[DEPRECATED] authentication API for Go web applications

go.auth

An HTTP authentication API for the Go programming language. It integrates with third-party auth providers to add security to your web application.

go get github.com/dchest/authcookie
go get github.com/bradrydzewski/go.auth

Python's Tornado framework, specifically their auth module, was the main inspiration for this library.

THIS LIBRARY IS BEING ACTIVELY DEVELOPED. THE API IS CHANGING WEEKLY.

Providers

The following auth providers are supported:

  • Github OAuth 2.0 demo
  • Google OAuth 2.0 demo
  • Google OpenId 2.0 demo
  • Twitter OAuth 1.0a demo
  • Bitbucket OAuth 1.0a demo

See the multi-provider demo application to provide your users multiple login options.

We plan to add support for the following providers:

  • Facebook
  • LinkedIn

Sample Code

Example program using the Github OAuth auth provider:

// Set the default authentication configuration parameters
auth.Config.CookieSecret         = []byte("asdfasdfasfasdfasdfafsd")
auth.Config.LoginRedirect        = "/auth/login" // send user here to login
auth.Config.LoginSuccessRedirect = "/private"    // send user here post-login
auth.Config.CookieSecure         = false         // for local-testing only

// Create your login handler
githubHandler := auth.Github(githubAccessKey, githubSecretKey)
http.Handle("/auth/login", githubHandler)

// Example of a public http handler
http.HandleFunc("/public", Public)

// Example of a secured http handler
http.HandleFunc("/private", auth.SecureFunc(Private))

It is important to note that we have set auth.Config.CookieSecure to false because we are testing locally, without using SSL. In production this flag should ALWAYS be set to true and used in conjunction with SSL.

User data

The auth.SecureFunc wraps a standard http.HandlerFunc and injects the username into the http request's r.URL.User.Username() field:

func Private(w http.ResponseWriter, r *http.Request) {
	user := r.URL.User.Username()
}

If you want additional user data you must implement our custom handler, and wrap it with the auth.SecureUserFunc. This adds an additional User parameter to your method signature that provides the full set of available user data:

func Private(w http.ResponseWriter, r *http.Request, u auth.User) {
	username := u.Id()
	fullname := u.Name()
	avatar := u.Picture()
	email := u.Email()
	// ...
}

http.HandleFunc("/foo", auth.SecureUserFunc(Private))

Configuration

go.auth uses the following default parameters which can be configured:

| Variable | Description | Default Value |
| --- | --- | --- |
| auth.Config.CookieName | name of the secure cookie | "UID" |
| auth.Config.CookieSecret | key used to encrypt the cookie value | nil |
| auth.Config.CookieSecure | set the cookie's secure flag (true/false) | true |
| auth.Config.CookieHttpOnly | set the cookie's HttpOnly flag (true/false) | true |
| auth.Config.CookieExp | amount of time before cookie expires | time.Hour * 24 * 14 |
| auth.Config.LoginRedirect | where to re-direct a user that is not authenticated | "/auth/login" |
| auth.Config.LoginSuccessRedirect | where to re-direct a user once authenticated | "/" |

Example:

auth.Config.LoginRedirect = "/auth/login/google"
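The local-testing sample under Sample Code hard-codes a short CookieSecret and sets CookieSecure to false. The following is an added example, not code from go.auth: it audits those cookie settings before deployment and generates a random secret. CookieConfig, NewCookieSecret and Audit are hypothetical names that stand in for the auth.Config fields in the table, and the 32-byte minimum is this example's assumption.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// CookieConfig is a stand-in for the cookie fields of auth.Config listed in
// the table above. It is defined for this example, not taken from go.auth.
type CookieConfig struct {
	CookieSecret   []byte
	CookieSecure   bool
	CookieHttpOnly bool
}

// NewCookieSecret returns 32 bytes from the operating system's CSPRNG.
func NewCookieSecret() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// Audit lists the settings that are unsafe outside local testing.
// The 32-byte minimum is this example's threshold, not a go.auth rule.
func Audit(c CookieConfig) []string {
	var findings []string
	if len(c.CookieSecret) < 32 {
		findings = append(findings, "CookieSecret is unset or shorter than 32 bytes")
	}
	if !c.CookieSecure {
		findings = append(findings, "CookieSecure is false: cookie is sent over plain HTTP")
	}
	if !c.CookieHttpOnly {
		findings = append(findings, "CookieHttpOnly is false: cookie is readable by page scripts")
	}
	return findings
}

func main() {
	sample := CookieConfig{[]byte("asdfasdfasfasdfasdfafsd"), false, true} // README's local-testing values
	fmt.Println("sample:", Audit(sample))
	secret, err := NewCookieSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println("hardened:", Audit(CookieConfig{secret, true, true}))
}
```

In a real deployment the generated secret has to be stored and reused across restarts, otherwise existing login cookies stop validating.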