MCPcopy Index your code
hub / github.com/aarondl/authboss

github.com/aarondl/authboss @v3.5.3 sqlite

repository ↗ · DeepWiki ↗ · release v3.5.3 ↗
987 symbols 3,978 edges 95 files 485 documented · 49% 4 cross-repo links
README

Authboss

GoDoc ActionsCI Mail Go Coverage Go Report Card

Authboss is a modular authentication system for the web.

It has several modules that represent authentication and authorization features that are common to websites in general so that you can enable as many as you need, and leave the others out. It makes it easy to plug in authentication to an application and get a lot of functionality for (hopefully) a smaller amount of integration effort.

New to v2?

v1 -> v2 was a very big change. If you're looking to upgrade there is a general guide in tov2.md in this project.

New to v3?

v2 -> v3 was not a big change, it simply changed the project to use Go modules. Authboss no longer supports GOPATH as of version 3

Why use Authboss?

Every time you'd like to start a new web project, you really want to get to the heart of what you're trying to accomplish very quickly and it would be a sure bet to say one of the systems you're excited about implementing and innovating on is not authentication. In fact it's very much the opposite: it's one of those things that you have to do and one of those things you loathe to do. Authboss is supposed to remove a lot of the tedium that comes with this, as well as a lot of the chances to make mistakes. This allows you to care about what you're intending to do, rather than care about ancillary support systems required to make what you're intending to do happen.

Here are a few bullet point reasons you might like to try it out:

  • Saves you time (Authboss integration time should be less than re-implementation time)
  • Saves you mistakes (at least using Authboss, people can bug fix as a collective and all benefit)
  • Should integrate with or without any web framework

Click Here To Get Started

Readme Table of Contents

Getting Started

To get started with Authboss in the simplest way, is to simply create a Config, populate it with the things that are required, and start implementing use cases. The use cases describe what's required to be able to use a particular piece of functionality, or the best practice when implementing a piece of functionality. Please note the app requirements for your application as well integration requirements that follow.

Of course the standard practice of fetching the library is just the beginning:

# Get the latest, you must be using Go modules as of v3 of Authboss.
go get -u github.com/aarondl/authboss/v3

Here's a bit of starter code that was stolen from the sample.

ab := authboss.New()

ab.Config.Storage.Server = myDatabaseImplementation
ab.Config.Storage.SessionState = mySessionImplementation
ab.Config.Storage.CookieState = myCookieImplementation

ab.Config.Paths.Mount = "/authboss"
ab.Config.Paths.RootURL = "https://www.example.com/"

// This is using the renderer from: github.com/aarondl/authboss
ab.Config.Core.ViewRenderer = abrenderer.NewHTML("/auth", "ab_views")
// Probably want a MailRenderer here too.


// This instantiates and uses every default implementation
// in the Config.Core area that exist in the defaults package.
// Just a convenient helper if you don't want to do anything fancy.
 defaults.SetCore(&ab.Config, false, false)

if err := ab.Init(); err != nil {
    panic(err)
}

// Mount the router to a path (this should be the same as the Mount path above)
// mux in this example is a chi router, but it could be anything that can route to
// the Core.Router.
mux.Mount("/authboss", http.StripPrefix("/authboss", ab.Config.Core.Router))

For a more in-depth look you definitely should look at the authboss sample to see what a full implementation looks like. This will probably help you more than any of this documentation.

https://github.com/aarondl/authboss-sample

App Requirements

Authboss does a lot of things, but it doesn't do some of the important things that are required by a typical authentication system, because it can't guarantee that you're doing many of those things in a different way already, so it punts the responsibility.

CSRF Protection

What this means is you should apply a middleware that can protect the application from csrf attacks or you may be vulnerable. Authboss previously handled this but it took on a dependency that was unnecessary and it complicated the code. Because Authboss does not render views nor consumes data directly from the user, it no longer does this.

Request Throttling

Currently Authboss is vulnerable to brute force attacks because there are no protections on it's endpoints. This again is left up to the creator of the website to protect the whole website at once (as well as Authboss) from these sorts of attacks.

Integration Requirements

In terms of integrating Authboss into your app, the following things must be considered.

Middleware

There are middlewares that are required to be installed in your middleware stack if it's all to function properly, please see Middlewares for more information.

Configuration

There are some required configuration variables that have no sane defaults and are particular to your app:

  • Config.Paths.Mount
  • Config.Paths.RootURL

Storage and Core implementations

Everything under Config.Storage and Config.Core are required and you must provide them, however you can optionally use default implementations from the defaults package. This also provides an easy way to share implementations of certain stack pieces (like HTML Form Parsing). As you saw in the example above these can be easily initialized with the SetCore method in that package.

The following is a list of storage interfaces, they must be provided by the implementer. Server is a very involved implementation, please see the additional documentation below for more details.

