:key: Secure alternative to JWT. Authenticated Encrypted API Tokens for Go.

Overview

branca

Build Status Go Report Card GoDoc

branca is a secure alternative to JWT, This implementation is written in pure Go (no cgo dependencies) and implements the branca token specification.

Requirements

Go 1.13+

Install

go get -u github.com/hako/branca

Example

package main

import (
	"fmt"
	"github.com/hako/branca"
)

func main() {
	b := branca.NewBranca("supersecretkeyyoushouldnotcommit") // This key must be exactly 32 bytes long.
	
	// Encode String to Branca Token.
	token, err := b.EncodeToString("Hello world!")
	if err != nil {
		fmt.Println(err)
	}
				
    //b.SetTTL(3600) // Uncomment this to set an expiration (or ttl) of the token (in seconds).
    //token = "87y8daMzSkn7PA7JsvrTT0JUq1OhCjw9K8w2eyY99DKru9FrVKMfeXWW8yB42C7u0I6jNhOdL5ZqL" // This token will be not allowed if a ttl is set.
	
	// Decode Branca Token.
	message, err := b.DecodeToString(token)
	if err != nil {
		fmt.Println(err) // token is expired.
		return
	}
	fmt.Println(token) // 87y8da....
	fmt.Println(message) // Hello world!
}

Todo

Here are a few things that need to be done:

  • Remove cgo dependencies.
  • Move to a pure XChaCha20 algorithm in Go.
  • Add more tests than just acceptance tests.
  • Increase test coverage.
  • Additional Methods. (Encode, Decode []byte)
  • Performance benchmarks.
  • More comments, examples and documentation.

Contributing

Contributions are welcome! Fork this repo and add your changes and submit a PR.

If you would like to fix a bug, add a feature or provide feedback you can do so in the issues section.

You can run tests by runnning go test. Running go test; go vet; golint is recommended.

License

MIT

Comments
  • Export sentinel package errors

    Export sentinel package errors

    Before this PR, the only way to explicitly check which error occurred was to test against the actual string error message. This is a anti-pattern and comes with a high risk of breaking when the value gets changed in the library.

    To allow to check against the errors, this PR exports the types so they can be tested using the errors.Is(error, error) function from Go's errors package.

    A suggestion to implement this change was already requested in https://github.com/hako/branca/issues/5#issuecomment-416915978, but at the time of this commit a PR has not been submitted yet.

    This PR also includes 4 new tests to ensure the exported error types can be checked using errors.Is(error, error). The execution of the tests is way slower because the new TestExpiredTokenError test makes use of the time.Sleep(time.Duration) function with a value of 3 seconds in order to ensure the TTL of the token is expired, but unfortunately there is no other way to test this scenario.

    opened by arcticicestudio 6
  • Need a method to get the timestamp from a Token string

    Need a method to get the timestamp from a Token string

    I want to refresh tokens every other day before they expire, to do this I'll probably need to get a timestamp from the token string somehow. The decoder doesn't expose this information, I'm hoping you'll perhaps add a method to get the timestamp alongside the payload.

    maybe something like this

    type Token struct {
       Timestamp time.Time
       Payload string
    }
    
    tkn, err := branca.DecodeToken(token) // -> Token, error
    
    // what I want to do
    if closeToExpiration(tkn.Timestamp) {
       refreshTokenAndUpdateDB(
          UserIdFromPayload(tkn.Payload)
       )
    }
    
    opened by SaulDoesCode 3
  • Usage of official chacha20poly1305 algorithm

    Usage of official chacha20poly1305 algorithm

    Hi,

    Your library is looking quite nice, but I noticed that you're using chacha20poly1305 from repository:

    • https://github.com/aead/chacha20poly1305

    Were you planning to use the official algorithm from:

    • https://godoc.org/golang.org/x/crypto/chacha20poly1305

    At least in your README example you're specifying the 32 byte key size, which would be the same as in the official algorithm. Aead's repository also recommends to use the official algorithm.

    opened by ovainola 3
  • Move to a pure XChaCha20 algorithm in Go.

    Move to a pure XChaCha20 algorithm in Go.

    This will untie our cgo dependency to the libsodium library, a proposal is being made to add XChaCha20 to golang.org/x/crypto

    See https://github.com/golang/go/issues/23885

    opened by hako 1
  • Fix index specification of slice

    Fix index specification of slice

    Hi, Fixed index specification of slice. token[0:29] and token[:29] have the same meaning, The code one line down was token[29:], so I thought it would be easier to understand if they were unified.

    opened by deepoil 0
  • remove cgo dependency and gofmt, now in pure go.

    remove cgo dependency and gofmt, now in pure go.

