User Authentication in Go

agolangf · 490 views
I've started a new project and am looking for a good package to implement user authentication. I'm not really looking to implement it by myself since there could be possible security issues. What I'm really looking for is a package similar to [passport-js](http://passportjs.org/) that implements vanilla authentication with register/login methods (no auth0 needed). I've been checking the awesome-go list and [authboss](https://github.com/go-authboss/authboss) seems to do it, but it has a coverage of 73% on GitHub.

TL;DR: Looking for a well-tested package to implement vanilla authentication with login/register methods.

---

**Comments:**

**tscs37:** 73% is not a bad coverage and afaik the authboss package works very well.

I recommend to drop looking at raw testing metrics as a measurement of package quality, it's not possible to test 100% of all code.

Instead, you should look at what is and isn't tested and how.

**Muchoz:** Exactly this. It's not because the code has coverage that it is bug free. I can have 100% coverage and have the most insecure library.

**NikkoTheGreeko:** Just talk nice to it and compliment it more often.

**alireza94:** In this regard, [The Epic Fail of Enforcing Unit Tests](https://xinhuang.github.io/posts/2017-02-27-the-epic-fail-of-enforcing-unit-tests.html).

**thewhitetulip:** I don't think you should start with OAuth, start with implementing your own version using gorilla/sessions for stateful and JWT tokens for RESTful API, you can read more about them here, <https://github.com/thewhitetulip/web-dev-golang-anti-textbook/blob/master/manuscript/4.0authentication.md>

**Yojihito:** JWT tokens can't be revoked ....

**mcouturier:** Use a short lived one and revoke the refresh token

**xyproto:** [permissions2](https://github.com/xyproto/permissions2) uses bcrypt, secure cookies and redis. It's easy to get started with, fast and hashes passwords in a way that may prevent timing attacks.

Disclaimer: it's written by me, but it's fairly popular on GitHub.

**Keshenka:** Nice documentation. The examples were very helpful.

**sairamk:** I recently came across [MultiPass](https://github.com/namsral/multipass) if you are looking for a username type auth without a password which I was planning to use for my next project.

I use [Goth](https://github.com/mbates/goth) for a hosted project ([GitNotify](https://github.com/sairam/gitnotify)) and the integration was straightforward (for OAuth).

**shark1337:** I'm looking for full auth system, but ty, I'll take a look ;).

**lumost:** I've had some fairly good luck with <https://github.com/markbates/goth> for integrating with various OAuth providers. But it doesn't include any stock user register/lockout mechanisms.

**alaskacodes:** I've used <https://github.com/ory/hydra> for a few things, and it seems really well put together so far.

**Hexodam:** Take a look at Bitly's oauth2 proxy

<https://github.com/bitly/oauth2_proxy>

It's not exactly what you are looking for but it's great for handling the basic oauth part outside of your code, then you should only need to handle the session management.
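Added example (not part of the thread, and not code from any package mentioned in it): a sketch of the pattern raised in the JWT exchange above, where the access token is stateless and short-lived and the refresh token lives in a server-side store that can be deleted. The HMAC-signed `user.expiry.mac` string stands in for a JWT, and every name here (`token`, `Verify`, `Login`, `Renew`, `refresh`) and the key are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var refresh = map[string]string{} // refresh token -> user; guard with a mutex in a server

// token (hypothetical helper) builds "user.expiry.mac"; user IDs must not contain ".".
func token(user string, exp int64) string {
	h := hmac.New(sha256.New, []byte("constructed-demo-key")) // constructed key, not a real secret
	fmt.Fprintf(h, "%s.%d", user, exp)
	return fmt.Sprintf("%s.%d.%x", user, exp, h.Sum(nil))
}

// Verify needs no store lookup, so an issued access token is good until it expires.
func Verify(tok string, now time.Time) (string, bool) {
	user, rest, _ := strings.Cut(tok, ".")
	expStr, _, _ := strings.Cut(rest, ".")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	return user, err == nil && now.Unix() < exp && hmac.Equal([]byte(tok), []byte(token(user, exp)))
}

// Login stores a random 256-bit refresh token server-side and returns it.
func Login(user string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	rt := fmt.Sprintf("%x", b)
	refresh[rt] = user
	return rt
}

// Renew mints a 5-minute access token while rt is in the store; delete(refresh, rt) revokes.
func Renew(rt string, now time.Time) (tok string) {
	if user, ok := refresh[rt]; ok {
		tok = token(user, now.Add(5*time.Minute).Unix())
	}
	return tok
}

func main() { fmt.Println(Renew(Login("alice"), time.Now())) }
```

Deleting the refresh entry stops renewal immediately, while access tokens already issued keep verifying until their expiry, so the access-token lifetime is the longest a revoked session can survive.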
