206

For those building RESTful APIs and JS front-end apps in Go, how are you managing authentication? Are you using any particular libraries or techniques?

I'm surprised to find so little discussion about this. I keep in mind answers like the following, and am trying to avoid developing my own implementation:

Authentication Form in ASP.Net

Is everybody coding their own solution, separately?

Community
  • 1
  • 1
SexxLuthor
  • 4,460
  • 3
  • 18
  • 25
  • 6
    Authentication depends a great deal on the type of application you are after. There is no one-size-fits-all solution. Additionally, it is a hard problem to solve. This is likely why you won't find any conclusive documentation. – jimt Aug 09 '14 at 13:20
  • 25
    Hey, thanks for the quick response. Understood, but most languages and frameworks have come up with authentication solutions that cover the most common authentication requirements shared by the majority of apps, and have broad community participation and support. I agree that it's a hard problem. Don't those benefit most from cooperative effort? (This isn't a complaint, because this is open source, but more of an observation that we're all reinventing the wheel. :) – SexxLuthor Aug 09 '14 at 13:33
  • 15
    @jimt The fact that it's a hard problem makes it even more important to supply us mortals with a cononical solution that we cannot get wrong. – tymtam Aug 22 '16 at 03:11
  • I'm voting to close this question as off-topic because it is a poll question. – Jonathan Hall Mar 10 '17 at 22:23

7 Answers7

123

This question gets a ton of views--and has a Popular Question badge--so I know there is a lot of latent interest in this topic, and many people are asking exactly the same thing and not finding answers on the Interwebs.

Most of the available information results in the textual equivalent of the hand wavy thing, left as an "exercise for the reader." ;)

However I've finally located one concrete example, (generously) provided by a member of the golang-nuts mailing list:

https://groups.google.com/forum/#!msg/golang-nuts/GE7a_5C5kbA/fdSnH41pOPYJ

This provides a suggested schema and server-side implementation as a basis for custom authentication. The client-side code is still up to you.

(I hope the author of the post sees this: Thanks!)

Excerpted (and reformatted):

"I would suggest something like the following design:

create table User (
 ID int primary key identity(1,1),
 Username text,
 FullName text,
 PasswordHash text,
 PasswordSalt text,
 IsDisabled bool
)

create table UserSession (
 SessionKey text primary key,
 UserID int not null, -- Could have a hard "references User"
 LoginTime <time type> not null,
 LastSeenTime <time type> not null
)
  • When a user logs in to your site via a POST under TLS, determine if the password is valid.
  • Then issue a random session key, say 50 or more crypto rand characters and stuff in a secure Cookie.
  • Add that session key to the UserSession table.
  • Then when you see that user again, first hit the UserSession table to see if the SessionKey is in there with a valid LoginTime and LastSeenTime and User is not deleted. You could design it so a timer automatically clears out old rows in UserSession."
SexxLuthor
  • 4,460
  • 3
  • 18
  • 25
  • 8
    We tend to like a self-contained site here at SO, so would you mind posting the solution here as well? Just in case the link changes in due time (link rot and what else...) Future visitors might be glad about this. – topskip Dec 14 '14 at 18:24
  • That's a fair question, respectfully put. Thank you. I've included the solution; do you think the author's name should also be included? (It's public, but I wonder about the etiquette of either option.) – SexxLuthor Dec 14 '14 at 18:57
  • I think it's good as it is. You don't claim to be the "owner" of this snippet, and I can't see that the original author of this snippet requires that every copy needs an attribution. (Only my two cents). – topskip Dec 14 '14 at 20:29
  • 40
    There should be no "PasswordSalt" field in your database, because you should use bcrypt as your hashing algorithm, which automatically creates a salt and includes it in the returned hash. Also use a constant time comparison function. – 0xdabbad00 Apr 22 '15 at 21:49
  • 4
    +1 for bcrypt. Also, gorilla sessions with its 'encryption' and 'authentication' keys would allow you securely store session information without using a DB table. – crantok Jun 29 '16 at 11:21
  • This pattern is essentially what asp.net membership has been since 2002 and .net 1.1. one difference is it doesnt use DB for user sessions (common performance bottleneck in most other Langs, like Python and PHP sessions). Instead, it relies on the decryption of the cookie to hold a valid state for the user. If running more than 1 web server, you have the option of sharing server-side stateful info with a Shared TCP port, or database. The latter being the major bottleneck at scale while the former had a single point of failure. – eduncan911 Jun 06 '17 at 16:08
21

Another possible solution is Authboss, recently announced on the mailing list.

