auth library

Classes

AuthAccount

Provider account metadata linked to an AuthUser.

AuthAdapter

Base adapter for persisting auth data.

AuthCallbacks

Container for auth callbacks.

AuthCreateUserEvent

Event emitted when a new user is created.

AuthCredentials

Credential input for username/password flows.

AuthEmailRequest

Email verification payload shared with provider callbacks.

AuthJwtCallbackContext

Context passed to JWT callbacks.

AuthLinkAccountEvent

Event emitted when a provider account is linked.

AuthManager

High-level auth coordinator for routed.

AuthOptions

High-level auth coordinator for routed.

AuthPrincipal

Represents an authenticated user or entity.

AuthProvider

Base metadata for a routed auth provider.

AuthRedirectCallbackContext

Context passed to redirect callbacks.

AuthResult

Result returned by sign-in flows.

AuthRoutes

Auth HTTP routes for routed.

AuthServiceProvider

Service provider that boots routed auth infrastructure.

AuthSession

Session data returned by auth endpoints.

AuthSessionCallbackContext

Context passed to session callbacks.

AuthSessionEvent

Event emitted when a session payload is produced.

AuthSignInCallbackContext

Context passed to sign-in callbacks.

AuthSignInEvent

Event emitted after a successful sign-in.

AuthSignInResult

Result of a sign-in callback decision.

AuthSignOutEvent

Event emitted after a sign-out flow completes.

AuthUpdateUserEvent

Event emitted when a user is updated.

AuthUser

Authenticated user profile used by auth flows and sessions.

AuthVerificationToken

Verification token for email sign-in.

AuthVerificationTokenStore

CallbackAuthAdapter

Adapter implementation backed by callbacks.

CredentialsProvider

Credentials provider configuration.

EmailProvider

Email (magic link) provider configuration.

GateEvaluation

Represents the result of a gate evaluation.

GateEvaluationContext

Context provided during the evaluation of a gate.

GateRegistry

A registry for managing gate callbacks.

GuardRegistry

GuardResult

Haigate

InMemoryAuthAdapter

In-memory adapter for testing and prototypes.

InMemoryAuthVerificationTokenStore

InMemoryRememberTokenStore

JwtIssuer

Issues signed JWTs for auth sessions.

JwtOptions

Configuration options for JWT verification.

JwtPayload

Represents the payload of a verified JWT, including its claims and headers.

JwtSessionOptions

JWT configuration used for auth session issuance.

JwtVerifier

OAuth2Client

OAuthIntrospectionOptions

OAuthIntrospectionResult

OAuthProvider<TProfile extends Object>

OAuth 2.0 provider configuration.

OAuthTokenResponse

Represents the response from an OAuth2 token endpoint.

Policy<T extends Object>

Policy-based authorization built on top of Haigate.

PolicyBinding<T extends Object>

Binds a policy to a Haigate ability prefix.

PolicyOptions

Options that configure policy bindings.

RbacAbility

Role-based access control helpers built on top of Haigate.

RbacOptions

Role-based access control helpers built on top of Haigate.

RememberTokenStore

SessionAuth

SessionAuthService

Enums

AuthProviderType

Base metadata for a routed auth provider.

AuthSessionStrategy

Session storage strategy for auth.

PolicyAction

Policy-based authorization built on top of Haigate.

Constants

jwtClaimsAttribute → const String

Attribute key for JWT claims in the request context.

jwtHeadersAttribute → const String

Attribute key for JWT headers in the request context.

jwtSubjectAttribute → const String

Attribute key for the JWT subject in the request context.

oauthClaimsAttribute → const String

Attribute key for storing OAuth2 claims in the request context.

oauthScopeAttribute → const String

Attribute key for storing OAuth2 scopes in the request context.

oauthTokenAttribute → const String

Attribute key for storing the OAuth2 access token in the request context.

Functions

basicAuth(AuthAccounts accounts, {String realm = 'Restricted Area'}) → Middleware

Middleware function for basic authentication.

csrfMiddleware() → Middleware

generateCsrfToken() → String

guardMiddleware(List<String> guardNames, {GuardRegistry? registry}) → Middleware

jwtAuthentication(JwtOptions options, {JwtOnVerified? onVerified, Client? httpClient}) → Middleware

jwtSecretKey(String secret) → JsonWebKey

Builds a symmetric JsonWebKey from a secret.

oauth2Introspection(OAuthIntrospectionOptions options, {OAuthOnValidated? onValidated, Client? httpClient}) → Middleware

Creates a middleware for OAuth2 token introspection.

policyGate<T extends Object>(Policy<T> policy, PolicyAction action) → GateCallback

Builds a gate callback for a specific policy action.

rbacGate(RbacAbility ability) → GateCallback

Builds a gate callback for an RBAC ability.

