Go-Chi Boilerplate
Creating boilerplate for Go-chi with some good defaults.
Note
This repository is updated infrequently, as I backport changes from my other projects into this. However, at any given point, the repo should be considered a good starting point.
Features
- Fully documented codebase with GoDoc.
- Logging with zerolog
- Routing with go-chi
- OpenAPI with go-swagger
- Input Validation with go-playground/validator
- Sane HTTP Security Headers with secure
- Custom Redis Cache Middleware with go-redis
- Optional: Memcached implementation
- OAuth 2.0 client.
- Password hashing with bcrypt
- Token Grant
- Token Validation + RBAC
- Token Refresh
- Token Revoke
- JWT authentication.
Setup
Run make to see all available commands.
Install dependencies
cd server
make packages_installRun
cd server
make runNotes on Design Considerations
-
JWTIDs were used, but for the
refresh tokenonly. This is because therefresh tokenis persisted in therediscache, and therefore needs to be revoked.The access tokenis not persisted, and therefore does not need to be revoked. This has the following benefits:-
The
access tokendoesn't need to be validated against the DB or cache, on each request. And instead therefresh tokenrequires this only during a refresh. -
This avoids too many DB/cache lookups, and therefore improves performance.
-
You can however, choose to use JWTIDs for both the
access tokenandrefresh token, if you want to preventreplay attacks.
-
Notes on storage of JWTs
-
The API returns both an
access tokenand arefresh token, it is recommended that theaccess tokenis stored in memory, and therefresh tokenis stored in a cookie with thesecure&http-onlyflags set. -
The
refresh tokenis also persisted in therediscache for validation and revocation. -
Persisting the
access tokenin memory, means that the token is not persisted across browser restarts, and is therefore more secure. -
Your client should refresh the
access tokenwhen it expires, using therefresh tokenstored in the cookie. -
In case of higher security requirements, you can follow one of the following patterns:
-
Use a
refresh tokenwith a short expiry time, and refresh therefresh tokenon every request. -
Omit the
refresh tokenentirely, and use a short livedaccess token, and prompt the user to login again when theaccess tokenexpires.
-
-
You may also consider using JWTIDs, to prevent replay attacks.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent