Help a beginner understand authentication in Go.

xuanbao · 553 views
I need to add user authentication in a Go app I am writing. However, I have zero experience with login. All I know is that I need to store only the hash of the password in my db. I would really appreciate it if someone would break it down for me or point me to a good tutorial. Thanks!

**Comments:**

titpetric:

There are various ways you can store passwords in a database. MySQL for example provides a PASSWORD() function, and you could use [x/crypto/bcrypt](https://godoc.org/golang.org/x/crypto/bcrypt) if you want to hash the password in Go. I think [this part of a larger Go book](https://astaxie.gitbooks.io/build-web-application-with-golang/en/09.5.html) should explain the how and the why. I can also suggest googling a bit :)

tomtom5152:

Please for the love of Christmas pudding follow the MySQL docs and [DO NOT USE THE PASSWORD() FUNCTION FOR USER PASSWORDS](https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password). I apologise for the capitals but I cannot stress this enough; it is just two rounds of MD5. A better suggestion would be to use bcrypt, PBKDF2, or any of the other numerous dedicated password salting and hashing functions.

There's a [Go port of passlib](https://github.com/hlandau/passlib) which is pretty good for this (my PBKDF2 PR is pending), and the upstream [Python passlib](https://passlib.readthedocs.io/en/stable/) is really good for explaining things and the different algorithms.

titpetric:

You are absolutely correct, citing the MySQL manual entry for the PASSWORD function:

> PASSWORD() is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider a more secure function such as AES_ENCRYPT() or SHA2() instead. Also see RFC 2195, section 2 (Challenge-Response Authentication Mechanism (CRAM)), for more information about handling passwords and authentication securely in your applications.

Anyhow, yes, a better hashing algo function should be used. I'd go with that lib I linked myself, or at least a salted SHA-1 hash (at the very least). There are libraries that enable you to sort of upgrade your hashes as they are used (recreating them on a more secure one). Also, for the love of Easter eggs, of course you should use your head and not just copy-paste some tutorials (to OP).

septaaa:

[This](https://crackstation.net/hashing-security.htm) article really helped me understand the topic better. It's not specific to Go, but might still be useful to you.

cheeseboythrowaway:

I don't know much about Go web authentication libraries but I do greatly recommend not reinventing the wheel. Do something that someone else has done before. There are many mistakes one can make, and when you write authentication code you are playing for all the marbles and it is a big deal. Use the experience of others that have already made those mistakes to your advantage.

The basic login mechanism is: get username and password from the user, hash their password (bcrypt is objectively the correct choice), compare the hash to the usernames/hashes in your DB and if you successfully make the lookup, issue that user a cookie you signed. When checking if a user is logged in, you check the sig on their cookie and if it's valid and the cookie is not expired, they are authenticated. You need some kind of form so users can create their accounts and set passwords.

I guarantee someone has already implemented a library that makes this easy for you. Use it. I'm sorry I don't have specifics for you, I've only done auth code in Python.

lectorlector:

User authentication in Go has the same concepts as authentication in other languages like Python, Node.js, Java, ... maybe this link helps: http://lmgtfy.com/?q=golang+authentication+tutorial

Usually people use JWT (JSON Web Tokens): https://jwt.io/

tv64738:

https://storify.com/jcuid/thomas-h-ptacek-don-t-use-json-web-tokens

hybsuns:

A simple implementation would be like this: receive the password as plain text from the client through HTTPS or some encrypted way; hash the password using SHA-256 with a randomly generated salt; save the salt and hashed password in your database; when the user logs in the next time, hash the received password with the stored salt and compare the result with the stored hashed password. The hashed password and salt are slices of bytes, so when you compare the result you will need to use a deep-equal function.

tcrypt:

Use [bcrypt](https://gowebexamples.com/password-hashing/) instead of SHA-256. SHAs are not sufficient password hashing algorithms; they're too fast. Additionally, modern password hashing algorithms like bcrypt and scrypt handle the lower-level details like salting for you, so you don't have to deal with it and can't screw it up.

Bappedekkel:

To add yet another option: use both. bcrypt implementations either truncate passwords at 72 bytes (which reduces the entropy of the passphrase), or they don't, [which might leave you open to DoS attacks](https://arstechnica.com/information-technology/2013/09/long-passwords-are-good-but-too-much-length-can-be-bad-for-security/) if some clever user tries to send you their 5MB passphrase.

To add a simple example of how this can be done:

```go
import (
	"crypto/sha512"
	"fmt"

	"golang.org/x/crypto/bcrypt"
)

// User holds the bcrypt hash of sha512(password), produced the same way at sign-up.
type User struct{ HashedPassword []byte }

// SHA-512 first, so bcrypt only ever sees a fixed 64-byte input; bcrypt then does the slow, salted comparison.
func (u *User) CheckPassword(password string) error {
	h := sha512.New()
	fmt.Fprint(h, password)
	return bcrypt.CompareHashAndPassword(u.HashedPassword, h.Sum(nil))
}
```

ScreamingTaco45:

Thank you! That was a very helpful description.

hell_0n_wheel:

[Here's a description with code](https://astaxie.gitbooks.io/build-web-application-with-golang/en/09.5.html)... note that bcrypt is recommended over SHAs.

icetheace:

Well, I can't really say how secure is secure, but here is a basic breakdown. I love his code because it's so readable. I'm sure it's not production ready, but a good start.

https://github.com/GoesToEleven/golang-web-dev/tree/master/030_sessions

Or take his class: https://www.greatercommons.com

Really, really, really nice guy. Or just message him on Twitter.

beowulf_71:

I have two thoughts on the topic. Lately it seems a lot more sites are moving towards passwordless mechanisms.. in particular, a magic link like how Slack allows you to get a link via email, then just auto-log in when you start Slack up. Using a cookie in a browser or the newer HTML5 storage mechanism to send the token in on each request, but also have it have some sort of configurable configuration period, would at least allow a quicker/faster/easier login (though it does take on 2 trips to get the link after entering email to then be able to log in). Some will use that method for every login.. e.g. no cookie/storage cache.. every time you just enter email, get the link, then log in that way. I like the idea somewhat.. but not quite sure if the long-lived magic link process is safe or not.

The other thought.. and sorry this isn't an implementation thing.. but LastPass and such are really good password managers these days, and work across devices. So using a tried/tested way some other replies have provided.. and maybe hinting at the use of LastPass to manage passwords and provide strong odd passwords instead of the user entering simple ones (enforce it even), is a better way to go.

I too would like to know if there is some better way to avoid username/password logins though. Why I like the first passwordless option is that for a consumer site, it gets you "signed up" faster because they enter their email, which not only is now used as a username (and is unique), but it also gets them logged in as soon as they check email and verify the email by clicking on the link.. you sort of kill two birds with one stone and the consumer gets in and uses your site sooner.
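As an added example (not from the thread, nor from any library it mentions), here is the flow cheeseboythrowaway lays out, written in Go on the standard library alone: hash on sign-up, verify on login, then issue a signed cookie and check its signature and expiry on each request. Because bcrypt lives outside the standard library, the slow hash here is PBKDF2-HMAC-SHA256, which tomtom5152 also suggests, written out in full; the record format, the cookie layout, the iteration count and the signing key are this example's own assumptions.

```go
// Added example, not the thread's code: cheeseboythrowaway's login flow on the Go
// standard library only. bcrypt needs golang.org/x/crypto, so the slow hash is
// PBKDF2-HMAC-SHA256 (tomtom5152's other pick) written out; formats and key are mine.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

var (
	PBKDF2Iterations = 600_000                                          // exported so a caller or test can tune it
	sessionKey       = []byte("example-only-session-signing-key") // constructed; load from config in real code
)

// pbkdf2 is RFC 8018 section 5.2 with HMAC-SHA256 as the PRF.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T  = U1 xor U2 xor ... xor Uc
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword returns "pbkdf2-sha256$iter$salt$hash"; only this record is stored, never the password.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	enc := base64.RawStdEncoding.EncodeToString
	dk := pbkdf2([]byte(password), salt, PBKDF2Iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", PBKDF2Iterations, enc(salt), enc(dk)), nil
}

// VerifyPassword recomputes with the stored salt and iteration count and compares in constant time.
func VerifyPassword(stored, password string) bool {
	p := strings.Split(stored, "$")
	if len(p) != 4 || p[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(p[1])
	salt, err2 := base64.RawStdEncoding.DecodeString(p[2])
	want, err3 := base64.RawStdEncoding.DecodeString(p[3])
	if err != nil || err2 != nil || err3 != nil || iter < 1 || len(want) == 0 {
		return false
	}
	got := pbkdf2([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

// sign returns base64(HMAC-SHA256(sessionKey, payload)).
func sign(payload string) string {
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// IssueSession builds the cookie value "user|expiry-unix|signature" after a successful login.
func IssueSession(user string, nowUnix, ttlSeconds int64) string {
	payload := fmt.Sprintf("%s|%d", user, nowUnix+ttlSeconds)
	return payload + "|" + sign(payload)
}

// CheckSession returns the user only if the signature verifies and the expiry
// has not passed; nothing in the payload is trusted before both checks.
func CheckSession(cookie string, nowUnix int64) (string, error) {
	i := strings.LastIndex(cookie, "|")
	if i < 0 || !hmac.Equal([]byte(cookie[i+1:]), []byte(sign(cookie[:i]))) {
		return "", fmt.Errorf("missing or bad signature")
	}
	payload := cookie[:i]
	j := strings.LastIndex(payload, "|")
	exp, err := strconv.ParseInt(payload[j+1:], 10, 64)
	if j < 0 || err != nil || nowUnix >= exp {
		return "", fmt.Errorf("malformed or expired session")
	}
	return payload[:j], nil
}
```

Usage follows the order in the post: `HashPassword` at sign-up, `VerifyPassword` at login, `IssueSession` once that returns true, and `CheckSession` on every later request. With x/crypto available, the two password functions collapse to `bcrypt.GenerateFromPassword` and `bcrypt.CompareHashAndPassword` (the call in Bappedekkel's snippet) and the session half is unchanged. Two details raised in the thread are visible here: the comparison goes through `crypto/subtle` rather than a deep-equal, and the iteration count travels with the record, which is what makes the "upgrade hashes as they are used" that titpetric mentions possible on a later successful login.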
