
LogoutOK string
// OAuth2LoginOK is the redirect path after a successful oauth2 login
OAuth2LoginOK string
// OAuth2LoginNotOK is the redirect path after
// an unsuccessful oauth2 login
OAuth2LoginNotOK string
// RecoverOK is the redirect path after a successful recovery of a
// password.
RecoverOK string
// RegisterOK is the redirect path after a successful registration.
RegisterOK string
// RootURL is the scheme+host+port of the web application
// (eg https://www.happiness.com:8080) for url generation.
// No trailing slash.
RootURL string
// TwoFactorEmailAuthNotOK is where a user is redirected when
// the user attempts to add 2fa to their account without verifying
// their e-mail OR when they've completed the first step towards
// verification and need to check their e-mail to proceed.
TwoFactorEmailAuthNotOK string
}
Modules struct {
// BCryptCost is the cost of the bcrypt password hashing function.
BCryptCost int
// ConfirmMethod IS DEPRECATED! See MailRouteMethod instead.
//
// ConfirmMethod controls which http method confirm expects.
// This is because typically this is a GET request since it's a link
// from an e-mail, but in api-like cases it needs to be able to be a
// post since there's data that must be sent to it.
ConfirmMethod string
// ExpireAfter controls the time an account is idle before being
// logged out by the ExpireMiddleware.
ExpireAfter time.Duration
// LockAfter this many tries.
LockAfter int
// LockWindow is the waiting time before the number of attemps are reset.
LockWindow time.Duration
// LockDuration is how long an account is locked for.
LockDuration time.Duration
// LogoutMethod is the method the logout route should use
// (default should be DELETE)
LogoutMethod string
// MailRouteMethod is used to set the type of request that's used for
// routes that require a token from an e-mail link's query string.
// This is things like confirm and two factor e-mail auth.
//
// You should probably set this to POST if you are building an API
// so that the user goes to the frontend with their link & token
// and the front-end calls the API with the token in a POST JSON body.
//
// This configuration setting deprecates ConfirmMethod.
// If ConfirmMethod is set to the default value (GET) then
// MailRouteMethod is used. If ConfirmMethod is not the default value
// then it is used until Authboss v3 when only MailRouteMethod will be
// used.
MailRouteMethod string
// RegisterPreserveFields are fields used with registration that are
// to be rendered when post fails in a normal way
// (for example validation errors), they will be passed back in the
// data of the response under the key DataPreserve which
// will be a map[string]string.
//
// All fields that are to be preserved must be able to be returned by
// the ArbitraryValuer.GetValues()
//
// This means in order to have a field named "address" you would need
// to have that returned by the ArbitraryValuer.GetValues() method and
// then it would be available to be whitelisted by this
// configuration variable.
RegisterPreserveFields []string
// RecoverTokenDuration controls how long a token sent via
// email for password recovery is valid for.
RecoverTokenDuration time.Duration
// RecoverLoginAfterRecovery says for the recovery module after a
// user has successfully recovered the password, are they simply
// logged in, or are they redirected to the login page with an
// "updated password" message.
RecoverLoginAfterRecovery bool
// OAuth2Providers lists all providers that can be used. See
// OAuthProvider documentation for more details.
OAuth2Providers map[string]OAuth2Provider
// TwoFactorEmailAuthRequired forces users to first confirm they have
// access to their e-mail with the current device by clicking a link
// and confirming a token stored in the session.
TwoFactorEmailAuthRequired bool
// TOTP2FAIssuer is the issuer that appears in the url when scanning
// a qr code for google authenticator.
TOTP2FAIssuer string
// DEPRECATED: See ResponseOnUnauthed
// RoutesRedirectOnUnauthed controls whether or not a user is redirected
// or given a 404 when they are unauthenticated and attempting to access
// a route that's login-protected inside Authboss itself.
// The otp/twofactor modules all use authboss.Middleware to protect
// their routes and this is the redirectToLogin parameter in that
// middleware that they pass through.
