0

I am building a reservation system in Google App Engine using Go. I need 2 forms of authentication in my program.

  1. Public Form -- form built in Angular that is on our public website. I want my front-end to have some sort of credentials.json file to use when requesting the book and getOpenDates endpoints in my RESTful API running in Go on Google App Engine.
  2. Private Companion App -- protected by username and password that the user supplies in my app built in Flutter. The app is requesting many endpoints in App Engine. I would like to use JWT to authenticate this portion, but I'm not 100% sure JWT is what I need.

I'm not sure if this tutorial on Identity Platform is what I want. I'm very new to App Engine and authentication in general, so I am a bit lost.

Please describe how I could implement these authentication methods in my RESTful API in Go running on Google's App Engine. I think I may be able to implement the username/password method using a tutorial like this, but I'm very lost on the 1st form of authentication with just a credentials file as authentication. If I'm going in the completely wrong direction to accomplish what I want, please tell me, but what I'm looking for is code or a tutorial describing how to authenticate using these 2 methods. Thanks for any help.

Gabe

1 Answer

1

From what I understand, you want to have a golang backend API in App Engine that serves both your web frontend (1.) and your users app (2.).

I am going to suppose that any user with username/password can use both your frontends: the web app and the mobile app with these credentials.

The credentials.json files are not designed to authenticate users of your services, but rather for server-to-server communication.

With that in mind, I have found the guide Session based authentication in golang, which could help you to set up your backend to accept only authenticated requests over HTTPS. The web browser will automatically save the cookie; however, you need to store the cookie in your mobile app.

For much more complicated scenarios for authenticating from different webpages, it is required to use OAuth2, as you can see in this thread. If you don't find any of your requirements listed in here, it is probably overkill to use Auth0 or OAuth2.

Juancki
  • Thanks for your info, though I'm confused about one part. Your session-based authentication link is good, but I don't want the user to log in. This web application is just a form on a public website, similar to a "Contact Us" form. I want to prevent other people from finding the URL for the endpoint of my API and spamming it or getting other data, so only my form can access the backend. How would I accomplish this? Thanks again for your input! – Gabe Feb 26 '20 at 15:50
  • I do not understand how you are trying to hide the URL of the API, nor how it is related to the original question `Please describe how I could implement these authentication methods in my RESTful API in Go running on Google's App Engine.` Could you elaborate more please? – Juancki Feb 26 '20 at 16:38
  • Sorry for the late response, I'm not necessarily trying to hide the URL of the API, but I'm trying to limit who can access it. So what I would like to do is make it so only my web page can access the API through some credential system – Gabe Feb 29 '20 at 18:08
  • Then you need to follow OAuth method linked in the above answer. – Waelmas Mar 06 '20 at 14:48
  • @Juancki and @Waelmas, I noticed the link you sent me for Session based authentication in golang uses `Redigo` as a cache. I'm wondering what is `Redigo`, and what do I set it to when I run it in GAE? – Gabe Mar 14 '20 at 18:21
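
The session-cookie approach described in the answer, as an added example that is not code from the answer or from the linked guide: a login handler issues a random token in a `Secure`, `HttpOnly` cookie, and a middleware rejects requests without a live session. The cookie name, the `demo` user, the `/private` route and the in-process map (standing in for a shared session cache) are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"sync"
	"time"
)

// sessions maps token -> expiry. In-memory stand-in (assumption) for a shared
// session cache; it is lost on restart and not shared between instances.
var sessions sync.Map

func checkPassword(user, pass string) bool { // hypothetical placeholder for a salted-hash lookup
	return user == "demo" && subtle.ConstantTimeCompare([]byte(pass), []byte("constructed-password")) == 1
}

// login issues a random session token in a Secure, HttpOnly cookie; it fails closed.
func login(w http.ResponseWriter, r *http.Request) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil || !checkPassword(r.PostFormValue("username"), r.PostFormValue("password")) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	token, exp := hex.EncodeToString(raw), time.Now().Add(30*time.Minute)
	sessions.Store(token, exp)
	http.SetCookie(w, &http.Cookie{Name: "session_token", Value: token, Expires: exp,
		Path: "/", Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode})
}

// requireSession rejects requests lacking a known, unexpired session cookie.
func requireSession(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session_token"); err == nil {
			if exp, ok := sessions.Load(c.Value); ok && time.Now().Before(exp.(time.Time)) {
				next(w, r)
				return
			}
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	}
}

func main() {
	http.HandleFunc("/login", login)
	http.HandleFunc("/private", requireSession(func(w http.ResponseWriter, r *http.Request) {})) // hypothetical route
	http.ListenAndServe(":8080", nil)
}
```

A mobile client has to keep the `session_token` value from the login response and send it back in the `Cookie` header on later requests, since it has no browser cookie jar doing that for it.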