(I haven't tried using this library.)

Also see Best way to make a webapp with user auth?

SexxLuthor
  • 4,460
  • 3
  • 18
  • 25
14

You would use middleware to do the authentication.

You can try go-http-auth for basic and digest authentication and gomniauth for OAuth2.

But how to authenticate really depends on your app.

Authentication introduces state/context into your http.Handlers and there have been some discussion about that lately.

Well known solutions to the context problem are gorilla/context and google context described here.

I made a more general solution without the need of global state in go-on/wrap that may be used together or without the other two and nicely integrates with context free middleware.

wraphttpauth provides integration of go-http-auth with go-on/wrap.

metakeule
  • 3,724
  • 2
  • 23
  • 29
  • There are so many new things with beginners. I wonder what kind of thing that a beginner should get started with it. `go-http-auth` or `gomniauth` or both of them? – Casper Jun 30 '16 at 02:29
  • Anyone here implemented OAuth 1.0 in golang? ConsumerKey and Secret based authentication? – user2888996 Jun 02 '20 at 11:55
  • How can i implement oAuth 1.0? Using Consumer Key and secret? Please help. I am not getting any library for same. – user2888996 Jun 02 '20 at 12:04
13

Answering this in 2018. I suggest using JWT(JSON Web Token). The answer you marked solved has drawback, which is the trip it did front(user) and back(server/db). What is worse if user did frequent request that need auth, will result in bloated request from/to server and database. To solve this use JWT which store the token in user end which can be used by user anytime it needs access/request. No need trip to database and server processing to check the token validity take short time.

mfathirirhas
  • 2,169
  • 5
  • 23
  • 35
  • The article here points out some flaws with this strategy: https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens. Essentially: a cookie is 6 bytes. JWTs require 300 bytes on the line. You're already hitting your database anyway. JWTs become (interesting? necessary?) when passing credentials to multiple microservices. – Dan Esparza Apr 20 '23 at 15:19
10

Honestly, there's a lot of authentication methods and techniques that you can mount into your application and that depends on applications business logic and requirements.
For example Oauth2, LDAP, local authentication, etc.
My answer assumes you are looking for local authentication which means you manage the user's identities in your application. The server must expose a set of external API allow users and admins Managing the accounts and how they want to identify themselves to Server to achieve trustable communication. you will end up creating a DB table holding the user's information. where the password is hashed for security purposes See How to store the password in the database

let assume app requirements to authenticate users based on one of the following methods:

  • basic authentication (username, password):
    This auth method depends on user credentials sets in Authorization header encoded in base64 and defined inrfc7617, basically when the app receives the user requests its decodes the authorization and re-hash the password to compare it within DB hash if it's matched the user authenticated otherwise return 401 status code to the user.

  • certificate-based authentication:
    This auth method depends on a Digital Certificate to identify a user, and it's known as x509 auth, so when the app receives the user requests it reads the client's certificate and verifies it that matches the CA Root certificate that is provided to the APP.

  • bearer token:
    This auth method depends on short-lived Access tokens, The bearer token is a cryptic string, usually generated by the server in response to a login request. so when the app receives the user requests it reads the authorization and validates the token to authenticate the user.

However, I'd recommend go-guardian for authentication library which it does through an extensible set of authentication methods known as strategies. basically Go-Guardian does not mount routes or assume any particular database schema, which maximizes flexibility and allows decisions to be made by the developer.

Setting up a go-guardian authenticator is straightforward.

