<img src="http://i.imgur.com/fPIgqLg.jpg"/>

Authboss

Authboss is a modular authentication system for the web.

It has several modules that represent authentication and authorization features that are common to websites in general so that you can enable as many as you need, and leave the others out. It makes it easy to plug in authentication to an application and get a lot of functionality for (hopefully) a smaller amount of integration effort.

New to v2?

v1 -> v2 was a very big change. If you're looking to upgrade there is a general guide in tov2.md in this project.

New to v3?

v2 -> v3 was not a big change, it simply changed the project to use Go modules. Authboss no longer supports GOPATH as of version 3

Why use Authboss?

Every time you'd like to start a new web project, you really want to get to the heart of what you're trying to accomplish very quickly and it would be a sure bet to say one of the systems you're excited about implementing and innovating on is not authentication. In fact it's very much the opposite: it's one of those things that you have to do and one of those things you loathe to do. Authboss is supposed to remove a lot of the tedium that comes with this, as well as a lot of the chances to make mistakes. This allows you to care about what you're intending to do, rather than care about ancillary support systems required to make what you're intending to do happen.

Here are a few bullet point reasons you might like to try it out:

• Saves you time (Authboss integration time should be less than re-implementation time)
• Saves you mistakes (at least using Authboss, people can bug fix as a collective and all benefit)
• Should integrate with or without any web framework

Click Here To Get Started

Readme Table of Contents

<!-- TOC -->

• Authboss
• New to v2?
• New to v3?
• Why use Authboss?
• Readme Table of Contents
• Getting Started
  • App Requirements
    • CSRF Protection
    • Request Throttling
  • Integration Requirements
    • Middleware
    • Configuration
    • Storage and Core implementations
    • ServerStorer implementation
    • User implementation
    • Values implementation
  • Config
    • Paths
    • Modules
    • Mail
    • Storage
    • Core
• Available Modules
• Middlewares
• Use Cases
  • Get Current User
  • Reset Password
  • User Auth via Password
  • User Auth via OAuth1
  • User Auth via OAuth2
  • User Registration
  • Confirming Registrations
  • Password Recovery
  • Remember Me
  • Locking Users
  • Expiring User Sessions
  • One Time Passwords
  • Two Factor Authentication
    • Two-Factor Recovery
    • Two-Factor Setup E-mail Authorization
    • Time-Based One Time Passwords 2FA (totp)
      • Adding 2fa to a user
      • Removing 2fa from a user
      • Logging in with 2fa
      • Using Recovery Codes
    • Text Message 2FA (sms)
      • Adding 2fa to a user
      • Removing 2fa from a user
      • Logging in with 2fa
      • Using Recovery Codes
  • Rendering Views
    • HTML Views
    • JSON Views
    • Data

<!-- /TOC -->

Getting Started

To get started with Authboss in the simplest way, is to simply create a Config, populate it with the things that are required, and start implementing use cases. The use cases describe what's required to be able to use a particular piece of functionality, or the best practice when implementing a piece of functionality. Please note the app requirements for your application as well integration requirements that follow.

Of course the standard practice of fetching the library is just the beginning:

# Get the latest, you must be using Go modules as of v3 of Authboss.
go get -u github.com/aarondl/authboss/v3

Here's a bit of starter code that was stolen from the sample.

ab := authboss.New()

ab.Config.Storage.Server = myDatabaseImplementation
ab.Config.Storage.SessionState = mySessionImplementation
ab.Config.Storage.CookieState = myCookieImplementation

ab.Config.Paths.Mount = "/authboss"
ab.Config.Paths.RootURL = "https://www.example.com/"

// This is using the renderer from: github.com/aarondl/authboss
ab.Config.Core.ViewRenderer = abrenderer.NewHTML("/auth", "ab_views")
// Probably want a MailRenderer here too.


// This instantiates and uses every default implementation
// in the Config.Core area that exist in the defaults package.
// Just a convenient helper if you don't want to do anything fancy.
 defaults.SetCore(&ab.Config, false, false)

if err := ab.Init(); err != nil {
    panic(err)
}

// Mount the router to a path (this should be the same as the Mount path above)
// mux in this example is a chi router, but it could be anything that can route to
// the Core.Router.
mux.Mount("/authboss", http.StripPrefix("/authboss", ab.Config.Core.Router))

For a more in-depth look you definitely should look at the authboss sample to see what a full implementation looks like. This will probably help you more than any of this documentation.

https://github.com/aarondl/authboss-sample

App Requirements

Authboss does a lot of things, but it doesn't do some of the important things that are required by a typical authentication system, because it can't guarantee that you're doing many of those things in a different way already, so it punts the responsibility.

CSRF Protection

What this means is you should apply a middleware that can protect the application from csrf attacks or you may be vulnerable. Authboss previously handled this but it took on a dependency that was unnecessary and it complicated the code. Because Authboss does not render views nor consumes data directly from the user, it no longer does this.

Request Throttling

Currently Authboss is vulnerable to brute force attacks because there are no protections on it's endpoints. This again is left up to the creator of the website to protect the whole website at once (as well as Authboss) from these sorts of attacks.

Integration Requirements

In terms of integrating Authboss into your app, the following things must be considered.

Middleware

There are middlewares that are required to be installed in your middleware stack if it's all to function properly, please see Middlewares for more information.

Configuration

There are some required configuration variables that have no sane defaults and are particular to your app:

• Config.Paths.Mount
• Config.Paths.RootURL

Storage and Core implementations

Everything under Config.Storage and Config.Core are required and you must provide them, however you can optionally use default implementations from the defaults package. This also provides an easy way to share implementations of certain stack pieces (like HTML Form Parsing). As you saw in the example above these can be easily initialized with the SetCore method in that package.

The following is a list of storage interfaces, they must be provided by the implementer. Server is a very involved implementation, please see the additional documentation below for more details.

• Config.Storage.Server
• Config.Storage.SessionState
• Config.Storage.CookieState (only for "remember me" functionality)

The following is a list of the core pieces, these typically are abstracting the HTTP stack. Out of all of these you'll probably be mostly okay with the default implementations in the defaults package but there are two big exceptions to this rule and that's the ViewRenderer and the MailRenderer. For more information please see the use case Rendering Views

• Config.Core.Router
• Config.Core.ErrorHandler
• Config.Core.Responder
• Config.Core.Redirector
• Config.Core.BodyReader
• Config.Core.ViewRenderer
• Config.Core.MailRenderer
• Config.Core.Mailer
• Config.Core.Logger

ServerStorer implementation

The [ServerStorer](https://pkg.go.dev/github.com/aarondl/authboss