mcias/clients/go
Kyle Isom 8545473703 Fix SEC-01: require password for TOTP enroll
- REST handleTOTPEnroll now requires password field in request body
- gRPC EnrollTOTP updated with password field in proto message
- Both handlers check lockout status and record failures on bad password
- Updated Go, Python, and Rust client libraries to pass password
- Updated OpenAPI specs with new requestBody schema
- Added TestTOTPEnrollRequiresPassword with no-password, wrong-password,
  and correct-password sub-tests

Security: TOTP enrollment now requires the current password to prevent
session-theft escalation to persistent account takeover. Lockout and
failure recording use the same Argon2id constant-time path as login.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 00:48:31 -07:00
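The SEC-01 change described in the commit above, as an added illustration that is not the project's code: a minimal Go handler that refuses TOTP enrollment unless the request body carries the current password, checks lockout before verifying, and records a bad password the way a failed login is recorded. The names Enroller, NewEnroller and HandleTOTPEnroll are hypothetical, the X-User header stands in for the server's session-token lookup, and SHA-256 with a constant-time compare stands in for the Argon2id verification path.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"net/http"
	"sync"
)

// Enroller gates TOTP enrollment behind a fresh password check (SEC-01), so a stolen session token alone cannot register a persistent second factor.
type Enroller struct {
	mu       sync.Mutex
	failures map[string]int // failed attempts per account, shared with login
	MaxFails int            // lockout threshold
	verify   func(user, password string) bool
}

// NewEnroller: one constructed demo account; SHA-256 + constant-time compare stands in for Argon2id (not a real password hash).
func NewEnroller(user, password string, maxFails int) *Enroller {
	return &Enroller{failures: map[string]int{}, MaxFails: maxFails,
		verify: func(u, p string) bool {
			got, want := sha256.Sum256([]byte(p)), sha256.Sum256([]byte(password))
			return subtle.ConstantTimeCompare(got[:], want[:]) == 1 && u == user
		}}
}

// HandleTOTPEnroll checks lockout first, then the password; a bad password counts like a failed login.
func (e *Enroller) HandleTOTPEnroll(w http.ResponseWriter, r *http.Request) {
	user := r.Header.Get("X-User") // stand-in for the session-token lookup
	var body struct{ Password string `json:"password"` }
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Password == "" {
		http.Error(w, "password required", http.StatusBadRequest)
		return
	}
	e.mu.Lock()
	locked := e.failures[user] >= e.MaxFails
	e.mu.Unlock()
	if locked {
		http.Error(w, "account locked", http.StatusLocked)
		return
	}
	if !e.verify(user, body.Password) { // slow hash runs outside the lock
		e.mu.Lock()
		e.failures[user]++
		e.mu.Unlock()
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK) // enrollment may proceed: issue the TOTP secret
}
```

The three sub-cases named in the commit (no password, wrong password, correct password) map to 400, 401 and 200, and once the failure count reaches MaxFails even the correct password is refused with 423.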

mcias-client (Go)

Go client library for the MCIAS identity and access management API.

Requirements

  • Go 1.21+

Installation

go get git.wntrmute.dev/kyle/mcias/clients/go

Quick Start

package main

import (
    "fmt"
    "log"

    mciasgoclient "git.wntrmute.dev/kyle/mcias/clients/go"
)

func main() {
    // Connect to the MCIAS server.
    client, err := mciasgoclient.New("https://auth.example.com", mciasgoclient.Options{})
    if err != nil {
        log.Fatal(err)
    }

    // Authenticate. The token is stored in the client automatically, so the
    // returned copy is discarded here; expiresAt tells you when it stops working.
    _, expiresAt, err := client.Login("alice", "s3cret", "")
    if err != nil {
        log.Fatal(err)
    }
    fmt.Printf("token expires at %s\n", expiresAt)

    // Call authenticated endpoints...
    accounts, err := client.ListAccounts()
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(accounts)

    // Revoke the token when done.
    if err := client.Logout(); err != nil {
        log.Fatal(err)
    }
}

Custom CA Certificate

client, err := mciasgoclient.New("https://auth.example.com", mciasgoclient.Options{
    CACertPath: "/etc/mcias/ca.pem",
})

Error Handling

All methods return typed errors. Match them by type with errors.As from the standard library (errors.Is against a fresh new(T) value would only compare identity, so it does not match the error the client actually returns):

_, _, err := client.Login("alice", "wrongpass", "")

var (
    authErr      *mciasgoclient.MciasAuthError
    forbiddenErr *mciasgoclient.MciasForbiddenError
    notFoundErr  *mciasgoclient.MciasNotFoundError
    inputErr     *mciasgoclient.MciasInputError
    conflictErr  *mciasgoclient.MciasConflictError
    serverErr    *mciasgoclient.MciasServerError
)
switch {
case errors.As(err, &authErr):
    // 401: wrong credentials or token invalid
case errors.As(err, &forbiddenErr):
    // 403: insufficient role
case errors.As(err, &notFoundErr):
    // 404: resource not found
case errors.As(err, &inputErr):
    // 400: malformed request
case errors.As(err, &conflictErr):
    // 409: conflict (e.g. duplicate username)
case errors.As(err, &serverErr):
    // 5xx: unexpected server error
}

All error types embed MciasError, which carries the HTTP StatusCode (int) and the server's Message (string).

Thread Safety

Client is safe for concurrent use from multiple goroutines. The internal token is protected by sync.RWMutex.

Running Tests

go test -race ./...