HTTP Authentication middlewares
Go

README.md

goji/httpauth GoDoc Build Status

httpauth currently provides HTTP Basic Authentication middleware for Go. It is compatible with Go's own net/http, goji, Gin & anything that speaks the http.Handler interface.

Example

httpauth provides a SimpleBasicAuth function to get you up and running. Particularly ideal for development servers.

Note that HTTP Basic Authentication credentials are sent over the wire "in the clear" (read: plaintext!) and therefore should not be considered a robust way to secure a HTTP server. If you're after that, you'll need to use SSL/TLS ("HTTPS") at a minimum.

Install It

$ go get github.com/goji/httpauth

Goji v2

Simple Usage

The fastest and simplest way to get started using httpauth is to use the SimpleBasicAuth function.

package main

import(
    "net/http"

    "goji.io"
)

func main() {
    mux := goji.NewMux()

    mux.Use(httpauth.SimpleBasicAuth("dave", "somepassword"))
    mux.Use(SomeOtherMiddleware)

    // YourHandler now requires HTTP Basic Auth
    mux.Handle(pat.Get("/some-route"), YourHandler))

    log.Fatal(http.ListenAndServe("localhost:8000", mux))
}

Advanced Usage

For more control over the process, pass a AuthOptions struct to BasicAuth instead. This allows you to:

  • Configure the authentication realm.
  • Provide your own UnauthorizedHandler (anything that satisfies http.Handler) so you can return a better looking 401 page.
  • Define a custom authentication function, which is discussed in the next section.
func main() {

    authOpts := httpauth.AuthOptions{
        Realm: "DevCo",
        User: "dave",
        Password: "plaintext!",
        UnauthorizedHandler: myUnauthorizedHandler,
    }

    mux := goji.NewMux()

    mux.Use(BasicAuth(authOpts))
    mux.Use(SomeOtherMiddleware)

    mux.Handle(pat.Get("/some-route"), YourHandler))

    log.Fatal(http.ListenAndServe("localhost:8000", mux))
}

Custom Authentication Function

httpauth will accept a custom authentication function. Normally, you would not set AuthOptions.User nor AuthOptions.Password in this scenario. You would instead validate the given credentials against an external system such as a database. The contrived example below is for demonstration purposes only.

func main() {

    authOpts := httpauth.AuthOptions{
        Realm: "DevCo",
        AuthFunc: myAuthFunc,
        UnauthorizedHandler: myUnauthorizedHandler,
    }

    mux := goji.NewMux()

    mux.Use(BasicAuth(authOpts))
    mux.Use(SomeOtherMiddleware)

    mux.Handle(pat.Get("/some-route"), YourHandler))

    log.Fatal(http.ListenAndServe("localhost:8000", mux))
}

// myAuthFunc is not secure.  It checks to see if the password is simply
// the username repeated three times.
func myAuthFunc(user, pass string, r *http.Request) bool {
    return pass == strings.Repeat(user, 3)
}

gorilla/mux

Since it's all http.Handler, httpauth works with gorilla/mux (and most other routers) as well:

package main

import (
    "net/http"

    "github.com/goji/httpauth"
    "github.com/gorilla/mux"
)

func main() {
    r := mux.NewRouter()

    r.HandleFunc("/", YourHandler)
    http.Handle("/", httpauth.SimpleBasicAuth("dave", "somepassword")(r))

    http.ListenAndServe(":7000", nil)
}

func YourHandler(w http.ResponseWriter, r *http.Request) {
    w.Write([]byte("Gorilla!\n"))
}

net/http

If you're using vanilla net/http:

package main

import(
    "net/http"

    "github.com/goji/httpauth"
)

func main() {
    http.Handle("/", httpauth.SimpleBasicAuth("dave", "somepassword")(http.HandlerFunc(YourHandler)))
    http.ListenAndServe(":7000", nil)
}

Contributing

Send a pull request! Note that features on the (informal) roadmap include HTTP Digest Auth.

License

MIT Licensed. See the LICENSE file for details.