[DEPRECATED] Go package authcookie implements creation and verification of signed authentication cookies.

Overview

Package authcookie

import "github.com/dchest/authcookie"

Package authcookie implements creation and verification of signed authentication cookies.

Cookie is a Base64 encoded (using URLEncoding, from RFC 4648) string, which consists of concatenation of expiration time, login, and signature:

expiration time || login || signature

where expiration time is the number of seconds since Unix epoch UTC indicating when this cookie must expire (4 bytes, big-endian, uint32), login is a byte string of arbitrary length (at least 1 byte, not null-terminated), and signature is 32 bytes of HMAC-SHA256(expiration_time || login, k), where k = HMAC-SHA256(expiration_time || login, secret key).

Example:

secret := []byte("my secret key")

// Generate cookie valid for 24 hours for user "bender"
cookie := authcookie.NewSinceNow("bender", 24 * time.Hour, secret)

// cookie is now:
// Tajh02JlbmRlcskYMxowgwPj5QZ94jaxhDoh3n0Yp4hgGtUpeO0YbMTY
// send it to user's browser..

// To authenticate a user later, receive cookie and:
login := authcookie.Login(cookie, secret)
if login != "" {
	// access for login granted
} else {
	// access denied
}

Note that login and expiration time are not encrypted, they are only signed and Base64 encoded.

Variables

var (
    ErrMalformedCookie = errors.New("malformed cookie")
    ErrWrongSignature  = errors.New("wrong cookie signature")
)


var MinLength = base64.URLEncoding.EncodedLen(decodedMinLength)

MinLength is the minimum allowed length of cookie string.

It is useful for avoiding DoS attacks with too long cookies: before passing a cookie to Parse or Login functions, check that it has length less than the [maximum login length allowed in your application] + MinLength.

Functions

func Login

func Login(cookie string, secret []byte) string

Login returns a valid login extracted from the given cookie and verified using the given secret key. If verification fails or the cookie expired, the function returns an empty string.

func New

func New(login string, expires time.Time, secret []byte) string

New returns a signed authentication cookie for the given login, expiration time, and secret key. If the login is empty, the function returns an empty string.

func NewNoPadding

func NewNoPadding(login string, expires time.Time, secret []byte) string

NewNoPadding is like New but returns cookie encoded without base64 padding characters.

func NewSinceNow

func NewSinceNow(login string, dur time.Duration, secret []byte) string

NewSinceNow returns a signed authetication cookie for the given login, duration time since current time, and secret key.

func Parse

func Parse(cookie string, secret []byte) (login string, expires time.Time, err error)

Parse verifies the given cookie with the secret key and returns login and expiration time extracted from the cookie. If the cookie fails verification or is not well-formed, the function returns an error.

Callers must:

  1. Check for the returned error and deny access if it's present.

  2. Check the returned expiration time and deny access if it's in the past.

You might also like...
Golang based User creation and Management application. GORM, Fiber, JWT

User Creation and Management app (BACK-END) Auth Features: Create Clients (regular password + 6 one-time passwords + (optional) QR code and Secret for

Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.

Goth: Multi-Provider Authentication for Go Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applic

Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.

❗ Cache package has been moved to libcache repository Go-Guardian Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to

Basic and Digest HTTP Authentication for golang http

HTTP Authentication implementation in Go This is an implementation of HTTP Basic and HTTP Digest authentication in Go language. It is designed as a si

Simple authentication and books management with GoFiber

Simple authentication and books management with GoFiber Simple authentication system with gofiber. Endpoints GET /api - Welcome message POST /api/auth

A collection of authentication Go packages related to OIDC, JWKs and Distributed Claims.

cap (collection of authentication packages) provides a collection of related packages which enable support for OIDC, JWT Verification and Distributed Claims.

An imaginary authentication and session tracking service that is defined in this Apiary

Userland This repository contains impelementation of "Userland" on boarding project Userland is an imaginary authentication and session tracking servi

A demo of authentication and authorization using jwt
A demo of authentication and authorization using jwt

Nogopy Hi, this a demo of how to use jwt for authentication in microservices Keep in mind that this is a demo of how to authenticate using jwt, we don

Server bridging Google's OAuth and service using Radius for authentication

Fringe Fringe is an easy workaround for Google Workplace users who need a Radius server to perform authentication on behalf of other services (e.g. 80

Comments
  • Dep use older version of this code because of the tag v1

    Dep use older version of this code because of the tag v1

    dep clones github.com/dchest/passwordreset and fetch the dependencies for it which is this package, however, because of the incorrect tagging the oldest tag v1 is use as reference point.

    opened by shackra 4
  • token gen no padding version

    token gen no padding version

    Parse and ParseNoPadding works both on padded and no padded tokes so probably this functions can be left unchanged, but to be clear better to follow API on both ecrypt/decrypt sides.

    opened by theromis 2
  • update to latest weekly API

    update to latest weekly API

    Hi - thanks for this package. I've updated to the latest weekly API and made a small adjustment to the API to use time.Time instead of int64 to represent expiration dates.

    One question remaining is whether it would be preferable to encode timestamps using 8 bytes, so that they're not truncated to 4 bytes as they are now. Thoughts?

    opened by liamstask 1
Owner
Dmitry Chestnykh
Founder of @coding-robots. Invented "I Write Like". Previously created BlogJet (acquired) and StableLib. Interested in cryptography and perfect code.
Dmitry Chestnykh
Authorization and authentication. Learning go by writing a simple authentication and authorization service.

Authorization and authentication. Learning go by writing a simple authentication and authorization service.

Dinesh Bhattarai 0 Aug 5, 2022
🍪CookieMonster is a command-line tool and API for decoding and modifying vulnerable session cookies from several different frameworks.

?? CookieMonster CookieMonster is a command-line tool and API for decoding and modifying vulnerable session cookies from several different frameworks.

Ian Carroll 481 Nov 21, 2022
Authelia: an open-source authentication and authorization server providing two-factor authentication

Authelia is an open-source authentication and authorization server providing two

Streato 0 Jan 5, 2022
Sign, encrypt and authenticate http cookies with golang

ecookie sign, encrypt and authenticate cookies with golang... this package uses rabbit cipher to encrypt and blake2 hash function in order to authenti

Sina Ghaderi 5 Feb 3, 2022
Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Paul Greenberg 643 Nov 27, 2022
A simple passwordless authentication middleware that uses only email as the authentication provider

email auth A simple passwordless authentication middleware that uses only email as the authentication provider. Motivation I wanted to restrict access

Miroslav Šedivý 5 Jul 27, 2022
Microservice generates pair of access and refresh JSON web tokens signed by user identifier.

go-jwt-issuer Microservice generates pair access and refresh JSON web tokens signed by user identifier. ?? Deployed on Heroku Run tests: export SECRET

Oleksii Velychko 29 Nov 21, 2022
Query browser cookies for golang

browser cookie query Only supported temporarily macOS,theoretically,it supports all chromium browsers valid browser : Edge Chrome Installation exec go

dmls 1 Dec 12, 2021
Ginx - Evilginx2 - A man-in-the-middle attack framework used for phishing login credentials along with session cookies

evilginx2 is a man-in-the-middle attack framework used for phishing login creden

null 2 Mar 19, 2022
Create the Provider for Zoom API and automate the creation of zoom user using terraform.

Create the Provider for Zoom API and automate the creation of zoom user using terraform.

ashish dhodria 3 Sep 7, 2022