password

package
v0.0.0-...-4dfee84 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 31, 2026 License: Apache-2.0 Imports: 26 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	CharListLowercase    = "abcdefghijklmnopqrstuvwxyz"
	CharListUppercase    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	CharListAlphabet     = CharListLowercase + CharListUppercase
	CharListDigit        = "0123456789"
	CharListAlphanumeric = CharListAlphabet + CharListDigit
	// Referenced from "special" character class in Apple's Password Autofill rules.
	// https://developer.apple.com/documentation/security/password_autofill/customizing_password_autofill_rules
	CharListSymbol = "-~!@#$%^&*_+=`|(){}[:;\"'<>,.?]"
)

Character list for each category.

View Source 
const (
	// Max trials to generate a password that satisfies the checker.
	DefaultMaxTrials MaxTrials = 10
	// Default minimum length of a password, overrides min length in the policy if less than it.
	DefaultMinLength = 8
	// When min guessable level is > 0, the minimum length of a password.
	GuessableEnabledMinLength = 32
)

Variables

View Source 
var DependencySet = wire.NewSet(
	wire.Struct(new(Provider), "*"),
	wire.Struct(new(Store), "*"),
	wire.Struct(new(Housekeeper), "*"),
	ProvideChecker,
	wire.Struct(new(HistoryStore), "*"),
	wire.Bind(new(CheckerHistoryStore), new(*HistoryStore)),
	ProvideExpiry,
	NewRandSource,
	wire.Value(DefaultMaxTrials),
	wire.Struct(new(Generator), "*"),
)
View Source 
var ErrPasswordGenerateFailed = apierrors.InternalError.WithReason("PasswordGenerateError").New("failed to generate password")
View Source 
var HousekeeperLogger = slogutil.NewLogger("password-housekeeper")
View Source 
var InvalidBcryptHash = apierrors.Invalid.WithReason("InvalidBcryptHash")
View Source 
var PasswordExpiryForceChange apierrors.Kind = apierrors.Invalid.WithReason("PasswordExpiryForceChange")
View Source 
var PasswordPolicyViolated apierrors.Kind = apierrors.Invalid.WithReason("PasswordPolicyViolated")
View Source 
var ProviderLogger = slogutil.NewLogger("password")

Functions

func IsSamePassword 

func IsSamePassword(hashedPassword []byte, password string) bool

func TranslateBcryptError 

func TranslateBcryptError(err error) error

Types

type Checker 

type Checker struct {
	PwMinLength            int
	PwUppercaseRequired    bool
	PwLowercaseRequired    bool
	PwAlphabetRequired     bool
	PwDigitRequired        bool
	PwSymbolRequired       bool
	PwMinGuessableLevel    int
	PwExcludedKeywords     []string
	PwHistorySize          int
	PwHistoryDays          config.DurationDays
	PasswordHistoryEnabled bool
	PasswordHistoryStore   CheckerHistoryStore
}

func ProvideChecker 

func ProvideChecker(
	cfg *config.AuthenticatorPasswordConfig,
	featureCfg *config.AuthenticatorFeatureConfig,
	s CheckerHistoryStore,
) *Checker

func (*Checker) PasswordPolicy 

func (pc *Checker) PasswordPolicy() (out []Policy)

PasswordPolicy outputs a list of PasswordPolicy to reflect the password policy.

func (*Checker) PasswordRules 

func (pc *Checker) PasswordRules() string

func (*Checker) ValidateCurrentPassword 

func (pc *Checker) ValidateCurrentPassword(plainPassword string) error

ValidateCurrentPassword should be used when the user authenticates.

func (*Checker) ValidateNewPassword 

func (pc *Checker) ValidateNewPassword(ctx context.Context, userID string, plainPassword string) error

ValidateNewPassword should be used when the user changes their password.

type CheckerHistoryStore 

type CheckerHistoryStore interface {
	GetPasswordHistory(ctx context.Context, userID string, historySize int, historyDays config.DurationDays) ([]History, error)
}

type Expiry 

type Expiry struct {
	ForceChangeEnabled         bool
	ForceChangeSinceLastUpdate config.DurationString
	Clock                      clock.Clock
}

func ProvideExpiry 

func ProvideExpiry(
	cfg *config.AuthenticatorPasswordConfig,
	c clock.Clock,
) *Expiry

func (*Expiry) Validate 

func (pe *Expiry) Validate(authenticator *authenticator.Password) error

type Generator 

type Generator struct {
	MaxTrials      MaxTrials
	Checker        *Checker
	Rand           Rand
	PasswordConfig *config.AuthenticatorPasswordConfig
}

func (*Generator) Generate 

func (g *Generator) Generate() (string, error)

type History 

type History struct {
	ID             string
	UserID         string
	HashedPassword []byte
	CreatedAt      time.Time
}