  • Config.Storage.Server
  • Config.Storage.SessionState
  • Config.Storage.CookieState (only for "remember me" functionality)

The following is a list of the core pieces, these typically are abstracting the HTTP stack. Out of all of these you'll probably be mostly okay with the default implementations in the defaults package but there are two big exceptions to this rule and that's the ViewRenderer and the MailRenderer. For more information please see the use case Rendering Views

  • Config.Core.Router
  • Config.Core.ErrorHandler
  • Config.Core.Responder
  • Config.Core.Redirector
  • Config.Core.BodyReader
  • Config.Core.ViewRenderer
  • Config.Core.MailRenderer
  • Config.Core.Mailer
  • Config.Core.Logger

ServerStorer implementation

The ServerStorer is meant to be upgraded to add capabilities depending on what modules you'd like to use. It starts out by only knowing how to save and load users, but the remember module as an example needs to be able to find users by remember me tokens, so it upgrades to a RememberingServerStorer which adds these abilities.

Your ServerStorer implementation does not need to implement all these additional interfaces unless you're using a module that requires it. See the Use Cases documentation to know what the requirements are.

User implementation

Users in Authboss are represented by the User interface. The user interface is a flexible notion, because it can be upgraded to suit the needs of the various modules.

Initially the User must only be able to Get/Set a PID or primary identifier. This allows the authboss modules to know how to refer to him in the database. The ServerStorer also makes use of this to save/load users.

As mentioned, it can be upgraded, for example suppose now we want to use the confirm module, in that case the e-mail address now becomes a requirement. So the confirm module will attempt to upgrade the user (and panic if it fails) to a ConfirmableUser which supports retrieving and setting of confirm tokens, e-mail addresses, and a confirmed state.

Your User implementation does not need to implement all these additional user interfaces unless you're using a module that requires it. See the Use Cases documentation to know what the requirements are.

Values implementation

The BodyReader interface in the Config returns Validator implementations which can be validated. But much like the storer and user it can be upgraded to add different capabilities.

A typical BodyReader (like the one in the defaults package) implementation checks the page being requested and switches on that to parse the body in whatever way (msgpack, json, url-encoded, doesn't matter), and produce a struct that has the ability to Validate() it's data as well as functions to retrieve the data necessary for the particular valuer required by the module.

An example of an upgraded Valuer is the UserValuer which stores and validates the PID and Password that a user has provided for the modules to use.

Your body reader implementation does not need to implement all valuer types unless you're using a module that requires it. See the Use Cases documentation to know what the requirements are.

Config

The config struct is an important part of Authboss. It's the key to making Authboss do what you want with the implementations you want. Please look at it's code definition as you read the documentation below, it will make much more sense.

Config Struct Documentation

Paths

Paths are the paths that should be redirected to or used in whatever circumstance they describe. Two special paths that are required are Mount and RootURL without which certain authboss modules will not function correctly. Most paths get defaulted to / such as after login success or when a user is locked out of their account.

Modules

Modules are module specific configuration options. They mostly control the behavior of modules. For example RegisterPreserveFields decides a whitelist of fields to allow back into the data to be re-rendered so the user doesn't have to type them in again.

Mail

Mail sending related options.

Storage

These are the implementations of how storage on the server and the client are done in your app. T

Extension points exported contracts — how you extend this code

UserValuer (Interface)
UserValuer allows us to pull out the PID and Password from the request. [6 implementers]
values.go
ClientState (Interface)
ClientState represents the client's current state and can answer queries about it. [7 implementers]
client_state.go
Moduler (Interface)
Moduler should be implemented by all the authboss modules. [11 implementers]
module.go
ServerStorer (Interface)
ServerStorer represents the data store that's capable of loading users and giving them a context with which to store the [5 …
storage.go
Logger (Interface)
Logger is the basic logging structure that's required [5 implementers]
logger.go
Validator (Interface)
Validator takes a form name and a set of inputs and returns any validation errors for the inputs. [5 implementers]
validation.go
Mailer (Interface)
Mailer is a type that is capable of sending an e-mail. [5 implementers]
mailer.go
EmailVerifyTokenValuer (Interface)
EmailVerifyTokenValuer returns a token from the body [5 implementers]
otp/twofactor/twofactor_verify.go

Core symbols most depended-on inside this repo

Error
called by 782
logger.go
New
called by 92
storage.go
Request
called by 77
mocks/mocks.go
NewResponse
called by 69
client_state.go
Infof
called by 59
logger.go
Localizef
called by 58
localizer.go
Wrap
called by 55
errors.go
Errorf
called by 53
logger.go

Shape

Method 484
Function 338
Struct 103
Interface 52
TypeAlias 9
FuncType 1

Languages

Go100%

Modules by API surface

mocks/mocks.go126 symbols
mocks_test.go68 symbols
user.go57 symbols
client_state.go41 symbols
defaults/values.go25 symbols
values.go23 symbols
storage.go22 symbols
otp/otp_test.go22 symbols
otp/twofactor/totp2fa/totp.go19 symbols
otp/twofactor/sms2fa/sms.go19 symbols
otp/twofactor/totp2fa/totp_test.go18 symbols
otp/otp.go17 symbols

Dependencies from manifests, versioned

cloud.google.com/gov0.34.0 · 1×
github.com/boombuler/barcodev1.0.1 · 1×
github.com/friendsofgo/errorsv0.9.2 · 1×
golang.org/x/cryptov0.45.0 · 1×
golang.org/x/oauth2v0.30.0 · 1×
golang.org/x/xerrorsv0.0.0-2022090717135 · 1×

For agents

$ claude mcp add authboss \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact