httpauth currently provides HTTP Basic Authentication middleware for Go. It is compatible with Go's own net/http, goji, Gin & anything that speaks the http.Handler interface.
Example
httpauth provides a SimpleBasicAuth function to get you up and running. Particularly ideal for development servers.
Note that HTTP Basic Authentication credentials are sent over the wire "in the clear" (read: plaintext!) and therefore should not be considered a robust way to secure a HTTP server. If you're after that, you'll need to use SSL/TLS ("HTTPS") at a minimum.
Install It
$ go get github.com/goji/httpauth
Goji v2
Simple Usage
The fastest and simplest way to get started using httpauth is to use the
SimpleBasicAuth function.
package main import( "net/http" "goji.io" ) func main() { mux := goji.NewMux() mux.Use(httpauth.SimpleBasicAuth("dave", "somepassword")) mux.Use(SomeOtherMiddleware) // YourHandler now requires HTTP Basic Auth mux.Handle(pat.Get("/some-route"), YourHandler)) log.Fatal(http.ListenAndServe("localhost:8000", mux)) }
Advanced Usage
For more control over the process, pass a AuthOptions struct to BasicAuth instead. This allows you to:
- Configure the authentication realm.
- Provide your own UnauthorizedHandler (anything that satisfies
http.Handler) so you can return a better looking 401 page. - Define a custom authentication function, which is discussed in the next section.
func main() { authOpts := httpauth.AuthOptions{ Realm: "DevCo", User: "dave", Password: "plaintext!", UnauthorizedHandler: myUnauthorizedHandler, } mux := goji.NewMux() mux.Use(BasicAuth(authOpts)) mux.Use(SomeOtherMiddleware) mux.Handle(pat.Get("/some-route"), YourHandler)) log.Fatal(http.ListenAndServe("localhost:8000", mux)) }
Custom Authentication Function
httpauth will accept a custom authentication function.
Normally, you would not set AuthOptions.User nor AuthOptions.Password in this scenario.
You would instead validate the given credentials against an external system such as a database.
The contrived example below is for demonstration purposes only.
func main() { authOpts := httpauth.AuthOptions{ Realm: "DevCo", AuthFunc: myAuthFunc, UnauthorizedHandler: myUnauthorizedHandler, } mux := goji.NewMux() mux.Use(BasicAuth(authOpts)) mux.Use(SomeOtherMiddleware) mux.Handle(pat.Get("/some-route"), YourHandler)) log.Fatal(http.ListenAndServe("localhost:8000", mux)) } // myAuthFunc is not secure. It checks to see if the password is simply // the username repeated three times. func myAuthFunc(user, pass string, r *http.Request) bool { return pass == strings.Repeat(user, 3) }
gorilla/mux
Since it's all http.Handler, httpauth works with gorilla/mux (and most other routers) as well:
package main import ( "net/http" "github.com/goji/httpauth" "github.com/gorilla/mux" ) func main() { r := mux.NewRouter() r.HandleFunc("/", YourHandler) http.Handle("/", httpauth.SimpleBasicAuth("dave", "somepassword")(r)) http.ListenAndServe(":7000", nil) } func YourHandler(w http.ResponseWriter, r *http.Request) { w.Write([]byte("Gorilla!\n")) }
net/http
If you're using vanilla net/http:
package main import( "net/http" "github.com/goji/httpauth" ) func main() { http.Handle("/", httpauth.SimpleBasicAuth("dave", "somepassword")(http.HandlerFunc(YourHandler))) http.ListenAndServe(":7000", nil) }
Contributing
Send a pull request! Note that features on the (informal) roadmap include HTTP Digest Auth.
License
MIT Licensed. See the LICENSE file for details.