Here the full example of the above methods.

package main

import (
    "context"
    "crypto/x509"
    "encoding/pem"
    "fmt"
    "io/ioutil"
    "log"
    "net/http"
    "sync"

    "github.com/golang/groupcache/lru"
    "github.com/gorilla/mux"
    "github.com/shaj13/go-guardian/auth"
    "github.com/shaj13/go-guardian/auth/strategies/basic"
    "github.com/shaj13/go-guardian/auth/strategies/bearer"
    gx509 "github.com/shaj13/go-guardian/auth/strategies/x509"
    "github.com/shaj13/go-guardian/store"
)

var authenticator auth.Authenticator
var cache store.Cache

func middleware(next http.Handler) http.HandlerFunc {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        log.Println("Executing Auth Middleware")
        user, err := authenticator.Authenticate(r)
        if err != nil {
            code := http.StatusUnauthorized
            http.Error(w, http.StatusText(code), code)
            return
        }
        log.Printf("User %s Authenticated\n", user.UserName())
        next.ServeHTTP(w, r)
    })
}

func Resource(w http.ResponseWriter, r *http.Request) {
    w.Write([]byte("Resource!!\n"))
}

func Login(w http.ResponseWriter, r *http.Request) {
    token := "90d64460d14870c08c81352a05dedd3465940a7"
    user := auth.NewDefaultUser("admin", "1", nil, nil)
    cache.Store(token, user, r)
    body := fmt.Sprintf("token: %s \n", token)
    w.Write([]byte(body))
}

func main() {
    opts := x509.VerifyOptions{}
    opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
    opts.Roots = x509.NewCertPool()
    // Read Root Ca Certificate
    opts.Roots.AddCert(readCertificate("<root-ca>"))

    cache = &store.LRU{
        lru.New(100),
        &sync.Mutex{},
    }

    // create strategies
    x509Strategy := gx509.New(opts)
    basicStrategy := basic.New(validateUser, cache)
    tokenStrategy := bearer.New(bearer.NoOpAuthenticate, cache)

    authenticator = auth.New()
    authenticator.EnableStrategy(gx509.StrategyKey, x509Strategy)
    authenticator.EnableStrategy(basic.StrategyKey, basicStrategy)
    authenticator.EnableStrategy(bearer.CachedStrategyKey, tokenStrategy)

    r := mux.NewRouter()
    r.HandleFunc("/resource", middleware(http.HandlerFunc(Resource)))
    r.HandleFunc("/login", middleware(http.HandlerFunc(Login)))

    log.Fatal(http.ListenAndServeTLS(":8080", "<server-cert>", "<server-key>", r))
}

func validateUser(ctx context.Context, r *http.Request, userName, password string) (auth.Info, error) {
    // here connect to db or any other service to fetch user and validate it.
    if userName == "stackoverflow" && password == "stackoverflow" {
        return auth.NewDefaultUser("stackoverflow", "10", nil, nil), nil
    }

    return nil, fmt.Errorf("Invalid credentials")
}

func readCertificate(file string) *x509.Certificate {
    data, err := ioutil.ReadFile(file)

    if err != nil {
        log.Fatalf("error reading %s: %v", file, err)
    }

    p, _ := pem.Decode(data)
    cert, err := x509.ParseCertificate(p.Bytes)
    if err != nil {
        log.Fatalf("error parseing certificate %s: %v", file, err)
    }

    return cert
}

Usage:

  • Obtain token:
curl  -k https://127.0.0.1:8080/login -u stackoverflow:stackoverflow
token: 90d64460d14870c08c81352a05dedd3465940a7
  • Authenticate with a token:
curl  -k https://127.0.0.1:8080/resource -H "Authorization: Bearer 90d64460d14870c08c81352a05dedd3465940a7"

Resource!!
  • Authenticate with a user credential:
curl  -k https://127.0.0.1:8080/resource -u stackoverflow:stackoverflow

Resource!!
  • Authenticate with a user certificate:
curl --cert client.pem --key client-key.pem --cacert ca.pem https://127.0.0.1:8080/resource

Resource!!

You can enable multiple authentication methods at once. You should usually use at least two methods

Community
  • 1
  • 1
shaj13
  • 101
  • 1
  • 3
6

Another open source package for handling authentication with cookies is httpauth.

(written by me, by the way)

Cameron Little
  • 3,487
  • 23
  • 35
1

Take a look at Labstack Echo - it wraps authentication for RESTful APIs and frontend applications into middleware that you can use to protect specific API routes.

Setting up basic authentication, for example, is as straightforward as creating a new subrouter for the /admin route:

e.Group("/admin").Use(middleware.BasicAuth(func(username, password string, c echo.Context) (bool, error) {
    if username == "joe" && password == "secret" {
        return true, nil
    }
    return false, nil
}))

See all of Labstack's middleware authentication options here.

Adil B
  • 14,635
  • 11
  • 60
  • 78