How are people managing authentication in Go? [closed]
This question gets a ton of views--and has a Popular Question badge--so I know there is a lot of latent interest in this topic, and many people are asking exactly the same thing and not finding answers on the Interwebs.
Most of the available information results in the textual equivalent of the hand wavy thing, left as an "exercise for the reader." ;)
However, I've finally located one concrete example, (generously) provided by a member of the golang-nuts mailing list:
https://groups.google.com/forum/#!msg/golang-nuts/GE7a_5C5kbA/fdSnH41pOPYJ
This provides a suggested schema and server-side implementation as a basis for custom authentication. The client-side code is still up to you.
(I hope the author of the post sees this: Thanks!)
Excerpted (and reformatted):
"I would suggest something like the following design:
create table User (
ID int primary key identity(1,1),
Username text,
FullName text,
PasswordHash text,
PasswordSalt text,
IsDisabled bool
)
create table UserSession (
SessionKey text primary key,
UserID int not null, -- Could have a hard "references User"
LoginTime <time type> not null,
LastSeenTime <time type> not null
)
- When a user logs in to your site via a POST under TLS, determine if the password is valid.
- Then issue a random session key, say 50 or more crypto rand characters and stuff in a secure Cookie.
- Add that session key to the UserSession table.
- Then when you see that user again, first hit the UserSession table to see if the SessionKey is in there with a valid LoginTime and LastSeenTime and User is not deleted. You could design it so a timer automatically clears out old rows in UserSession."
Another possible solution is Authboss, recently announced on the mailing list.
(I haven't tried using this library.)
Also see Best way to make a webapp with user auth?
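The session design quoted above (random key from crypto/rand, secure cookie, UserSession row checked on every request with login and last-seen times), worked through as an added Go example; this is not code from the question or from the mailing-list post it quotes, and SessionStore is a hypothetical in-memory stand-in for the UserSession table.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"time"
)

type Session struct {
	UserID                  int
	LoginTime, LastSeenTime time.Time
}

// SessionStore is a hypothetical stand-in for the UserSession table (not safe for concurrent use).
type SessionStore struct {
	Sessions map[string]Session
	Idle     time.Duration // max gap between requests before the session dies
	Absolute time.Duration // max lifetime since login, however active
}

// Issue creates a session for userID at time now; the key is 64 URL-safe chars from 48 crypto/rand bytes.
func (s *SessionStore) Issue(userID int, now time.Time) (string, error) {
	b := make([]byte, 48)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	key := base64.RawURLEncoding.EncodeToString(b)
	s.Sessions[key] = Session{UserID: userID, LoginTime: now, LastSeenTime: now}
	return key, nil
}

// Lookup is the per-request check: key must exist and be inside both timeouts; a dead row is deleted.
func (s *SessionStore) Lookup(key string, now time.Time) (int, bool) {
	sess, ok := s.Sessions[key]
	if !ok || now.Sub(sess.LastSeenTime) > s.Idle || now.Sub(sess.LoginTime) > s.Absolute {
		delete(s.Sessions, key)
		return 0, false
	}
	sess.LastSeenTime = now
	s.Sessions[key] = sess
	return sess.UserID, true
}

// SessionCookie is what the login handler sets: HttpOnly hides the key from scripts, Secure keeps it off plain HTTP.
func SessionCookie(key string) *http.Cookie {
	return &http.Cookie{Name: "session", Value: key, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}
```

The timer-based cleanup the post mentions is covered here lazily: an expired row is removed the moment it is looked up.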
You would use middleware to do the authentication.
You can try go-http-auth for basic and digest authentication and gomniauth for OAuth2.
But how to authenticate really depends on your app.
Authentication introduces state/context into your http.Handlers, and there has been some discussion about that lately.
Well known solutions to the context problem are gorilla/context and google context described here.
I made a more general solution without the need for global state in go-on/wrap that may be used together with or without the other two and nicely integrates with context-free middleware.
wraphttpauth provides integration of go-http-auth with go-on/wrap.
Answering this in 2018. I suggest using JWT (JSON Web Token). The answer you marked as solved has a drawback, which is the round trip it makes between the front (user) and the back (server/db). What is worse, if the user makes frequent requests that need auth, it will result in bloated requests from/to the server and database. To solve this, use JWT, which stores the token on the user's end, where it can be used by the user any time it needs access/makes a request. No trip to the database is needed, and the server processing to check the token's validity takes a short time.