Authboss v2

<p>Hello <a href="/r/golang">r/golang</a>. Today I put the finishing touches on Authboss v2&#39;s rc2. This was an extremely long time coming and so I&#39;m very happy to have delivered on it finally.</p> <p>Authboss helps solve http authentication (password recovery e-mails, user confirmation, oauth2) for the web. It&#39;s modular in that you can take what you want and nothing else, and it should integrate into any existing Go web stack fairly easily.</p> <p>v2 was about flexibility and type safety and I&#39;m happy to say it achieved both of these goals. Now it&#39;s time to collect feedback and do some finishing touches to see the full release which is why I&#39;m announcing the rc and not the full release :)</p> <p>Project link: <a href="https://github.com/volatiletech/authboss/tree/v2.0.0-rc2">https://github.com/volatiletech/authboss/tree/v2.0.0-rc2</a></p> <p>Mailing list announcement: <a href="https://groups.google.com/a/volatile.tech/forum/#!topic/authboss/SBfx0Bc5PNE">https://groups.google.com/a/volatile.tech/forum/#!topic/authboss/SBfx0Bc5PNE</a></p> <p>Hope it helps someone in their web adventures.</p> <hr/>**评论：**<br/><br/>edevil: <pre><p>Thank you for your work. Re-implementing web auth is one of the things that keeps me going back to Django.</p></pre>aarondl: <pre><p>Yep. This is one of the biggest reasons my last more serious projects ended up being rails. One of my other big pain points is databases and for that I made <a href="https://github.com/volatiletech/sqlboiler" rel="nofollow">https://github.com/volatiletech/sqlboiler</a> I mention it because maybe you share that pain not being able to use flask or what have you. :)</p></pre>edevil: <pre><p>Seems great! I&#39;m keeping it bookmarked.</p></pre>ChristophBerger: <pre><p>Be aware that <code>go get</code> always fetches the master branch.</p></pre>vic3lord: <pre><p>vgo get fixes that :)</p></pre>ChristophBerger: <pre><p>True but vgo is still an experiment. Many (if not most) Go users rely on a stable version of the Go toolchain.</p></pre>vic3lord: <pre><p>I agree</p></pre>mvrhov: <pre><p>Nice. </p> <p>I don&#39;t like the way tokens reset/confirm are implemented. </p> <p>IMO <a href="https://paragonie.com/blog/2017/02/split-tokens-token-based-authentication-protocols-without-side-channels" rel="nofollow">Split tokens</a> as described in the linked post are the secure way. And while in RC it&#39;s still time to fix that.</p></pre>aarondl: <pre><p>Will be looking at this in the coming days. Thanks for the link! </p></pre>i-dontevenseethecode: <pre><p>What’s the license?</p></pre>jere_jones: <pre><p>MIT</p></pre>Xeoncross: <pre><p>Authboss looks very complete and promising. Thanks for your work.</p> <p>I&#39;m wondering what type of overhead this adds to each HTTP request. I see tests but could you add some benchmarks? I would love to see allocs and memory usage.</p></pre>aarondl: <pre><p>Thanks for your kind comments. In terms of performance in Authboss there&#39;s two areas that we could be looking at.</p> <p>1) Authboss routes: this is logging in/out, confirming users etc. This stuff should all be accessed quite infrequently compared to the rest of the site, so I&#39;m pretty unconcerned about performance here.</p> <p>2) The rest of your site: Authboss supplies a few <a href="https://github.com/volatiletech/authboss-sample/blob/96684a765cfb0b28b3f663de7e0c1fc512b60616/blog.go#L228" rel="nofollow">middlewares</a> that you might want to use in your app. One of the main reasons I&#39;m not really concerned about these either is because they&#39;re very small and completely rewritable since Authboss doesn&#39;t hide anything and also all these middlewares are really doing is querying the database with code you wrote and doing session/cookie management with code you wrote and so the hotpaths would probably involve your own code if not more than Authboss code.</p> <p>So having said that performance isn&#39;t really a concern I currently have with this code (mostly because I&#39;m starting on sqlboiler v3 now and I&#39;d like to focus on that). It&#39;s not zero allocation because there&#39;s context.Context in use as well as a custom ResponseWriter, but I don&#39;t think there&#39;s anything prohibitively expensive but of course that depends on the use case. All abstractions come at a cost unfortunately.</p> <p>Importantly however, if someone raised performance concerns, or contributed benchmarks like you&#39;re wanting to see (hint hint) and things weren&#39;t where they should be I&#39;d commit to help fixing. I like fast and efficient things too! Thanks for bringing up the topic.</p> <p>edit: grammar</p></pre>