<p>Hey, I'm looking to implement users authentication for my application and I'm not sure how to do it the go way. However, there's some options I got in my mind:</p>
<ol>
<li><p>Implementing my own auth system (pretty risky if done wrong)</p></li>
<li><p>Using a production ready Go auth package</p></li>
<li><p>Node.JS + PassportJS (been there, done it, but that's not prefered)</p></li>
</ol>
<p>Although second option seems the best, I'm not that used to go packages as I tend to use standard lib. Just wanna know if there's any solid auth package that people frequently use it in production, mostly looking for local authentication.</p>
<hr/>**评论:**<br/><br/>metamatic: <pre><p>What do you mean by "local"? Console, authenticating against <code>/etc/passwd</code>?</p></pre>shark1337: <pre><p>Email, Password authentication</p></pre>metamatic: <pre><p>So, SMTP or IMAP authentication, checked against /etc/passwd?</p>
<p>There are some <a href="https://golanglibs.com/top?q=passwd" rel="nofollow">passwd packages</a>, but I don't know how good they are. You might need to implement it yourself using <a href="https://github.com/incredlabs/goGetent" rel="nofollow">wrappers</a> to the underlying C routines, <code>getent</code>/<code>getpwnam</code>.</p>
<p>(You could read the files directly, but that's not a good idea because systems could be using LDAP or some other name service for system authentication.)</p>
<p>Or do you mean the credentials are going to be e-mail and password? That wasn't what I was asking about, I was asking about the protocol you're trying to add authentication to, and where the master credentials are going to be stored.</p></pre>shark1337: <pre><p>It was my mistake, in node.js they call it local authetication meaning email/password credentials. Just looking for something similar to PassportJS..</p></pre>metamatic: <pre><p>OK, so auth0, goji/httpauth, <a href="https://github.com/fernet/fernet-go" rel="nofollow">fernet</a>, many other options. Depends more precisely how you want it implemented and how you want it to behave.</p></pre>shark1337: <pre><p>Not looking for third party like auth0, just wanna do email registration..</p></pre>metamatic: <pre><p>Well, not auth0 then, but there are <a href="https://github.com/avelino/awesome-go#authentication--oauth" rel="nofollow">many other examples</a> of HTTP middleware for authentication.</p></pre>Redundancy_: <pre><p>I think it depends strongly on what general environment you work in.</p>
<p>The best situation you can put yourself in is not to have maintain lots of auth against lots of machines, and not to have to pass passwords in the clear to any server across http (or https).</p>
<p>So, based on that, I would suggest considering Kerberos (<a href="https://github.com/jcmturner/gokrb5" rel="nofollow">https://github.com/jcmturner/gokrb5</a>), ADFS or some other third party SSO like Okta, Google auth, Facebook etc.</p>
<p>HTTPS would make things easier, since you can use something simple like JWT if you wanted to.</p></pre>try2think1st: <pre><p>Have a look at Authboss (<a href="https://github.com/go-authboss/authboss" rel="nofollow">https://github.com/go-authboss/authboss</a>).
It includes email verification and password reset functionality and also provides OAuth2 login. Future v2 will also support JWT if that floats your boat.</p>
<p>And you are right, implementing it on your own is risky and is best example of reinventing the wheel.</p></pre>
