I’m currently making a small application and I’d like to learn how to add authentication to the application. My best guess is using cookies, but I’ve never really figured out authentication within any web application format and I’d like to change that. Right now I’m using Gin for routes, Render for templates, and Gorm for the database, if that changes the process.
My understanding of how to do this would be to create a cookie and store it in the database with a reference to the user, then when a user logs in, check to see whether that cookie is valid and matches. As for the middleware to control different views, I would validate that cookie and see if it matches a user.
I’m trying to accomplish basic password authentication along with middleware and some sort of role system, so admins can have access to certain things a normal user would not.
As of right now I have a simple User struct:
package main

import "gorm.io/gorm" // older projects import github.com/jinzhu/gorm; gorm.Model exists in both

// User is the account row; gorm.Model adds the ID, CreatedAt, UpdatedAt and DeletedAt columns.
type User struct {
	gorm.Model
	Email     string
	FirstName string
	LastName  string
	Role      string // e.g. "admin" or "user", checked by the middleware
	Password  string // should hold a password hash, never the plaintext
}
If anyone could point me in the right direction or help me out a bit, I would appreciate it, since I don’t want to mess up authentication or do something that may not be secure for my application.
There is much more to user authentication in a Web application than just cookie handling. I am not a Web auth expert (far from it!), but if you don’t mind spending some bucks, I recommend @joncalhoun’s eBook “Web Development with Go”, which has two excellent chapters on this topic.
If you don’t want to buy a book, you surely will also find tutorials on this on the Web. The point I am trying to make is that your question might seem a simple one but the answer is complex and would not fit into a forum comment.
There are two parts to authentication, the client side and the server side.
client side = cookies
server side = database
The user sends data in a form (username and password); it is validated against the database and a session ID is created in the backend. This session ID is set as a cookie in the user’s browser.
When a request hits a restricted URL, you read the “sessionID” from the cookie; if it is valid you allow access, otherwise you reject it.
I would recommend not getting into everything at once: first learn to build a webapp without using any framework and then move on to Gin and everything else; you’d be confused otherwise. If you are interested, you can read my book, which teaches writing webapps without using a framework and has a live webapp which you can learn from!
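The flow described in the reply above (form login checked against the user store, a random session ID kept server-side and handed to the browser as a cookie, middleware that resolves the cookie and checks the role), as an added example that is not from the original thread or any of the posters. It uses only the standard library: `net/http` handlers and in-memory maps stand in for Gin and Gorm (assumptions made so it runs offline), and the password KDF is a hand-written PBKDF2-HMAC-SHA256 so that no module download is needed; the function names `RegisterUser`, `Login` and `RequireRole` and the cookie name `sessionID` (taken from the reply) are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"sync"
	"time"
)

// user stands in for the Gorm User row; it holds a salt and a PBKDF2 hash, never the password.
type user struct {
	Email, Role  string
	Salt, PwHash []byte
}

// session is the server-side record that the random value in the cookie points at.
type session struct {
	Email, Role string
	Expires     time.Time
}

const sessionTTL, kdfIters = 24 * time.Hour, 50_000
var mu sync.Mutex                                              // guards users and sessions
var users, sessions = map[string]*user{}, map[string]session{} // in-memory stand-ins for the database tables (assumption)

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written out so the example needs only the standard library; a real app should use bcrypt or argon2id from golang.org/x/crypto.
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe salts or session IDs: refuse to continue
	}
	return b
}

// RegisterUser stores a fresh salt and the derived hash for the account.
func RegisterUser(email, password, role string) {
	salt := randomBytes(16)
	mu.Lock()
	users[email] = &user{Email: email, Role: role, Salt: salt, PwHash: pbkdf2([]byte(password), salt, kdfIters)}
	mu.Unlock()
}

// Login checks the form against the user store, creates a server-side session and sends the browser only the random session ID, in a cookie scripts cannot read and that only travels over HTTPS.
func Login(w http.ResponseWriter, r *http.Request) {
	mu.Lock()
	u, ok := users[r.FormValue("email")]
	mu.Unlock()
	if !ok || subtle.ConstantTimeCompare(pbkdf2([]byte(r.FormValue("password")), u.Salt, kdfIters), u.PwHash) != 1 {
		http.Error(w, "invalid credentials", http.StatusUnauthorized) // same reply for unknown user and wrong password
		return
	}
	id := base64.RawURLEncoding.EncodeToString(randomBytes(32)) // 256 random bits: not guessable or enumerable
	mu.Lock()
	sessions[id] = session{Email: u.Email, Role: u.Role, Expires: time.Now().Add(sessionTTL)}
	mu.Unlock()
	http.SetCookie(w, &http.Cookie{Name: "sessionID", Value: id, Path: "/", MaxAge: int(sessionTTL.Seconds()), HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
}

// RequireRole is the middleware for restricted routes: no live session gives 401, a session with the wrong role gives 403, and role "" admits any logged-in user.
func RequireRole(role string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var s, ok = session{}, false
		if c, err := r.Cookie("sessionID"); err == nil {
			mu.Lock()
			if s, ok = sessions[c.Value]; ok && time.Now().After(s.Expires) {
				delete(sessions, c.Value) // stale session: drop it and treat the request as logged out
				ok = false
			}
			mu.Unlock()
		}
		switch {
		case !ok:
			http.Error(w, "login required", http.StatusUnauthorized)
		case role != "" && s.Role != role:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next(w, r)
		}
	}
}
```

Wire it up with `http.HandleFunc("/login", Login)` and `http.HandleFunc("/admin", RequireRole("admin", adminHandler))`. The points that matter for security: the cookie carries nothing but a random identifier, so the user and role are always looked up server-side and cannot be tampered with; HttpOnly keeps the ID away from injected scripts, Secure keeps it off plain HTTP, and SameSite=Lax blunts CSRF; the hash comparison is constant-time and the login error does not reveal whether the e-mail exists; the server enforces its own expiry rather than trusting the cookie's. To move this onto Gin and Gorm, replace the two maps with queries on the User table and a sessions table keyed by the ID, and wrap `RequireRole` as a `gin.HandlerFunc` that calls `c.AbortWithStatus` on the two error paths.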