Skip to content

webserver.auth #

Session Authentication

The session authentication module provides functionality for apps to keep, authenticate, and moderate user sessions. After a successful login, the session authenticator can be used to register session tokens to user id's. These session tokens can then be stored in client devices, verified by the session authenticator, and used to implement user authentication and access control.

Terminology

  • Refresh token: long lived (default 30 days) session token kept by client. It can be used to generate access tokens or revoke users other refresh tokens.
  • Access token:
  • signed token:
  • decoded token:

Authentication Flow

  1. User registers to application with user data.
  2. Application assigns user a unique user id
  3. Application requests session authenticator (can be remote) to generate refresh token for the uuid.
  4. Application requests session authenticator to generate access token from the refresh token.
  5. Application stores refresh and access tokens on the client device.
  6. User requests to view user data with access token (if token is expired user first generates a new access token)
  7. Application requests session authenticator to verify access token
  8. Application

Using auth.session

The session authentication module provides functionality for apps to keep, authenticate, and moderate user sessions. After a successful login, the session authenticator can be used to register session tokens to user id's. These session tokens can then be stored in client devices, verified by the session authenticator, and used to implement user authentication and access control.

Authenticator Keys

The Authenticator uses a secret key to sign and verify tokens. Both access and refresh tokens require a separate secret key. By default, the secret keys of the Authenticator is generated upon struct creation. For in memory applications this is sufficient, however applications storing user session tables in permanent memory should also store their secret keys safely in permanent ways, and create the authenticator with the correct keys.

Registering User Session

The session authenticator identifies users from a unique string. This unique identifier is passed to the session authenticator when registering a user session. This allows the session authenticator to associate multiple session tokens with a unique identifier. As such separate mobile session and browser session tokens can persist and be used to authenticate the same unique identifier. This also allows for applications to revoke and thus invalidate multiple session tokens belonging to a unique identifier.

The session authenticator does not associate the unique identifier with a user, the implementation of that is decided by the application logic. The session authenticator solely verifies the association of an access token with a specific unique identifier, thus authenticating that the unique identifier belongs to the user possessing the token.

User sessions

To use the vweb controller in the module, you need to create a session.Controller and add it to your vweb application as a controller. While it is not necessary, using session.Client, the client for the controller is recommended.

By doing so, you are able to run session controller endpoints in your vweb app, which embeds all of the essential session authentication functions into your application. You can then make client calls to interact with the session controller. The client is added to the application the following way

fn new #

fn new(config AuthenticatorConfig) !Authenticator

fn new_client #

fn new_client(config ClientConfig) Client

fn new_server #

fn new_server(config AuthenticatorConfig) !AuthServer

struct AccessRequest #

struct AccessRequest {
	asset_id    string
	access_type authorization.AccessType
}

struct AuthServer #

struct AuthServer {
	vweb.Context
mut:
	auth Authenticator @[vweb_global]
}

fn (AuthServer) index #

fn (mut server AuthServer) index() vweb.Result

fn (AuthServer) register #

fn (mut ctrl AuthServer) register() vweb.Result

fn (AuthServer) login_challenge #

fn (mut ctrl AuthServer) login_challenge() vweb.Result

fn (AuthServer) login #

fn (mut ctrl AuthServer) login() vweb.Result

fn (AuthServer) authenticate #

fn (mut ctrl AuthServer) authenticate() vweb.Result

fn (AuthServer) get_user #

fn (mut ctrl AuthServer) get_user() vweb.Result

struct Authenticator #

struct Authenticator {
	// vweb.Context
	refresh_secret string = jwt.create_secret() // secret used for signing/verifying refresh tokens
	access_secret  string = jwt.create_secret() // secret used for signing/verifying refresh tokens
pub mut:
	identity identity.IdentityManager
	email    ?email.Authenticator
	// analytics  analytics.Analyzer
	authorizer authorization.Authorizer
	session    session.SessionAuth
	tokens     tokens.Tokens
	route      string
	// backend   DatabaseBackend
	logger &log.Logger = &log.Logger(&log.Log{
	level: .debug
})
}

Authenticator deals and authenticates refresh and access tokens

fn (Authenticator) authenticate #

fn (mut auth Authenticator) authenticate(access_token string) !

fn (Authenticator) authorize #

fn (mut app Authenticator) authorize(params AuthorizeParams) !bool

TODO

fn (Authenticator) get_access_token #

fn (mut app Authenticator) get_access_token(context vweb.Context) ?SignedJWT

fn (Authenticator) get_user #

fn (mut auth Authenticator) get_user(token_ string) !identity.User

fn (Authenticator) log_analytics #

fn (mut app Authenticator) log_analytics(token string) !

TODO log_analytics logs analytic related logs

fn (Authenticator) login #

fn (mut auth Authenticator) login(identifier string) !Registration

fn (Authenticator) login_challenge #

fn (mut auth Authenticator) login_challenge(config email.SendMailConfig) !

fn (Authenticator) register #

fn (mut auth Authenticator) register(identifier string) !Registration

fn (Authenticator) register_admin #

fn (mut auth Authenticator) register_admin(email string)

struct Authenticator2 #

struct Authenticator2 {
	// vweb.Context
	refresh_secret string = jwt.create_secret() // secret used for signing/verifying refresh tokens
	access_secret  string = jwt.create_secret() // secret used for signing/verifying refresh tokens
pub mut:
	identity identity.IdentityManager
	email    ?email.Authenticator
	// analytics  analytics.Analyzer
	authorizer authorization.Authorizer
	session    session.SessionAuth
	tokens     tokens.Tokens
	route      string
	// backend   DatabaseBackend
	logger &log.Logger = &log.Logger(&log.Log{
	level: .debug
})
}

Authenticator deals and authenticates refresh and access tokens

struct AuthenticatorConfig #

@[params]
struct AuthenticatorConfig {
	email.AuthenticatorConfig
	refresh_secret string = jwt.create_secret() // secret used for signing/verifying refresh tokens
	access_secret  string = jwt.create_secret() // secret used for signing/verifying refresh tokens
	authorizer     authorization.Authorizer
	// backend        DatabaseBackend [required]
	logger &log.Logger = &log.Logger(&log.Log{
	level: .debug
})
}

struct AuthorizeParams #

struct AuthorizeParams {
	asset_id     string
	access_type  authorization.AccessType
	access_token string
}

struct Client #

struct Client {
	url string @[required]
mut:
	identity      identity.Client
	tokens        tokens.Tokens
	session       session.Client
	authorization authorization.Client
}

// session controller that be be added to vweb projects

fn (Client) authorize #

fn (mut c Client) authorize(params AuthorizeParams) !bool

fn (Client) assign_admin #

fn (c Client) assign_admin(user identity.User) !

fn (Client) create_group #

fn (c Client) create_group(group identity.Group) !

fn (Client) register #

fn (mut c Client) register(user identity.User) !string

struct ClientConfig #

struct ClientConfig {
	url string
}

struct Registration #

struct Registration {
	user   identity.User
	tokens tokens.AuthTokens
}
Powered by vdoc.