Documentation ¶
Overview ¶
Package security provides AES-GCM encryption and decryption, secure key generation, HMAC hashing, bcrypt-based password hashing and verification, a mutual-TLS HTTP client, and a preconfigured HTTP(S) server with liveness and readiness probes.
Index ¶
- Variables
- func Decrypt(ciphertext []byte, key [32]byte) (plaintext []byte, err error)
- func Encrypt(plaintext []byte, key [32]byte) (ciphertext []byte)
- func GenerateID() string
- func GenerateKey() [32]byte
- func GeneratePKCE() (codeVerifier, challenge string)
- func Getenv(key string) (out [32]byte)
- func Hash(tag string, data []byte) (sum []byte)
- func IsPasswordValid(ciphertext, plaintext []byte) bool
- func NewClient() *http.Client
- func NewClientWithTLS(certFile, keyFile, caFile string) *http.Client
- func NewIdentityProvider() *identityProvider
- func NewServer(mux *http.ServeMux) *http.Server
- func ParseBoolOrDefault(key string, def bool) bool
- func ParseDurationOrDefault(key string, def time.Duration) time.Duration
- func ParseFloatOrDefault(key string, def float64) float64
- func ParseIntOrDefault(key string, def int) int
- func ParseStringOrDefault(key string, def string) string
- func Password(plaintext []byte) ([]byte, error)
- func TLSClientConfig(certFile, keyFile, caFile string) *tls.Config
- func WithAuth(sessions *ServerSessions, next http.HandlerFunc) http.HandlerFunc
- func WithAuthenticatedSecurityHeaders(next http.HandlerFunc) http.HandlerFunc (deprecated)
- func WithNoStoreNoReferrer(next http.HandlerFunc) http.HandlerFunc
- type ContextKey
- type IdentityTokenClaims
- type ServerSession
- type ServerSessions
Constants ¶
This section is empty.
Variables ¶
var IdentityProvider = NewIdentityProvider()
IdentityProvider is a singleton instance of the identity provider.
Functions ¶
func Decrypt ¶
func Decrypt(ciphertext []byte, key [32]byte) (plaintext []byte, err error)
Decrypt takes a ciphertext produced by Encrypt and the 256-bit AES key it was encrypted under, and decrypts it using AES-GCM. Because GCM authenticates the ciphertext, any modification to it makes Decrypt return an error instead of corrupted plaintext; callers must check err before using plaintext.
func Encrypt ¶
func Encrypt(plaintext []byte, key [32]byte) (ciphertext []byte)
Encrypt takes an input byte slice (plaintext) and a 256-bit AES key, and encrypts the plaintext using AES-GCM. It returns the encrypted data (ciphertext); the key is supplied by the caller, for example from GenerateKey or Getenv.
func GenerateID ¶ added in v0.1.71
func GenerateID() string
GenerateID generates a unique ID using a secure random key.
func GenerateKey ¶
func GenerateKey() [32]byte
GenerateKey generates a 256-bit (32-byte) random key for AES encryption. It uses a cryptographically secure random number generator.
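The following stand-alone Go program is an added example, not the package's own source (which this page does not show). It implements Encrypt, Decrypt, GenerateKey and GenerateID with the signatures listed in the index and shows the failure mode Decrypt's error return exists for: a single flipped bit anywhere in the nonce, ciphertext or tag is rejected. The nonce-prefix layout, the single ErrDecrypt error and the unexported newGCM helper are this example's choices and are not documented by the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// ErrDecrypt is the only error Decrypt returns, so a caller cannot tell a
// truncated message from one with a bad authentication tag.
var ErrDecrypt = errors.New("security: decryption failed")

// GenerateKey returns a fresh 256-bit key from the OS CSPRNG. A failure here
// means the entropy source is broken, so it panics rather than hand back a
// zero key.
func GenerateKey() [32]byte {
	var key [32]byte
	if _, err := io.ReadFull(rand.Reader, key[:]); err != nil {
		panic("security: CSPRNG failure: " + err.Error())
	}
	return key
}

// GenerateID returns 256 bits from the same CSPRNG as a 43-character
// URL-safe string, suitable for session or request IDs that must be
// unguessable.
func GenerateID() string {
	k := GenerateKey()
	return base64.RawURLEncoding.EncodeToString(k[:])
}

// newGCM builds the AEAD. Both constructors fail only on a wrong key size,
// which the [32]byte parameter rules out, so a failure here is a bug.
func newGCM(key [32]byte) cipher.AEAD {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Encrypt seals plaintext under key with AES-256-GCM. A fresh random 96-bit
// nonce is drawn per call and prepended, giving nonce || ciphertext || tag.
// NIST limits random 96-bit nonces to 2^32 messages per key; rotate the key
// well before that.
func Encrypt(plaintext []byte, key [32]byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic("security: CSPRNG failure: " + err.Error())
	}
	// Seal appends to its first argument, so the nonce ends up in front.
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Decrypt reverses Encrypt. The length check rejects input too short to hold
// a nonce and a tag; Open then verifies the tag before releasing plaintext,
// so a flipped bit anywhere yields ErrDecrypt and no output.
func Decrypt(ciphertext []byte, key [32]byte) ([]byte, error) {
	gcm := newGCM(key)
	ns := gcm.NonceSize()
	if len(ciphertext) < ns+gcm.Overhead() {
		return nil, ErrDecrypt
	}
	plaintext, err := gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
	if err != nil {
		return nil, ErrDecrypt
	}
	return plaintext, nil
}

func main() {
	key := GenerateKey()
	ct := Encrypt([]byte("constructed sample plaintext"), key) // constructed input
	pt, err := Decrypt(ct, key)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	ct[len(ct)-1] ^= 1 // flip one bit of the authentication tag
	_, err = Decrypt(ct, key)
	fmt.Println("after tampering:", err)
}
```

Returning one opaque error from Decrypt is deliberate: a distinct "wrong length" versus "bad tag" message gives an attacker probing the endpoint more than it gives an operator reading logs.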
func GeneratePKCE ¶ added in v0.1.87
func GeneratePKCE() (codeVerifier, challenge string)
GeneratePKCE generates an OAuth 2.0 PKCE code verifier from a random string and returns it together with the matching code challenge.
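As an added example (not the package's code), here is an RFC 7636 implementation of GeneratePKCE with the page's signature, using the S256 method, together with the check the authorization server performs at the token endpoint. ChallengeFor, validVerifier and VerifyPKCE are this example's additions; the page does not document a server-side counterpart.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// GeneratePKCE returns a code_verifier and its S256 code_challenge as defined
// in RFC 7636. 32 random bytes, base64url-encoded without padding, give a
// 43-character verifier (the RFC's minimum length) drawn only from the
// unreserved characters the RFC allows.
func GeneratePKCE() (codeVerifier, challenge string) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic("security: CSPRNG failure: " + err.Error())
	}
	codeVerifier = base64.RawURLEncoding.EncodeToString(raw)
	return codeVerifier, ChallengeFor(codeVerifier)
}

// ChallengeFor computes BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), the
// S256 method. The "plain" method (challenge == verifier) gives no protection
// against an attacker who observed the authorization request.
func ChallengeFor(codeVerifier string) string {
	sum := sha256.Sum256([]byte(codeVerifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validVerifier enforces RFC 7636 section 4.1: 43 to 128 characters from
// [A-Za-z0-9-._~].
func validVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for _, c := range []byte(v) {
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9':
		case c == '-', c == '.', c == '_', c == '~':
		default:
			return false
		}
	}
	return true
}

// VerifyPKCE is the authorization server's check at the token endpoint: it
// recomputes the challenge from the verifier presented with the code and
// compares it in constant time to the challenge stored at authorization time.
func VerifyPKCE(storedChallenge, presentedVerifier string) bool {
	if !validVerifier(presentedVerifier) {
		return false
	}
	got := ChallengeFor(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	verifier, challenge := GeneratePKCE()
	fmt.Println("code_verifier: ", verifier)
	fmt.Println("code_challenge:", challenge)
	fmt.Println("token endpoint accepts:", VerifyPKCE(challenge, verifier))
}
```

The client sends only the challenge in the authorization request and keeps the verifier until the token request, so an attacker who captures the authorization code cannot redeem it without the verifier.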
func Getenv ¶ added in v0.1.7
func Getenv(key string) (out [32]byte)
Getenv retrieves an environment variable by the given key, interprets its value as a hexadecimal string, and decodes it into a 32-byte array. If the environment variable is not set, the value is not a valid hex string, or the decoded byte length is not 32, the function returns the zero-valued array. Callers must check for this before using the result as a key: Encrypt and Decrypt accept an all-zero [32]byte like any other key, so a missing or malformed variable would otherwise silently encrypt under a known key.
func IsPasswordValid ¶
func IsPasswordValid(ciphertext, plaintext []byte) bool
IsPasswordValid reports whether the plaintext password matches the bcrypt hash ciphertext (the hash produced by Password). Note the argument order: the hash comes first.
func NewClient ¶ added in v0.1.25
NewClient creates and returns a new *http.Client with a default timeout of 5 seconds. The timeout can be adjusted by setting the CLIENT_TIMEOUT environment variable.
func NewClientWithTLS ¶ added in v0.1.39
NewClientWithTLS creates and returns a new *http.Client with mutual TLS authentication.
func NewIdentityProvider ¶ added in v0.1.89
func NewIdentityProvider() *identityProvider
NewIdentityProvider creates a new identity provider.
func NewServer ¶
NewServer creates and returns a configured HTTP server. It uses the PORT environment variable or defaults to port 8080. The server has a default timeout of 5 seconds for read, write, and idle connections. Each timeout can be adjusted by setting the corresponding SERVER_*_TIMEOUT environment variable.
func ParseBoolOrDefault ¶ added in v0.2.37
ParseBoolOrDefault parses the value of the environment variable with the given key as a boolean. If the value is not set or cannot be parsed, the default boolean is returned.
func ParseDurationOrDefault ¶ added in v0.2.36
ParseDurationOrDefault parses the value of the environment variable with the given key as a duration. If the value is not set or cannot be parsed, the default duration is returned.
func ParseFloatOrDefault ¶ added in v0.2.37
ParseFloatOrDefault parses the value of the environment variable with the given key as a float. If the value is not set or cannot be parsed, the default float is returned.
func ParseIntOrDefault ¶ added in v0.2.36
ParseIntOrDefault parses the value of the environment variable with the given key as an integer. If the value is not set or cannot be parsed, the default integer is returned.
func ParseStringOrDefault ¶ added in v0.2.37
ParseStringOrDefault parses the value of the environment variable with the given key as a string. If the value is not set or cannot be parsed, the default string is returned.
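The program below is an added example (not the package's code) showing how ParseDurationOrDefault and ParseIntOrDefault drive NewServer and NewClient, and why the fallback must be the default and never zero. The exact variable names SERVER_READ_TIMEOUT, SERVER_WRITE_TIMEOUT and SERVER_IDLE_TIMEOUT, the ServerConfig type and LoadServerConfig are this example's assumptions standing in for the page's SERVER_*_TIMEOUT; the example also treats non-positive durations as unparsable, which the page does not say the package does.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strconv"
	"time"
)

// ParseDurationOrDefault reads key from the environment and parses it with
// time.ParseDuration ("250ms", "5s", "1m30s"). Unset, unparsable and
// non-positive values fall back to def rather than to zero: a zero timeout on
// an http.Server or http.Client means "wait forever", the unsafe way to fail.
func ParseDurationOrDefault(key string, def time.Duration) time.Duration {
	v, ok := os.LookupEnv(key)
	if !ok {
		return def
	}
	d, err := time.ParseDuration(v)
	if err != nil || d <= 0 {
		return def
	}
	return d
}

// ParseIntOrDefault is the same pattern for integers.
func ParseIntOrDefault(key string, def int) int {
	v, ok := os.LookupEnv(key)
	if !ok {
		return def
	}
	n, err := strconv.Atoi(v)
	if err != nil {
		return def
	}
	return n
}

// ServerConfig gathers every environment-derived setting so it can be
// inspected and tested before a server is built. The variable names below
// are this example's assumed spelling of the page's SERVER_*_TIMEOUT.
type ServerConfig struct {
	Addr                                   string
	ReadTimeout, WriteTimeout, IdleTimeout time.Duration
}

func LoadServerConfig() ServerConfig {
	const def = 5 * time.Second
	return ServerConfig{
		Addr:         ":" + strconv.Itoa(ParseIntOrDefault("PORT", 8080)),
		ReadTimeout:  ParseDurationOrDefault("SERVER_READ_TIMEOUT", def),
		WriteTimeout: ParseDurationOrDefault("SERVER_WRITE_TIMEOUT", def),
		IdleTimeout:  ParseDurationOrDefault("SERVER_IDLE_TIMEOUT", def),
	}
}

// NewServer builds an http.Server from LoadServerConfig. ReadHeaderTimeout is
// stated explicitly: it is the limit that stops a client trickling headers
// (Slowloris), and although Go falls back to ReadTimeout when it is zero,
// spelling it out keeps the intent visible in review.
func NewServer(mux *http.ServeMux) *http.Server {
	cfg := LoadServerConfig()
	return &http.Server{
		Addr:              cfg.Addr,
		Handler:           mux,
		ReadTimeout:       cfg.ReadTimeout,
		ReadHeaderTimeout: cfg.ReadTimeout,
		WriteTimeout:      cfg.WriteTimeout,
		IdleTimeout:       cfg.IdleTimeout,
	}
}

// NewClient applies the same defaulting on the outbound side: an http.Client
// with a zero Timeout waits indefinitely on a stalled peer.
func NewClient() *http.Client {
	return &http.Client{Timeout: ParseDurationOrDefault("CLIENT_TIMEOUT", 5*time.Second)}
}

func main() {
	srv := NewServer(http.NewServeMux())
	fmt.Printf("listen %s read=%s write=%s idle=%s client=%s\n",
		srv.Addr, srv.ReadTimeout, srv.WriteTimeout, srv.IdleTimeout, NewClient().Timeout)
}
```

Run it with SERVER_READ_TIMEOUT=bogus to see the default survive a typo in deployment config; with the zero-valued alternative the server would accept connections that never time out.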
func TLSClientConfig ¶ added in v0.2.12
func TLSClientConfig(certFile, keyFile, caFile string) *tls.Config
TLSClientConfig creates and returns a *tls.Config for mutual TLS authentication. It loads the client's certificate and private key, which the client presents to the server, and the root CA certificates used to verify the server's certificate.
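An added example (not the package's code) of a TLSClientConfig and NewClientWithTLS pair for mutual TLS. It deliberately differs from the page's signatures by returning an error, so that a missing or malformed file fails the build of the client instead of producing a config that trusts nothing. WriteTestPEMs is a constructed helper that mints a throwaway self-signed certificate so the example runs offline; the TLS 1.2 floor and the file names are this example's choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// TLSClientConfig loads the client certificate and key presented to the
// server and the CA bundle used to verify the server. Returning an error
// means a bad file fails loudly instead of tempting a caller into InsecureSkipVerify.
func TLSClientConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, fmt.Errorf("load client key pair: %w", err)
	}
	caPEM, err := os.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("read CA bundle: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("CA bundle %s contains no PEM certificates", caFile)
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{cert},
		RootCAs:      pool, // pinned to this bundle; the system store is not consulted
	}, nil
}

// NewClientWithTLS wraps the config in a client that also has a timeout.
func NewClientWithTLS(certFile, keyFile, caFile string) (*http.Client, error) {
	cfg, err := TLSClientConfig(certFile, keyFile, caFile)
	if err != nil {
		return nil, err
	}
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}, nil
}

// WriteTestPEMs mints a throwaway self-signed certificate (constructed only so
// the example runs offline) into dir as client.crt, client.key and ca.pem.
func WriteTestPEMs(dir string) (certFile, keyFile, caFile string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-client"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return "", "", "", err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	certFile, keyFile, caFile = filepath.Join(dir, "client.crt"), filepath.Join(dir, "client.key"), filepath.Join(dir, "ca.pem")
	for path, data := range map[string][]byte{certFile: certPEM, keyFile: keyPEM, caFile: certPEM} {
		if err := os.WriteFile(path, data, 0o600); err != nil {
			return "", "", "", err
		}
	}
	return certFile, keyFile, caFile, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "mtls-example")
	defer os.RemoveAll(dir)
	certFile, keyFile, caFile, err := WriteTestPEMs(dir)
	if err != nil {
		panic(err)
	}
	_, err = TLSClientConfig(certFile, keyFile, caFile)
	fmt.Println("valid files, err =", err)
	_, err = TLSClientConfig(certFile, keyFile, filepath.Join(dir, "missing.pem"))
	fmt.Println("missing CA bundle, err =", err)
}
```

Setting RootCAs replaces the system trust store for this client, which is what you want when talking to an internal service: a certificate from any public CA is then not accepted, only one chaining to the bundle you shipped.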
func WithAuth ¶ added in v0.1.96
func WithAuth(sessions *ServerSessions, next http.HandlerFunc) http.HandlerFunc
WithAuth wraps next with session-based authentication backed by sessions and adds the authentication information to the request context; see the ContextKey constants for the keys under which it is stored.
func WithAuthenticatedSecurityHeaders ¶ deprecated, added in v0.4.6
func WithAuthenticatedSecurityHeaders(next http.HandlerFunc) http.HandlerFunc
WithAuthenticatedSecurityHeaders applies server-side security headers that MUST be present on authenticated pages.
Deprecated: use WithNoStoreNoReferrer.
func WithNoStoreNoReferrer ¶ added in v0.4.6
func WithNoStoreNoReferrer(next http.HandlerFunc) http.HandlerFunc
WithNoStoreNoReferrer applies response headers that reduce data leakage.
It sets:
- Cache-Control: no-store
- Referrer-Policy: no-referrer
Types ¶
type ContextKey ¶ added in v0.1.93
type ContextKey string
const (
ContextSessionID ContextKey = "session_id"
ContextEmail ContextKey = "email"
ContextIssuer ContextKey = "issuer"
ContextName ContextKey = "name"
ContextSubject ContextKey = "subject"
ContextVerified ContextKey = "verified"
)
type IdentityTokenClaims ¶ added in v0.1.89
type IdentityTokenClaims struct {
Email string `json:"email"`
Issuer string `json:"iss"`
Name string `json:"name"`
Subject string `json:"sub"`
Verified bool `json:"email_verified"`
}
IdentityTokenClaims represents the claims of an identity token.
type ServerSession ¶ added in v0.1.35
ServerSession is a session for a user.
type ServerSessions ¶ added in v0.1.35
type ServerSessions struct {
// contains filtered or unexported fields
}
ServerSessions is a thread-safe map of session IDs to sessions.
func NewServeMux ¶ added in v0.1.44
func NewServeMux(ctx context.Context, efs fs.FS) (mux *http.ServeMux, serverSessions *ServerSessions)
NewServeMux creates a new mux with the liveness check endpoint (/liveness) and the readiness check endpoint (/readiness). The mux is returned along with a new ServerSessions instance.
func NewServerSessions ¶ added in v0.1.35
func NewServerSessions() *ServerSessions
NewServerSessions creates a new, empty ServerSessions.
func (*ServerSessions) Create ¶ added in v0.1.48
func (a *ServerSessions) Create(id string, data any) (s ServerSession)
Create adds a new session with the given id and data to the ServerSessions and returns it.
func (*ServerSessions) Delete ¶ added in v0.1.48
func (a *ServerSessions) Delete(id string)
Delete removes the session with the given sessionID.
func (*ServerSessions) Read ¶ added in v0.1.48
func (a *ServerSessions) Read(id string) (*ServerSession, bool)
Read returns the session for the given sessionID.
func (*ServerSessions) Update ¶ added in v0.1.35
func (a *ServerSessions) Update(s ServerSession)
Update stores the given session in the ServerSessions, replacing the entry with the same ID.
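The program below is an added example (not the package's code) that ties together the ServerSessions store, WithAuth, WithNoStoreNoReferrer and the ContextKey constants described above, and exercises the paths a reviewer cares about: a valid session, a missing cookie, a guessed ID, and an ID revoked with Delete. How WithAuth locates the session (a cookie named "session"), what it stores as session data (the email as a string), the fixed session ID in main and the Probe helper are all assumptions; the page documents none of them.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

type ContextKey string

const (
	ContextSessionID ContextKey = "session_id"
	ContextEmail     ContextKey = "email"
)

type ServerSession struct {
	ID   string
	Data any // opaque to the store; this example keeps the user's email here
}

// ServerSessions is a session map guarded by an RWMutex: Read takes the
// read lock, Update and Delete take the write lock.
type ServerSessions struct {
	mu sync.RWMutex
	m  map[string]ServerSession
}

func NewServerSessions() *ServerSessions { return &ServerSessions{m: map[string]ServerSession{}} }

// Read returns a copy, so callers cannot mutate the map entry unlocked.
func (a *ServerSessions) Read(id string) (*ServerSession, bool) {
	a.mu.RLock()
	defer a.mu.RUnlock()
	if s, ok := a.m[id]; ok {
		return &s, true
	}
	return nil, false
}

func (a *ServerSessions) Update(s ServerSession) { a.mu.Lock(); a.m[s.ID] = s; a.mu.Unlock() }
func (a *ServerSessions) Delete(id string)       { a.mu.Lock(); delete(a.m, id); a.mu.Unlock() }

// WithAuth resolves the "session" cookie against sessions. A missing or
// unknown session ends the request with 401 before next runs; otherwise the
// session ID and email are put on the context under the ContextKey names.
func WithAuth(sessions *ServerSessions, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var s *ServerSession
		if c, err := r.Cookie("session"); err == nil {
			s, _ = sessions.Read(c.Value)
		}
		if s == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		email, _ := s.Data.(string)
		ctx := context.WithValue(r.Context(), ContextSessionID, s.ID)
		ctx = context.WithValue(ctx, ContextEmail, email)
		next(w, r.WithContext(ctx))
	}
}

// WithNoStoreNoReferrer sets the two leakage-reducing headers. It sits
// outermost in the chain so that WithAuth's 401 responses carry them too.
func WithNoStoreNoReferrer(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "no-store")
		w.Header().Set("Referrer-Policy", "no-referrer")
		next(w, r)
	}
}

// Probe sends one in-memory request through the chain and reports the
// status, the Cache-Control header and the email the handler saw.
func Probe(sessions *ServerSessions, cookie string) (status int, cacheControl, email string) {
	h := WithNoStoreNoReferrer(WithAuth(sessions, func(w http.ResponseWriter, r *http.Request) {
		email, _ = r.Context().Value(ContextEmail).(string)
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/me", nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Cache-Control"), email
}

func main() {
	sessions := NewServerSessions()
	// Constructed fixture; real IDs must come from a CSPRNG (see GenerateID).
	sessions.Update(ServerSession{ID: "constructed-session-id", Data: "alice@example.com"})
	fmt.Println(Probe(sessions, "constructed-session-id"))
	fmt.Println(Probe(sessions, "not-a-session"))
}
```

Two points of the ordering matter: WithNoStoreNoReferrer wraps WithAuth, so even the 401 page is marked no-store, and WithAuth rejects before calling next, so a handler behind it never runs for an unauthenticated request rather than running with empty context values.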