I'm currently writing an API in Go and have been racking my brain over how to do authentication/authorization correctly and securely.
As I understand it, this is how it goes:
api/user/register endpoint (or api/user/login for existing users)
My questions are regarding the steps dealing with refresh tokens.
I am also writing the client application (in React); I won't be releasing the API to the public. I simply am writing the backend as an API for the client app.
api/auth/token route? I keep reading about them in implementation examples, and I feel like I can just have some helper functions to query the database and reissue tokens in my backend code instead of having to query another endpoint to do so. Sorry if these are dumb questions, but I've been poring over page after page detailing the auth spec, and the subtle differences from page to page are leaving me confused and unsure of what is truly "best practice" in production.
I think you are getting confused over the word login. Instead of /api/user/login I call it /api/user/authentication. So if the request has JSON attached to its body, it returns a valid token. But if the request has a valid Authentication header, you just issue a new token valid for the same period of time. This is especially good for frontends, so you could try to re-auth automatically.
import (
	"encoding/json"
	"net/http"
)

// Handler for /api/user/authentication: JSON credentials in the body yield a
// fresh token; a valid Authorization header yields a renewed one.
// types, USERAUTH and GenerateTokenFromToken are the answerer's own packages/helpers.
func authenticationHandler(w http.ResponseWriter, r *http.Request) {
	newUser := types.User{}
	if r.Body != nil {
		err := json.NewDecoder(r.Body).Decode(&newUser)
		...
	}
	authHeader := r.Header.Get("Authorization")
	if authHeader != "" {
		// keep the verified token: the original discarded it with _ and then used an undefined token
		token, err := USERAUTH.CheckJWT(w, r) // spelled CHeckJWT in the original post
		if err != nil {
			...
		}
		newToken := GenerateTokenFromToken(token)
		...
	}
}
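The single-endpoint pattern from the answer above, written out as an added, self-contained example (this is not the answerer's code and not from the asker's project). It assumes HS256 JWTs with a shared secret, a constructed in-memory user store (username to password; a real store would hold bcrypt/argon2 hashes) and a clock injected so that tests can move time forward; the names AuthServer, Claims, signToken, verifyToken, tokenTTL and sessionMax are all invented here. It uses only the standard library, which is why the signing and verification are spelled out rather than taken from a JWT package. The one thing it adds that the answer's sketch does not show is a cap on renewal: a token renewed from a valid token carries the original login time in an orig claim, and renewal is refused once that login is older than sessionMax, so a stolen token cannot be kept alive forever by re-presenting it every few minutes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Claims carried in the token. Orig is the original password login time and is copied
// unchanged on every renewal, which gives the whole session an absolute lifetime.
type Claims struct {
	Sub  string `json:"sub"`
	Exp  int64  `json:"exp"`
	Orig int64  `json:"orig"`
}

// A token lives tokenTTL; renewal stops sessionMax after the original login.
const tokenTTL, sessionMax = 15 * time.Minute, 8 * time.Hour
var b64 = base64.RawURLEncoding

// signToken builds a compact HS256 JWT: header.payload.signature.
func signToken(secret []byte, c Claims) string {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyToken checks signature and expiry. The algorithm is pinned to HS256 and the
// header's alg field is deliberately ignored, so an "alg":"none" token is rejected.
func verifyToken(secret []byte, tok string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return c, errors.New("bad payload")
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

// AuthServer: signing secret, constructed in-memory users (username -> password; a real
// store keeps bcrypt/argon2 hashes) and a clock that tests can control.
type AuthServer struct {
	Secret []byte
	Users  map[string]string
	Now    func() time.Time
}

// Authenticate serves /api/user/authentication: a valid Bearer token is renewed while its
// original login is within sessionMax; otherwise JSON credentials are required.
func (s *AuthServer) Authenticate(w http.ResponseWriter, r *http.Request) {
	now := s.Now()
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		old, err := verifyToken(s.Secret, strings.TrimPrefix(h, "Bearer "), now)
		if err != nil || now.Sub(time.Unix(old.Orig, 0)) > sessionMax {
			http.Error(w, "re-authentication required", http.StatusUnauthorized)
			return
		}
		s.issue(w, Claims{Sub: old.Sub, Exp: now.Add(tokenTTL).Unix(), Orig: old.Orig})
		return
	}
	var creds struct{ Username, Password string }
	if json.NewDecoder(r.Body).Decode(&creds) != nil {
		http.Error(w, "credentials required", http.StatusBadRequest)
		return
	}
	stored, ok := s.Users[creds.Username]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(creds.Password)) != 1 {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	s.issue(w, Claims{Sub: creds.Username, Exp: now.Add(tokenTTL).Unix(), Orig: now.Unix()})
}

func (s *AuthServer) issue(w http.ResponseWriter, c Claims) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"token": signToken(s.Secret, c)})
}

func main() { // stand-alone server with the constructed user; the test harness sets this aside
	s := &AuthServer{Secret: []byte("change-me"), Users: map[string]string{"alice": "s3cret"}, Now: time.Now}
	http.HandleFunc("/api/user/authentication", s.Authenticate)
	panic(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Run it and POST {"username":"alice","password":"s3cret"} to /api/user/authentication to get a token; POST again with Authorization: Bearer <token> and no body to get a renewed one. The frontend can therefore do what the answer suggests (re-auth automatically while the token is still valid), but the orig claim means that after sessionMax the client is pushed back to the password path, and an expired or tampered token is refused on the renewal path rather than silently re-issued. Note that renewal here is gated only by the old token still being valid; if you need to revoke a session before its token expires you still need server-side state (a denylist or a stored refresh token), which is the problem a separate refresh token is meant to solve.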
The technical post webpages of this site are licensed under CC BY-SA 4.0. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.