Auth server

This is a basic authentication server that handles sign-up, login, and all the associated session management that comes with it.

To start the server add .env file in the format as shown below and run

go run main.go

.env file example

HOST_SERVER=smtp.example.com
EMAIL_PORT=465
EMAIL_DOMAIN=example.com
EMAIL_USER=example@example.com
EMAIL_PASS=example

JWT_KEY=example

PORT=3001

MAINDB_PASS=password123

CACHE_PASS=password123

TODO list

Add appropriate headers against XSS attacks
Add tests
Add input validation for login
Add input validation for registration
Add request-rate limiting against DDOS attacks
Add Authorization header
Implement max-retries for login
Ensure HTTPS is used

Things to be aware of

Validate content-type on request Accept header (Content Negotiation) to allow only your supported format (e.g., application/xml, application/json, etc.) and respond with 406 Not Acceptable response if not matched.
Use response type: application/json and charset=utf-8
Use appropriate headers
- X-Content-Type-Options: nosniff
- X-Frame-Options: deny
- X-XSS-Protection: 0
- Cache-Control: 'no-store'
- Content-Security-Policy: default-src 'none' frame-ancestors 'none'; sandbox
- Server: ''
Don't use GET request to alter state on the server. They are usually assumed to be safe by the browser.
Beware of timing attacks - make sure that the comparisons happen in constant time.
Use encrypted keystore instead of .env file

Request handling in order

(Rate Limiter) If exceeds server computational capabilities, ignore the request
Deal with CORS if needed
- Check if it's preflight, set Origin related headers
Enforce that POST requests must be of type application/json (otherwise return 415)
Set response headers
- X-Content-Type-Options: nosniff
- X-Frame-Options: deny
- X-XSS-Protection: 0
- Cache-Control: 'no-store'
- Content-Security-Policy: default-src 'none' frame-ancestors 'none'; sandbox
- Server: ''
Authenticate incoming response
Validate token
Enable logging (log incomming request as well as the outgoing response before it's sent)
API handlers go here
Respond with Not Found 404

Things to store in JWT

{
  "alg": "HS256"
}
{
  "sub": "username",
  "aud": "https://localhost:3001",
  "exp": 125843646247,
  "attrs": {}
}
Base64-encoded key

Potentially useful technologies

etcd - distributed key-value store that provides a reliable way to store data that needs to be accessed by a distributed system or cluster of machines.

Name		Name	Last commit message	Last commit date
Latest commit History 25 Commits
.vscode		.vscode
config		config
controllers		controllers
database		database
middlewares		middlewares
models		models
rest		rest
templates		templates
token		token
views		views
.gitignore		.gitignore
Dockerfile		Dockerfile
README.md		README.md
docker-compose.yml		docker-compose.yml
go.mod		go.mod
go.sum		go.sum
init.sql		init.sql
main.go		main.go
main_test.go		main_test.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Auth server

.env file example

TODO list

Things to be aware of

Request handling in order

Things to store in JWT

Potentially useful technologies

About

Releases

Packages

Languages

kasparas-ban/jwt-auth

Folders and files

Latest commit

History

Repository files navigation

Auth server

.env file example

TODO list

Things to be aware of

Request handling in order

Things to store in JWT

Potentially useful technologies

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages