Documentation
¶
Overview ¶
authmw demonstrates a production-ish middleware stack:
Helmet with local HTTP HSTS disabled and production HSTS enabled by env.
Explicit credentialed CORS for one trusted browser origin.
Session + CSRF scoped to browser cookie routes.
BasicAuth scoped to admin token minting.
JWT scoped to bearer-token API routes, with issuer, audience, and required-claim validation configured in the middleware.
WebSocketAuth on the upgrade path, separate from HTTP CORS.
CGO_ENABLED=1 go run -tags gogo ./examples/authmw curl -i http://localhost:3002/ curl -i -c jar http://localhost:3002/browser/csrf curl -i -b jar -c jar -H 'Content-Type: application/json' \ -H 'X-CSRF-Token: <token-from-/browser/csrf>' \ -d '{"username":"alice","password":"wonderland"}' \ http://localhost:3002/browser/login curl -i -b jar http://localhost:3002/browser/private/me curl -i -u admin:dev-admin-password http://localhost:3002/admin/token curl -i -H "Authorization: Bearer <token-from-/admin/token>" \ http://localhost:3002/api/bearer/me