registerPoliciesWithHaigate(List<PolicyBinding<Object>> bindings) → Set<String>

Helper to apply policy bindings to the global Haigate registry.

registerPolicyBindings(GateRegistry registry, List<PolicyBinding<Object>> bindings) → Set<String>

Registers policy abilities into a GateRegistry.

registerPolicyBindingsSafely(GateRegistry registry, List<PolicyBinding<Object>> bindings, {Set<String> managed = const <String>{}}) → Set<String>

Registers policy abilities without overriding existing entries.

registerRbacAbilities(GateRegistry registry, Map<String, RbacAbility> abilities) → Set<String>

Registers RBAC abilities into a GateRegistry.

registerRbacAbilitiesSafely(GateRegistry registry, Map<String, RbacAbility> abilities, {Set<String> managed = const <String>{}}) → Set<String>

Safely registers RBAC abilities without overriding existing entries.

registerRbacWithHaigate(Map<String, RbacAbility> abilities) → Set<String>

Helper to apply RBAC abilities to the global Haigate registry.

requireAuthenticated({String realm = 'Restricted', SessionAuthService? sessionAuth}) → AuthGuard

requireRoles(List<String> roles, {SessionAuthService? sessionAuth, bool any = false}) → AuthGuard

Typedefs

AuthAccounts = Map<String, String>

A typedef for a map that holds authentication accounts. The key is the username and the value is the password.

AuthGuard = FutureOr<GuardResult> Function(EngineContext ctx)

AuthJwtCallback = FutureOr<Map<String, dynamic>?> Function(AuthJwtCallbackContext context)

Callback invoked to customize JWT claims.

AuthProfileMapper<TProfile extends Object> = AuthUser Function(TProfile profile)

Maps a provider profile payload to an AuthUser.

AuthRedirectCallback = FutureOr<String?> Function(AuthRedirectCallbackContext context)

Callback invoked to resolve redirect targets.

AuthSessionCallback = FutureOr<Map<String, dynamic>?> Function(AuthSessionCallbackContext context)

Callback invoked to customize session payloads.

AuthSignInCallback = FutureOr<AuthSignInResult> Function(AuthSignInCallbackContext context)

Callback invoked before completing a sign-in flow.

CredentialsAuthorize = FutureOr<AuthUser?> Function(EngineContext context, CredentialsProvider provider, AuthCredentials credentials)

Authorizes credential-based sign-in.

CredentialsRegister = FutureOr<AuthUser?> Function(EngineContext context, CredentialsProvider provider, AuthCredentials credentials)

Registers a new user from credential input.

EmailSendCallback = FutureOr<void> Function(EngineContext context, EmailProvider provider, AuthEmailRequest request)

Sends a verification token for email flows.

GateCallback = FutureOr<bool> Function(GateEvaluationContext context)

A callback function used to evaluate whether a specific ability is allowed in the given GateEvaluationContext.

GateDeniedHandler = FutureOr<Response?> Function(GateViolation violation, EngineContext ctx)

A handler function that is called when a gate denies access.

GateObserver = void Function(GateEvaluation evaluation)

A function that observes the result of a gate evaluation.

GatePayloadProvider = Object? Function(EngineContext ctx, String ability)

A function that provides a payload for a specific ability in the given EngineContext.

JwtOnVerified = FutureOr<void> Function(JwtPayload payload, EngineContext context)

Callback type for handling a verified JWT.

OAuthOnValidated = FutureOr<void> Function(OAuthIntrospectionResult result, EngineContext context)

OAuthProfileCallback<TProfile extends Object> = FutureOr<AuthUser?> Function(EngineContext context, OAuthProvider<TProfile> provider, TProfile profile)

Called after the OAuth profile is loaded.

OAuthProfileParser<TProfile extends Object> = TProfile Function(Map<String, dynamic> profile)

Parses a raw OAuth profile payload into a typed profile.

OAuthProfileRequest<TProfile extends Object> = FutureOr<TProfile> Function(EngineContext context, OAuthProvider<TProfile> provider, OAuthTokenResponse token, Client httpClient, TProfile profile)

Called to enrich or replace the OAuth profile data.

OAuthProfileSerializer<TProfile extends Object> = Map<String, dynamic> Function(TProfile profile)

Serializes a typed profile into a JSON-friendly map.

OAuthStateCallback<TProfile extends Object> = FutureOr<void> Function(EngineContext context, OAuthProvider<TProfile> provider, String state)

Called after OAuth state is generated.

Exceptions / Errors

AuthFlowException

GateRegistrationException

Exception thrown when there is an error during gate registration.

GateViolation

Exception thrown when a gate denies access to a specific ability.

JwtAuthException

Exception thrown when JWT authentication fails.

OAuth2Exception

Represents an exception that occurs during OAuth2 operations.