User Authentication in Go

agolangf · · 510 次点击    
这是一个分享于 的资源,其中的信息可能已经有所发展或是发生改变。
<p>I&#39;ve started a new project and looking for a good package to implement user authentification. I&#39;m not really looking to implement it by myself since there could be possible security issues. What I&#39;m really looking for is a package similar to <a href="http://passportjs.org/">passport-js</a> that implements vanilla authentication with register/login methods (no auth0 needed). I&#39;ve been checking the awesome-go list and <a href="https://github.com/go-authboss/authboss">authboss</a> seems to do it, but it has a covarage of 73% on github..</p> <p>TL;DR Looking for a well test package to implement vanilla authentication with login/register methods..</p> <hr/>**评论:**<br/><br/>tscs37: <pre><p>73% is not a bad coverage and afaik the authboss package works very well.</p> <p>I recommend to drop looking at raw testing metrics as a measurement of package quality, it&#39;s not possible to test 100% of all code.</p> <p>Instead, you should look at what is and isn&#39;t tested and how.</p></pre>Muchoz: <pre><p>Exactly this. It&#39;s not because the code has coverage that it is bug free. I can have 100% coverage and have the most insecure library.</p></pre>NikkoTheGreeko: <pre><p>Just talk nice to it and complement it more often.</p></pre>alireza94: <pre><p>In this regard, <a href="https://xinhuang.github.io/posts/2017-02-27-the-epic-fail-of-enforcing-unit-tests.html">The Epic Fail of Enforcing Unit Tests</a>.</p></pre>thewhitetulip: <pre><p>I don&#39;t think you should start with oAuth, start with implementing your own version using gorilla/sessions for stateful and JWT tokens for RESTful API, you can read more about them here, <a href="https://github.com/thewhitetulip/web-dev-golang-anti-textbook/blob/master/manuscript/4.0authentication.md">https://github.com/thewhitetulip/web-dev-golang-anti-textbook/blob/master/manuscript/4.0authentication.md</a></p></pre>Yojihito: <pre><p>JWT tokens can&#39;t be revoked ....</p></pre>mcouturier: <pre><p>Use a short lived one and revoke the refresh token</p></pre>xyproto: <pre><p><a href="https://github.com/xyproto/permissions2" rel="nofollow">permissions2</a> uses bcrypt, secure cookies and redis. It&#39;s easy to get started with, fast and hashes passwords in a way that may prevent timing attacks.</p> <p>Disclaimer: it&#39;s written by me, but it&#39;s fairly popular on github.</p></pre>Keshenka: <pre><p>Nice documentation. The examples were very helpful.</p></pre>sairamk: <pre><p>I recently came across <a href="https://github.com/namsral/multipass" rel="nofollow">MultiPass</a> if you are looking for a username type auth without a password which I was planning to use for my next project. </p> <p>I use <a href="https://github.com/mbates/goth" rel="nofollow">Goth</a> for a hosted project(<a href="https://github.com/sairam/gitnotify" rel="nofollow">GitNotify</a>) and it the integration was straight forward (for OAuth). </p></pre>shark1337: <pre><p>I&#39;m lookinf for full auth system, but ty, I&#39;ll take a look ;). </p></pre>lumost: <pre><p>I&#39;ve had some fairly good luck with <a href="https://github.com/markbates/goth" rel="nofollow">https://github.com/markbates/goth</a> for integrating with various OAuth providers. But it doesn&#39;t include any stock user register/lockout mechanisms.</p></pre>alaskacodes: <pre><p>I&#39;ve used <a href="https://github.com/ory/hydra" rel="nofollow">https://github.com/ory/hydra</a> for a few things, and it seems really well put together so far.</p></pre>Hexodam: <pre><p>Take a look at Bitly&#39;s oauth2 proxy</p> <p><a href="https://github.com/bitly/oauth2_proxy" rel="nofollow">https://github.com/bitly/oauth2_proxy</a></p> <p>It&#39;s not exactly what you are looking for but its great for handling the basic oauth part outside of your code, then you should only need to handle the session management.</p></pre>

入群交流(和以上内容无关):加入Go大咖交流群,或添加微信:liuxiaoyan-s 备注:入群;或加QQ群:692541889

510 次点击  
加入收藏 微博
暂无回复
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传