Simple golang auth templates
This post is somehwat similar to the kefei post in that is was motivated by a very common developer process that I felt was unecessarilly complicated. However, in this case, that process was not a database connection, but protecting your API.
There are a number of ways you might choose to do this, and two common choices, for which I have written application
templates for are:
- Oauth 2.0 (template-v2)
- Simple Token authentication (template-v1)
OAuth 2.0
OAuth 2.0 is in essence not an authorisation protocol, but actually a delegation protocol, that delegates authenticating a user with your service to another service (typically Facebook, Google, Twitter, Github). OAuth 2.0 is widly regarded as one of the highest security standards, and the main benefits from a user perspective is increased security, as you never have to create or share any credentials for or with the service you are trying to access.
Previously, when I have wanted to set up OAuth2.0 on an app, it has been a fiddly process to say the least, and Im sure others had a similar experience. While OAuth 2.0 provides a strong foundation for secure authorization, the overall security of any system utilizing OAuth 2.0 depends on the implementation and the surrounding security measures.
Therefore, to both consolidate my own knowledge and provoide a useful starting point to others, I have written this application template with the following features.
-
Simple REST API using the popular gin framework for golang.
- OAuth2.0 authentication provided by Auth0
- Obviously this requires you to setup an account on Auth0, akthough I was able to setup a free one which allowed me to generate up to 1000 tokens a month,
- Token providers:
- Apple
- (Username, email) DB
-
All endpoints /api/(host|exhibition|artist|user) require JWT authentication
- Additionally, the GET /api/host endpoint requires a token with the
read:hostpermission.
More information, including my particular Auth0 Account setup, is given in the repository README
Simple token authentication
Another relatively simple golang API server application template:
- An HTTP server using JSON over REST
- API token authentication with scoped tokens
- Each endpoint can be configured to require a given scope
- A user can request a token with a given scope with their username/email and password
- The token is only granted if the user’s scope encompasses the requested token scope
- Lazy expired token cleanup
- When a request is sent using an expired token, the token is deleted from the database
- When the app starts, it looks for an environemnt variable
APP_ENV$APP_ENVmust be set manually before running the app- e.g
APP_ENV=dev go run . - As opposed to other environment variables, which are loaded on app startup by godotenv
- e.g
- If this is set, it attempts to load the environment variables in the file
.env.${APP_ENV}- If file does not exist, it attempts to load the environment variables in the default file
.env
- If file does not exist, it attempts to load the environment variables in the default file
- If this is not set, it attempts to load the environment variables in the default file
.env - Connection to the db instance from the app is set via the
$POSTGRESQL_URLenvironment variable
- Database migrtations managed by the golang-migrate module
- All up migrations are run on startup if
RUN_MIGRAGTIONS=true
- All up migrations are run on startup if
- Zerolog for structured JSON logging
- Tokens and users persisted in a postgresql database
- Passwords are hashed and salted using bcrypt before persisting
- Tokens are hashed using SHA-256 before persisting
- Request validation using the github.com/go-playground/validator/v10 module
- Postgresql db intstance runs in a docker container
- start with
docker-compose up
- start with
More information is given in the repository README