History contains a password history of a user

type HistoryStore 

type HistoryStore struct {
	Clock       clock.Clock
	SQLBuilder  *appdb.SQLBuilderApp
	SQLExecutor *appdb.SQLExecutor
}

func (*HistoryStore) CreatePasswordHistory 

func (p *HistoryStore) CreatePasswordHistory(ctx context.Context, userID string, hashedPassword []byte, createdAt time.Time) error

func (*HistoryStore) GetPasswordHistory 

func (p *HistoryStore) GetPasswordHistory(ctx context.Context, userID string, historySize int, historyDays config.DurationDays) ([]History, error)

func (*HistoryStore) RemovePasswordHistory 

func (p *HistoryStore) RemovePasswordHistory(ctx context.Context, userID string, historySize int, historyDays config.DurationDays) error

func (*HistoryStore) ResetPasswordHistory 

func (p *HistoryStore) ResetPasswordHistory(ctx context.Context, userID string) error

type Housekeeper 

type Housekeeper struct {
	Store  *HistoryStore
	Config *config.AuthenticatorPasswordConfig
}

func (*Housekeeper) Housekeep 

func (p *Housekeeper) Housekeep(ctx context.Context, authID string) (err error)

type MaxTrials 

type MaxTrials int

type Policy 

type Policy struct {
	Name PolicyName
	Info map[string]interface{} `json:",omitempty"`
}

func (Policy) Kind 

func (v Policy) Kind() string

type PolicyName 

type PolicyName string
const (
	// PasswordTooShort is self-explanatory
	PasswordTooShort PolicyName = "PasswordTooShort"
	// PasswordUppercaseRequired means the password does not contain ASCII uppercase character
	PasswordUppercaseRequired PolicyName = "PasswordUppercaseRequired"
	// PasswordLowercaseRequired means the password does not contain ASCII lowercase character
	PasswordLowercaseRequired PolicyName = "PasswordLowercaseRequired"
	// PasswordAlphabetRequired means the password does not contain ASCII alphabet character
	PasswordAlphabetRequired PolicyName = "PasswordAlphabetRequired"
	// PasswordDigitRequired means the password does not contain ASCII digit character
	PasswordDigitRequired PolicyName = "PasswordDigitRequired"
	// PasswordSymbolRequired means the password does not contain ASCII non-alphanumeric character
	PasswordSymbolRequired PolicyName = "PasswordSymbolRequired"
	// PasswordContainingExcludedKeywords means the password contains configured excluded keywords
	PasswordContainingExcludedKeywords PolicyName = "PasswordContainingExcludedKeywords"
	// PasswordBelowGuessableLevel means the password's guessable level is below configured level.
	// The current implementation uses Dropbox's zxcvbn.
	PasswordBelowGuessableLevel PolicyName = "PasswordBelowGuessableLevel"
	// PasswordReused is self-explanatory
	PasswordReused PolicyName = "PasswordReused"
)

type Provider 

type Provider struct {
	Store           *Store
	Config          *config.AuthenticatorPasswordConfig
	Clock           clock.Clock
	PasswordHistory *HistoryStore
	PasswordChecker *Checker
	Expiry          *Expiry
	Housekeeper     *Housekeeper
}

func (*Provider) Authenticate 

func (p *Provider) Authenticate(ctx context.Context, a *authenticator.Password, password string) (verifyResult *VerifyResult, err error)

func (*Provider) Create 

func (p *Provider) Create(ctx context.Context, a *authenticator.Password) error

func (*Provider) Delete 

func (p *Provider) Delete(ctx context.Context, a *authenticator.Password) error

func (*Provider) Get 

func (p *Provider) Get(ctx context.Context, userID string, id string) (*authenticator.Password, error)

func (*Provider) GetMany 

func (p *Provider) GetMany(ctx context.Context, ids []string) ([]*authenticator.Password, error)

func (*Provider) List 

func (p *Provider) List(ctx context.Context, userID string) ([]*authenticator.Password, error)

func (*Provider) New 

func (p *Provider) New(ctx context.Context, id string, userID string, passwordSpec *authenticator.PasswordSpec, isDefault bool, kind string) (*authenticator.Password, error)

func (*Provider) Update 

func (p *Provider) Update(ctx context.Context, a *authenticator.Password) error

func (*Provider) UpdatePassword 

func (p *Provider) UpdatePassword(ctx context.Context, a *authenticator.Password, options *UpdatePasswordOptions) (bool, *authenticator.Password, error)

UpdatePassword return new authenticator pointer if password or expireAfter is changed Otherwise original authenticator will be returned

type Rand 

type Rand interface {
	Intn(n int) int
	Shuffle(n int, swap func(i, j int))
}

func NewRandSource 

func NewRandSource() Rand

type RandRand 

type RandRand struct {
	*rand.Rand
}

type Store 

type Store struct {
	SQLBuilder  *appdb.SQLBuilderApp
	SQLExecutor *appdb.SQLExecutor
}

func (*Store) Create 

func (s *Store) Create(ctx context.Context, a *authenticator.Password) (err error)

func (*Store) Delete 

func (s *Store) Delete(ctx context.Context, id string) error

func (*Store) Get 

func (s *Store) Get(ctx context.Context, userID string, id string) (*authenticator.Password, error)

func (*Store) GetMany 

func (s *Store) GetMany(ctx context.Context, ids []string) ([]*authenticator.Password, error)

func (*Store) List 

func (s *Store) List(ctx context.Context, userID string) ([]*authenticator.Password, error)

func (*Store) UpdatePasswordHash 

func (s *Store) UpdatePasswordHash(ctx context.Context, a *authenticator.Password) error

type UpdatePasswordOptions 

type UpdatePasswordOptions struct {
	SetPassword    bool
	PlainPassword  string
	SetExpireAfter bool
	ExpireAfter    *time.Time
}

type VerifyResult 

type VerifyResult struct {
	PolicyForceChange bool
	ExpiryForceChange bool
}

func (*VerifyResult) RequireUpdate 

func (r *VerifyResult) RequireUpdate() bool

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.