diogox / base-golang-rest-jwt Goto Github PK

View Code? Open in Web Editor NEW

2.0 1.0 0.0 7.93 MB

A boilerplate for any REST API projects that require a login system with (JWT) token authentication.

Go 12.44% HTML 1.55% Dockerfile 0.23% CSS 70.90% JavaScript 5.58% TypeScript 9.31%

golang jwt jwt-authentication login-system angular react

base-golang-rest-jwt's Introduction

TODO

After every change to th prisma data model, we need to run prisma deploy.
Need to add managementApiSecret to the docker-compose.yml.

Usage

Development Mode

To run the project in development mode, we need to run the docker-compose.dev.yml file, like so:

sudo docker-compose -f docker-compose.dev.yml up -d

And then, run the server's executable:

go run server/cmd/main.go

If redis is installed on the local machine, you may need to disable it:

sudo systemctl stop redis

You can start it back up again, when you're done, with the command:

sudo systemctl start redis

Release Mode

To run the project in Release Mode, we only need to run the docker-compose.yml file, like so:

sudo docker-compose up -d --build

(You may also have to disable redis, if you have it installed.)

Tests

To run all the unit tests included, use the command:

go test ./...

base-golang-rest-jwt's People

Contributors

Stargazers

Watchers

base-golang-rest-jwt's Issues

Create interface for email service & Mock email service

Do what's in the title for testing purposes

Add Paypal support

Add Paypal support to allow users to go Premium. Related to #12.

Token blacklist

Should probably have a 'Token Blacklist' so that I can invalidate tokens while they don't expire.
Some places where this would be useful:

Invalidate password reset token after the token is reset.
Invalidate an auth token so that I can implement a Logout-like functionality.
Invalidate an auth token after the password has been reset, to force the user to login again.

unlock locked account upon password reset

According to the OAuth specification, we should unlock locked accounts, when the password is reset. And it makes sense to do so...

Create endpoints for user management

Create endpoints to deal with a user's info. A user should be able add/modify their:

Email
Avatar (Use multipart to upload the image. Maybe restrict the image size)
Etc.

Deal with refresh token on the frontend

Right now, we're only using the auth token, we don't even acknowledge the existence of the refresh token on the frontend...

Get redis server's port from env var

What the title says...

Add user roles

Add user roles, for example:

Free User
Premium (paid) user

Have env vars for the duration of the other types of tokens

Right now, the duration of the auth tokens is being used for all tokens, but we might want to give the user more time to use their Email Verification token, for example, due to the slowness inherent to email.

Remove unverified accounts after a defined interval

Right now, when we sign in, we receive an email prompting use to verify our email before we can use the account.
If the account doesn't get verified then it just stays unverified indefinitely. This behaviour is not optimal, the account should probably get deleted after a defined interval.

Limit failed login attempts

Should limit the amount of failed login attempts.
This could be done on the server side by blocking the IP temporarily, blocking the account temporarily or, on the client side, by adding a captcha after a few failed attempts.
The one on the client side may be the least secure since one could possibly alter the javascript to be able to brute-force the account (maybe?). On the other hand, blocking the account may be an inconvenience to the affected user.

Reset Password Token
Email Verification Token (not as much of a security risk, I'd say...)