I am starting Golang and I am looking for a example to Login, Logout, Signup..
267 views
Skip to first unread message
henri...@gmail.com
Mar 19, 2019, 7:50:19 PM3/19/19
to golang-nuts
Let me first tell you I am new to Golang.
I am looking for the code of an example web application with a simple Login, Logout, Signup page (With or without social network login). I tried google and nothing conclusive came out.
Obviously I need something to protect against CSRF, hashed password, ect).
I am surprise I have trouble finding this since any one starting a project needs this now a days.
anyone knows where I can find this?
Marcin Romaszewicz
Mar 19, 2019, 11:12:11 PM3/19/19
to henri...@gmail.com, golang-nuts
I build these kinds of things for a living, and sadly, there isn't very much in pure Go that I'm aware of to do this. I have a bunch of Go code which I use to do this, but sadly, I can't share it yet, as I'm working on getting approval to open source it.
The quickest way might be to put a SAML or Oauth2 proxy in front of your service, for example, this is a good one despite being abandoned: https://github.com/bitly/oauth2_proxy. You would run this as your internet facing service, which would authenticate your users, then it would proxy the requests to your actual API server once they pass auth. You can look through their code for inspiration. It's really subtle to get a proper identity provider workflow going, so it's best to borrow someone else's work if you can. It's inefficient to proxy like this, but it could let you get something up and running, and punt the problem of actual secure signup to your ID provider.
Your signup workflow would go through your identity provider, and assuming it's Oauth2 compliant, you could use this proxy to authenticate. I also came across this tutorial, which is pretty good: https://tutorialedge.net/golang/go-oauth2-tutorial/
Session token workflows are generally pretty custom to their application, so writing general purpose tools is pretty tricky, particularly given that secure login is fraught with many non-obvious security holes. Every identity provider, Google, Facebook, Okta, and friends do their own "special" thing which makes you write a custom login flow for each of them. You will have to decide on the login flow to support, and find libraries which implement their spec, for Google Oidc, for example, you could use https://github.com/coreos/go-oidc
If I could make a recommendation, use a standard SAML login process, which produces JWT's as session tokens, which you control. Authenticate the session tokens using a JWT library, https://github.com/lestrrat-go/jwx being one of the best from a usability standpoint. When you control your own session JWT's, you can put whatever you want in them without having to hit the DB to check access permissions, and if you stick to known secure signatures, like HMAC256 or ES256, you'll be pretty secure (assuming everything is running on top of TLS).
Anyhow, good luck. You're off the well beaten path here, and into custom craftsmanship territory.
If I could make a recommendation, use a standard SAML login process, which produces JWT's as session tokens, which you control. Authenticate the session tokens using a JWT library, https://github.com/lestrrat-go/jwx being one of the best from a usability standpoint. When you control your own session JWT's, you can put whatever you want in them without having to hit the DB to check access permissions, and if you stick to known secure signatures, like HMAC256 or ES256, you'll be pretty secure (assuming everything is running on top of TLS).
Anyhow, good luck. You're off the well beaten path here, and into custom craftsmanship territory.
-- Marcin
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
gran...@gmail.com
Mar 20, 2019, 7:36:19 PM3/20/19
to golang-nuts
Have you checked this? https://gist.github.com/mschoebel/9398202
Josh Kamau
Mar 21, 2019, 2:12:17 AM3/21/19
to gran...@gmail.com, golang-nuts
In golang you have to mix and match various libraries.
- For CSRF, I use http://www.gorillatoolkit.org/pkg/csrf
- For password encryption, I use https://godoc.org/golang.org/x/crypto/bcrypt
I like using golang without a comprehensive web framework because I understand all the pieces involved in my web app and how each work.
Thanks
Josh
On Thu, Mar 21, 2019 at 2:36 AM <gran...@gmail.com> wrote:
Have you checked this? https://gist.github.com/mschoebel/9398202
--
henri...@gmail.com
Mar 21, 2019, 8:54:21 AM3/21/19
to golang-nuts
Thanks
anderson....@gmail.com
Mar 24, 2019, 12:55:26 AM3/24/19
to golang-nuts
Hi, I have few examples that I developed.
Here is the link: https://github.com/sandeepkalra/mv-backend/
The auth module shows what you are looking for
Thanks,
Sandeep Kalra
HENRI KNAFO
Mar 25, 2019, 11:47:30 PM3/25/19
to anderson....@gmail.com, golang-nuts
Hi Sandeep,
This is awesome! That is what I was looking for to start.
Many thanks for sharing.
Henri
--
You received this message because you are subscribed to a topic in the Google Groups "golang-nuts" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/golang-nuts/Kl2pKcBb3TA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Henri Knafo
364 Dufferin,
H3X 2Y3
Montreal, Quebec
364 Dufferin,
H3X 2Y3
Montreal, Quebec
Reply all
Reply to author
Forward
0 new messages