RoutesRedirectOnUnauthed bool
// ResponseOnUnauthed controls how a user is responded to when
// attempting to access a route that's login-protected inside Authboss
// itself. The otp/twofactor modules all use authboss.Middleware2 to
// protect their routes and this is the failResponse parameter in that
// middleware that they pass through.
//
// This deprecates RoutesRedirectOnUnauthed. If RoutesRedirectOnUnauthed
// is true, the value of this will be set to RespondRedirect until
// authboss v3.
ResponseOnUnauthed MWRespondOnFailure
}
Mail struct {
// RootURL is a full path to an application that is hosting a front-end
// Typically using a combination of Paths.RootURL and Paths.Mount
// MailRoot will be assembled if not set.
// Typically looks like: https://our-front-end.com/authenication
// No trailing slash.
RootURL string
// From is the email address authboss e-mails come from.
From string
// FromName is the name authboss e-mails come from.
FromName string
// SubjectPrefix is used to add something to the front of the authboss
// email subjects.
SubjectPrefix string
}
Storage struct {
// CookieName used to clean cookie when it is invalid.
CookieName string
// Storer is the interface through which Authboss accesses the web apps
// database for user operations.
Server ServerStorer
// CookieState must be defined to provide an interface capapable of
// storing cookies for the given response, and reading them from the
// request.
CookieState ClientStateReadWriter
// SessionState must be defined to provide an interface capable of
// storing session-only values for the given response, and reading them
// from the request.
SessionState ClientStateReadWriter
// SessionStateWhitelistKeys are set to preserve keys in the session
// when authboss.DelAllSession is called. A correct implementation
// of ClientStateReadWriter will delete ALL session key-value pairs
// unless that key is whitelisted here.
SessionStateWhitelistKeys []string
}
Core struct {
// Router is the entity that controls all routing to authboss routes
// modules will register their routes with it.
Router Router
// ErrorHandler wraps http requests with centralized error handling.
ErrorHandler ErrorHandler
// Responder takes a generic response from a controller and prepares
// the response, uses a renderer to create the body, and replies to the
// http request.
Responder HTTPResponder
// Redirector can redirect a response, similar to Responder but
// responsible only for redirection.
Redirector HTTPRedirector
// BodyReader reads validatable data from the body of a request to
// be able to get data from the user's client.
BodyReader BodyReader
// ViewRenderer loads the templates for the application.
ViewRenderer Renderer
// MailRenderer loads the templates for mail. If this is nil, it will
// fall back to using the Renderer created from the ViewLoader instead.
MailRenderer Renderer
// Mailer is the mailer being used to send e-mails out via smtp
Mailer Mailer
// Logger implies just a few log levels for use, can optionally
// also implement the ContextLogger to be able to upgrade to a
// request specific logger.
Logger Logger
}
}
// Defaults sets the configuration's default values.
func (c *Config) Defaults() {
c.Paths.Mount = "/auth"
c.Paths.NotAuthorized = "/"
c.Paths.AuthLoginOK = "/"
c.Paths.ConfirmOK = "/"
c.Paths.ConfirmNotOK = "/"
c.Paths.LockNotOK = "/"
c.Paths.LogoutOK = "/"
c.Paths.OAuth2LoginOK = "/"
c.Paths.OAuth2LoginNotOK = "/"
c.Paths.RecoverOK = "/"
c.Paths.RegisterOK = "/"
c.Paths.RootURL = "http://localhost:8080"
c.Paths.TwoFactorEmailAuthNotOK = "/"
c.Modules.BCryptCost = bcrypt.DefaultCost
c.Modules.ConfirmMethod = http.MethodGet
c.Modules.ExpireAfter = time.Hour
c.Modules.LockAfter = 3
c.Modules.LockWindow = 5 * time.Minute
c.Modules.LockDuration = 12 * time.Hour
c.Modules.LogoutMethod = "DELETE"
c.Modules.MailRouteMethod = http.MethodGet
c.Modules.RecoverLoginAfterRecovery = false
c.Modules.RecoverTokenDuration = 24 * time.Hour
}