Logging in to web services

[Денис Мухортов]

Hi, I have a question that is difficult for me to describe, but at the level of fundamental questions about creating a web service. I have a problem that if a user logs into a profile, then another user will also get into his profile. Generally speaking, this is the property of any person who visits the site. I see a solution to the problem in two ways. I do not know if it is possible to somehow track connections and give each IP its own routine in which it worked. Or dynamic pages that can only be accessed if the request is successful. But again, some data in the structures may change due to another user logged into the profile. Maybe there is some other solution to this problem. I want to understand how it works on the web.

My project just in case: https://github.com/MukhortovDenis/goproject

[Brian Candler]

The problem is that you have a global variable giving "the currently logged in user":

userDefault = checkUser

Hence everyone sees the same user.

The way to deal with this is generally that when a user authenticates, you set a cookie in their session.  For every request, the cookie gives their identity.  Either the cookie is a long, unguessable string that's used as a key into a sessions table; or the cookie itself contains the identity (but in that case it needs to be cryptographically signed so that the user cannot modify the cookie to pretend to be another user).

Beware that multiple incoming HTTP requests can occur *concurrently*.  You will have race conditions if you try to access any global state during a web request, unless it's protected against concurrent access: go is not like python, there are genuine threads and no global interpreter lock, and concurrent accesses can cause your program to crash.

A simplistic way is to use sync.Map instead of a regular map, but you'll probably need to do quite a bit of reading around this topic if it's new to you.

[snmed]

Hi Denis,

I'm not sure if I understand your question correctly, but it seems to me that you need a context with user specific data. Therefore, I would create a handler that will add the current user to the context and then you can access it in every handler where you need it. User of your site must be identified by a token or cookie, normally this also known as session handling. There are several libraries that can be used for such kind of task see:

- https://pkg.go.dev/github.com/gorilla/sessions

- https://github.com/alexedwards/scs

Keep in mind that you do not store sensitive data in cookies, user identities must be kept on server and stored in a save manner.
One can use signed JWT tokens to store an users identity within the clients browser. 

Hope this helps

Cheers

[Brian Candler]

Oh I forgot: there's another, rather old-fashioned way to do this, called "HTTP Basic Authentication". With this, your application doesn't provide a login form at all: the browser itself prompts the user for their username and password.  The browser then sends the username and password with *every single request* in a header, and your application has to validate it, for every single request.

It's not something I'd recommend for new applications, but it's simple to implement.  Googling "go http basic authentication" should turn up some useful results.