diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml deleted file mode 100644 index 0dd5289..0000000 --- a/.github/FUNDING.yml +++ /dev/null @@ -1,13 +0,0 @@ -# These are supported funding model platforms - -github: Jaro-c # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] -# patreon: # Replace with a single Patreon username -# open_collective: # Replace with a single Open Collective username -# ko_fi: # Replace with a single Ko-fi username -# tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel -# community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry -# liberapay: # Replace with a single Liberapay username -# issuehunt: # Replace with a single IssueHunt username -# otechie: # Replace with a single Otechie username -# lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry -# custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml deleted file mode 100644 index 21dfd02..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ /dev/null 
@@ -1,88 +0,0 @@ -name: Bug Report -description: Report a bug to help us improve authcore -labels: ["bug", "needs-triage"] -body: - - type: markdown - attributes: - value: | - Thank you for taking the time to report a bug. - **Do not use this form for security vulnerabilities.** See [SECURITY.md](../../SECURITY.md) instead. - - - type: textarea - id: description - attributes: - label: Description - description: A clear and concise description of the bug. - validations: - required: true - - - type: textarea - id: reproduction - attributes: - label: Minimal reproduction - description: | - The smallest possible Go snippet or steps that reproduce the issue. - Wrap code in triple backticks. **Do not include real keys, tokens, or secrets.** - placeholder: | - ```go - cfg := authcore.DefaultConfig() - auth, err := authcore.New(cfg) - // ... - ``` - validations: - required: true - - - type: textarea - id: expected - attributes: - label: Expected behaviour - description: What did you expect to happen? - validations: - required: true - - - type: textarea - id: actual - attributes: - label: Actual behaviour - description: What happened instead? - validations: - required: true - - - type: input - id: authcore-version - attributes: - label: authcore version - description: Output of `go list -m github.com/Jaro-c/authcore` - placeholder: "github.com/Jaro-c/authcore v0.1.0" - validations: - required: true - - - type: input - id: go-version - attributes: - label: Go version - description: Output of `go version` - placeholder: "go1.26.0 linux/amd64" - validations: - required: true - - - type: input - id: os - attributes: - label: Operating system - placeholder: "Ubuntu 24.04 / macOS 15 / Windows 11" - validations: - required: true - - - type: textarea - id: logs - attributes: - label: Relevant logs or stack trace - description: Paste any error output or stack traces here. Remove any sensitive values before posting. 
- render: text - - - type: textarea - id: additional - attributes: - label: Additional context - description: Anything else that might help diagnose the issue. diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml deleted file mode 100644 index 96ccdf8..0000000 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: Feature Request -description: Suggest an idea or enhancement for authcore -labels: ["enhancement"] -body: - - type: markdown - attributes: - value: | - Thank you for suggesting an improvement to authcore. - Since this is a security library, please consider whether your request has any cryptographic or security implications and describe them in your proposal. - - - type: textarea - id: problem - attributes: - label: Problem or motivation - description: What problem does this solve? What use case is currently not covered? - placeholder: "I'm building a multi-tenant API and need to..." - validations: - required: true - - - type: textarea - id: solution - attributes: - label: Proposed solution - description: Describe what you'd like to see added or changed. If it involves a new API, sketch the function signatures. - placeholder: | - ```go - // Example of what the new API might look like - ``` - validations: - required: true - - - type: textarea - id: security - attributes: - label: Security considerations - description: | - Does this feature touch token generation, key management, hashing, or any other security boundary? - If so, describe the threat model and any risks you are aware of. - placeholder: "This does not affect security / This changes how refresh tokens are hashed because..." - - - type: textarea - id: alternatives - attributes: - label: Alternatives considered - description: Any alternative solutions or workarounds you have already tried? - - - type: textarea - id: additional - attributes: - label: Additional context - description: Links to relevant RFCs, prior art, or related issues. diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index c8bc934..0000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null 
@@ -1,37 +0,0 @@ -## Description - -Summarize the change and link the related issue. - -Fixes # (issue) - -## Type of change - -- [ ] Bug fix (non-breaking) -- [ ] New feature (non-breaking) -- [ ] Breaking change -- [ ] Security fix -- [ ] Documentation update - -## Security impact - -Does this change affect cryptographic operations, token handling, key management, or any security boundary? - -- [ ] No security impact -- [ ] Yes — describe below - - - -## Testing - -- [ ] `go test -race ./...` passes locally -- [ ] New tests added for this change -- [ ] Existing tests updated where necessary -- [ ] Tested with the race detector (`-race`) - -## Checklist - -- [ ] Code follows the project style (`go fmt`, `go vet`, `golangci-lint`) -- [ ] All exported symbols have godoc comments -- [ ] `README.md` updated if public API changed -- [ ] No sensitive data (keys, tokens, secrets) is logged or exposed in tests -- [ ] Dependent changes merged and published upstream (if any) diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md deleted file mode 100644 index c013cd5..0000000 --- a/CODE_OF_CONDUCT.md +++ /dev/null 
@@ -1,96 +0,0 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -We as members, contributors, and leaders pledge to make participation in our community -a harassment-free experience for everyone, regardless of age, body size, visible or -invisible disability, ethnicity, sex characteristics, gender identity and expression, -level of experience, education, socio-economic status, nationality, personal appearance, -race, caste, color, religion, or sexual identity and orientation. - -We pledge to act and interact in ways that contribute to an open, welcoming, diverse, -inclusive, and healthy community. - -## Our Standards - -Examples of behavior that contributes to a positive environment: - -- Demonstrating empathy and kindness toward other people -- Being respectful of differing opinions, viewpoints, and experiences -- Giving and gracefully accepting constructive feedback -- Accepting responsibility and apologizing to those affected by our mistakes -- Focusing on what is best for the overall community, not just ourselves - -Examples of unacceptable behavior: - -- The use of sexualized language or imagery, and unwelcome sexual attention or advances -- Trolling, insulting or derogatory comments, and personal or political attacks -- Public or private harassment -- Publishing others' private information without their explicit permission -- Other conduct which could reasonably be considered inappropriate in a professional setting - -## Enforcement Responsibilities - -Community leaders are responsible for clarifying and enforcing our standards of -acceptable behavior and will take appropriate and fair corrective action in response to -any behavior that they deem inappropriate, threatening, offensive, or harmful. - -Community leaders have the right and responsibility to remove, edit, or reject comments, -commits, code, wiki edits, issues, and other contributions that are not aligned to this -Code of Conduct. 
- -## Scope - -This Code of Conduct applies within all project spaces, and also when an individual is -officially representing the project in public spaces. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior should be -reported **confidentially** to the maintainers. Two channels are available: - -- **Preferred:** contact the maintainer directly using the address listed on the - [maintainer's GitHub profile](https://github.com/Jaro-c). This keeps - Code-of-Conduct reports entirely separate from the repository's issue tracker - and security-advisory workflow. -- **Fallback:** if you cannot reach out privately, you may open a - [GitHub private advisory](https://github.com/Jaro-c/authcore/security/advisories/new). - Despite its "security" framing, this is the repository's only built-in - private communication channel; note clearly in the title that the report is - a Code-of-Conduct matter rather than a vulnerability. - -Do not open a public issue or discussion for Code-of-Conduct reports — that -exposes the reporter and the accused before the report can be triaged. - -All reports will be reviewed and investigated promptly and fairly. -Community leaders are obligated to respect the privacy and security of the reporter. - -## Enforcement Guidelines - -### 1. Correction - -**Impact**: Inappropriate language or unprofessional behavior. -**Consequence**: A private written warning explaining the violation. A public apology may be requested. - -### 2. Warning - -**Impact**: A single incident or series of violations. -**Consequence**: A warning with consequences for continued behavior. No interaction with -the people involved for a specified period, including in community spaces and external channels. -Violating these terms may lead to a temporary or permanent ban. - -### 3. Temporary Ban - -**Impact**: Serious violation of community standards, including sustained harassing behavior. 
-**Consequence**: A temporary ban from any interaction or public communication with the -community. No public or private interaction is allowed during this period. - -### 4. Permanent Ban - -**Impact**: A pattern of violations, including sustained harassment of individuals or -aggression toward classes of people. -**Consequence**: A permanent ban from any interaction within the community. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 5f3c03e..0000000 --- a/CONTRIBUTING.md +++ /dev/null 
@@ -1,76 +0,0 @@ -# Contributing to authcore - -Thank you for taking the time to contribute! Security-focused libraries need careful, -thoughtful contributions — the guidelines below keep the bar high for everyone's benefit. - -## Code of Conduct - -By participating you agree to abide by our [Code of Conduct](CODE_OF_CONDUCT.md). - -## Security First - -If you find a security vulnerability, **do not open a public issue**. -Follow the process in our [Security Policy](SECURITY.md) instead. - -## Ways to Contribute - -### Reporting Bugs - -1. Search [existing issues](https://github.com/Jaro-c/authcore/issues) first. -2. If none matches, [open a new issue](https://github.com/Jaro-c/authcore/issues/new/choose) using the **Bug Report** template. -3. Include: Go version, OS, steps to reproduce, and any relevant logs. - -### Suggesting Enhancements - -1. Search [existing issues](https://github.com/Jaro-c/authcore/issues) to avoid duplicates. -2. Open an issue using the **Feature Request** template. -3. Explain the use case — why would most users benefit? - -### Pull Requests - -> **Branch model.** `main` only ever contains released code — what you see on -> [pkg.go.dev](https://pkg.go.dev/github.com/Jaro-c/authcore). All work lands on -> `develop` first and is promoted to `main` together with a release tag. Always -> branch from `develop` and target `develop` in your PR. Pull requests against -> `main` will be redirected. - -1. **Fork** the repository and branch from `develop` (not `main`). -2. **Run `go mod download`** to fetch dependencies. -3. **Write tests.** Every change must include tests. Security-critical paths need - table-driven tests that cover both the happy path and all error cases. -4. **Follow Go standards:** - - `go fmt ./...` - - `go vet ./...` - - `golangci-lint run` (if installed) - - Export everything with [godoc-style comments](https://go.dev/doc/effective_go#commentary). -5. **Keep PRs small.** Smaller, focused PRs are reviewed faster. -6. 
**Update docs.** If a public API changes, update `README.md` and affected examples. -7. **Sign commits** for auditability (preferred, not required). - -## Development Setup - -Requires **Go 1.26+**. - -```bash -# Clone your fork -git clone https://github.com/YOUR_USERNAME/authcore.git -cd authcore - -# Fetch dependencies -go mod download - -# Run all tests with the race detector -go test -v -race ./... - -# Run linting (requires golangci-lint) -golangci-lint run -``` - -## Pull Request Process - -1. Ensure all CI checks pass (tests + lint). -2. A maintainer will review within a few days. -3. Once approved it will be squash-merged into `develop`. The maintainer - later promotes `develop` to `main` together with a release tag. - -Thank you for your contribution! diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 57e8251..0000000 --- a/SECURITY.md +++ /dev/null 
@@ -1,63 +0,0 @@ -# Security Policy - -## Supported Versions - -Security fixes are backported to the latest minor line of each supported major version. Older lines are expected to upgrade to the current minor. - -| Major line | Supported | Notes | -|------------|-----------|-------| -| `v1.x` | ✅ | Current. Latest minor receives all security fixes. | -| `< v1.0` | ❌ | Pre-release; no longer supported. | - -Upgrading within `v1.x` is non-breaking by semver guarantee. Patch releases may tighten validation (e.g. `v1.2.0` added TTL caps, `kid` matching, and other defence-in-depth checks) — review the [CHANGELOG](CHANGELOG.md) for behaviour that is now stricter. - -A formal long-term support window for specific minor lines will be defined if usage patterns make it necessary; until then, always upgrade to the latest tagged `v1.x` release. - -## Reporting a Vulnerability - -**Do not open a public GitHub issue for security vulnerabilities.** - -Please report security issues via [GitHub private vulnerability reporting](https://github.com/Jaro-c/authcore/security/advisories/new). -This keeps the details confidential until a patch is released. - -Include as much of the following as possible: - -- A clear description of the vulnerability and its potential impact. -- Steps to reproduce or a minimal proof-of-concept (PoC). -- The affected version(s) — output of `go list -m github.com/Jaro-c/authcore`. -- Any known mitigations or workarounds. - -You will receive an acknowledgement within **72 hours**. -We aim to release a patch within **14 days** for confirmed critical issues and **30 days** for non-critical ones. -Reporters will be credited in the release notes unless you prefer to remain anonymous. 
- -## Scope - -This policy covers the `github.com/Jaro-c/authcore` module and all published sub-packages in this repository, including: - -- `auth/jwt` -- `auth/password` -- `auth/email` -- `auth/username` - -Planned modules listed in the README roadmap join this scope as soon as they are published. - -Third-party dependencies are out of scope — please report those issues to their respective maintainers. - -## Disclosure Policy - -We follow coordinated disclosure: - -1. Reporter submits the vulnerability privately. -2. Maintainers confirm and reproduce the issue within 72 hours. -3. A fix is developed in a private branch. -4. A patched release is published. -5. A public security advisory is opened with full details. - -## Security Best Practices for Users - -- Always use the latest published version of authcore. -- Pin your dependency with `go.sum` and verify checksums via the Go module proxy. -- Never store raw refresh tokens — always store only the `RefreshTokenHash` value. -- Protect your `KeysDir` (default `.authcore`) with filesystem permissions; never commit it. -- Set `ClockSkewLeeway` to the minimum value needed for your deployment — larger windows reduce the security margin of short-lived tokens.
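Review bot: The bug report template hunk (`@@ -1,88 +0,0 @@` for `.github/ISSUE_TEMPLATE/bug_report.yml`) removes the two guard rails that kept vulnerability details and credentials out of the public tracker: the header "**Do not use this form for security vulnerabilities.** See [SECURITY.md](../../SECURITY.md) instead." and the reproduction/log prompts "**Do not include real keys, tokens, or secrets.**" and "Remove any sensitive values before posting." Once no template exists, GitHub falls back to a blank issue form with none of this guidance. If the form itself is unwanted, keep a `.github/ISSUE_TEMPLATE/config.yml` with `blank_issues_enabled: false` and a `contact_links` entry pointing at `https://github.com/Jaro-c/authcore/security/advisories/new`, so that reporters are still steered to the private channel before they type anything.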
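Review bot: The feature request hunk (`@@ -1,51 +0,0 @@` for `.github/ISSUE_TEMPLATE/feature_request.yml`) drops the `security` textarea ("Does this feature touch token generation, key management, hashing, or any other security boundary? If so, describe the threat model…"). For a library whose surface is tokens, hashing and keys, that prompt is the point where a proposer is first asked to think about the threat model; if the templates are being consolidated elsewhere, carry this field over rather than letting it go silently.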
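Review bot: The pull request template hunk (`@@ -1,37 +0,0 @@` for `.github/PULL_REQUEST_TEMPLATE.md`) deletes the "## Security impact" section and the checklist items "- [ ] `go test -race ./...` passes locally" and "- [ ] No sensitive data (keys, tokens, secrets) is logged or exposed in tests". Those are the only per-PR controls in the repository that ask a contributor to flag changes to cryptographic operations or token handling and to confirm nothing secret is written to logs or fixtures. If the template is going away, the same checks need a home that does not depend on the contributor remembering them: a CI job that runs the race detector and a secret-scanning step would cover the mechanical half, but the "does this touch a security boundary" question still needs to be asked somewhere in the review flow.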
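Review bot: The CONTRIBUTING.md hunk (`@@ -1,76 +0,0 @@`) removes the "## Security First" pointer ("If you find a security vulnerability, **do not open a public issue**.") and the branch model block stating that `main` only ever contains released code and that all work must target `develop`. Nothing in this patch adds that text anywhere else, so after merge a new contributor has no visible instruction to branch from `develop`, no statement of the `go test -v -race ./...` and table-driven-test requirement for security-critical paths, and no redirection away from the issue tracker for vulnerabilities. If these guidelines are moving (for example into `README.md`), include that edit in the same change so the two never diverge; if they are being dropped, say so in the PR description.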
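Review bot: Deleting SECURITY.md outright (`@@ -1,63 +0,0 @@`) is the change in this patch that most needs justification, and none is visible here. The file is the only place that documents the private reporting path ("**Do not open a public GitHub issue for security vulnerabilities.**" plus the advisory URL), the supported-versions table (`v1.x` ✅, `< v1.0` ❌), the acknowledgement and patch targets (72 hours, 14 days critical, 30 days non-critical), the in-scope packages (`auth/jwt`, `auth/password`, `auth/email`, `auth/username`) and the user-facing hardening advice (store only `RefreshTokenHash`, protect `KeysDir`, keep `ClockSkewLeeway` minimal). GitHub surfaces this file as the repository's security policy, and without it a finder who lands on the repository has no instruction other than the public issue tracker. Two things should be confirmed before this merges: that private vulnerability reporting remains enabled in the repository settings, since `https://github.com/Jaro-c/authcore/security/advisories/new` only works while it is, and that the module-specific content is preserved somewhere, because an organisation-level default `.github` policy, if that is the intent, cannot express per-module details such as the package scope list or the `KeysDir` guidance.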