    This PR removes libsodium-go. libsodium-go is a cgo based library which means you have to install libsodium to use branca.

    branca is now in pure go and is easily go gettable.

    go get github.com/hako/branca
    

    Until xchacha20 is in the stdlib, as per https://github.com/golang/go/issues/24485 aead/chacha20poly1305 will have to work for now.

    opened by hako 0
Owner
Wesley Hill
software engineer & (hobbyist) animator. building @fullcycleapp and other things.
Wesley Hill
Authenticated and encrypted API tokens using modern crypto

Branca Token Authenticated and encrypted API tokens using modern crypto. What? Branca is a secure, easy to use token format which makes it hard to sho

Mika Tuupola 192 Nov 24, 2022
Package gorilla/securecookie encodes and decodes authenticated and optionally encrypted cookie values for Go web applications.

securecookie securecookie encodes and decodes authenticated and optionally encrypted cookie values. Secure cookies can't be forged, because their valu

Gorilla Web Toolkit 602 Nov 15, 2022
Go-gin-jwt - Secure web api using jwt token and caching mechanism

Project Description This project demonstrate how to create api and secure it wit

Jeremy Panjaitan 0 Jan 27, 2022
Gets Firebase auth tokens (for development purposes only)Gets Firebase auth tokens

Firebase Token Gets Firebase auth tokens (for development purposes only) Getting started Create Firebase project Setup Firebase authentication Setup G

MousyBusiness 1 Nov 17, 2021
Account-jwt-go - Simple JWT api with go, gorm, gin

Account JWT on Go Go, gorm, Gin web framework 를 활용하여 만든 간단한 JWT API 입니다. Dajngo의

Deagwon Bu 1 Apr 14, 2022
Golang implementation of JSON Web Tokens (JWT)

jwt-go A go (or 'golang' for search engine friendliness) implementation of JSON Web Tokens NEW VERSION COMING: There have been a lot of improvements s

Dave Grijalva 10.5k Nov 22, 2022
Golang jwt tokens without any external dependency

Yet another jwt lib This is a simple lib made for small footprint and easy usage It allows creating, signing, reading and verifying jwt tokens easily

Karpelès Lab Inc. 1 Oct 11, 2021
Generate and verify JWT tokens with Trusted Platform Module (TPM)

golang-jwt for Trusted Platform Module (TPM) This is just an extension for go-jwt i wrote over thanksgiving that allows creating and verifying JWT tok

null 4 Oct 7, 2022
Generate and verify JWT tokens with PKCS-11

golang-jwt for PKCS11 Another extension for go-jwt that allows creating and verifying JWT tokens where the private key is embedded inside Hardware lik

null 2 Aug 25, 2022
JWT wrapper library which makes it simple to use ECDSA based JWT signing

JWT JWT wrapper library which makes it simple to user ECDSA based JWT signing. Usage package main import ( "context" "github.com/infiniteloopcloud

infinite loop 0 Feb 10, 2022
Krakend-jwt-header-rewriter - Kraken Plugin - JWT Header Rewriter

Kraken Plugin - JWT Header Rewriter 1 Plugin Configuration Name Desciption Defau

null 0 Feb 15, 2022
Fast, secure and efficient secure cookie encoder/decoder

Encode and Decode secure cookies This package provides functions to encode and decode secure cookie values. A secure cookie has its value ciphered and

Christophe Meessen 63 Nov 5, 2022
Key-Checker - Go scripts for checking API key / access token validity

Key-Checker Go scripts for checking API key / access token validity Update V1.0.0 ?? Added 37 checkers! Screenshoot ?? How to Install go get github.co

Muhammad Daffa 190 Nov 24, 2022
Utility to generate tokens to interact with GitHub API via GitHub App integration

GitHub App Authentication for integration with GitHub Introduction GitHub Apps are the officially recommended way to integrate with GitHub because of

GitHub Advanced Security 2 Mar 16, 2022
Backend Development Rest Api Project for book management system. Used Features like redis, jwt token,validation and authorization.

Golang-restapi-project Simple Rest Api Project with Authentication, Autherization,Validation and Connection with redis File Structure ├── cache │ ├──

Srijan Chakraborty 1 May 25, 2022
rEST API to test JWT on RS256 and HS256 algorithm.

JWT Check - Mock para tests This repo is just a simple example of JWT token generation using RS256 algorithm and HS256 algorithm. This api is responsi

Jefferson Otoni Lima 3 Aug 19, 2022
🔥 Golang Rest Api with basic JWT Authentication and Basic Crud Operations.

?? Golang Rest Api with basic JWT Authentication and Basic Crud Operations.

Junaid Javed 19 Oct 4, 2022
Safe, simple and fast JSON Web Tokens for Go

jwt JSON Web Token for Go RFC 7519, also see jwt.io for more. The latest version is v3. Rationale There are many JWT libraries, but many of them are h

cristaltech 576 Nov 19, 2022
Platform-Agnostic Security Tokens implementation in GO (Golang)

Golang implementation of PASETO: Platform-Agnostic Security Tokens This is a 100% compatible pure Go (Golang) implementation of PASETO tokens. PASETO

Oleg Lobanov 645 Nov 13, 2022