servertoken

package module
v0.1.2
Published: Jan 4, 2019 License: MIT Imports: 5 Imported by: 1

README

serverToken

TODO - make this whole thing read way better

Server token authorization in Go. A server token identifies a client of an API that is calling on its own behalf rather than on behalf of an end user (the user-delegated case is what OAuth2 covers). Some shops call these API keys; this package calls them server tokens.

  • Server access to resources
    • Basic Auth - HTTP Basic Authentication is used for endpoints that do not require a user's authentication. For these endpoints the client sends its pre-assigned "Server" token (a JWT) in the username field of the Basic Authentication credentials and leaves the password blank.

Research for Server Authorization Tokens

Uber

Uber provides both a server token and a user token in the Uber admin console

  • Uber uses an OAuth Bearer token for requests that require a user's login:
$ curl -H 'Authorization: Bearer <USER_ACCESS_TOKEN>' \
     -H 'Accept-Language: en_US' \
     -H 'Content-Type: application/json' \
     'https://api.uber.com/v1.2/estimates/price?start_latitude=37.7752315&start_longitude=-122.418075&end_latitude=37.7752415&end_longitude=-122.518075'
  • Uber uses a non-standard "Token" Authorization scheme (rather than "Bearer") for server tokens, which do not require a user login:
$ curl -H 'Authorization: Token <SERVER_TOKEN>' \
     -H 'Accept-Language: en_US' \
     -H 'Content-Type: application/json' \
     'https://api.uber.com/v1.2/estimates/price?start_latitude=37.7752315&start_longitude=-122.418075&end_latitude=37.7752415&end_longitude=-122.518075'
Twilio
  • Twilio uses HTTP Basic Authentication: the Account SID (Twilio's unique identifier for the account) goes in the username field and the auth token in the password field, both issued in the Twilio admin console. The Account SID is also echoed back in API responses.
$ curl -G https://api.twilio.com/2010-04-01/Accounts \
    -u '[YOUR ACCOUNT SID]:[YOUR AUTH TOKEN]'
Stripe
  • Stripe has you pass the API key as the username of HTTP Basic Authentication, with an empty password
$ curl https://api.stripe.com/v1/charges \
   -u 'sk_test_4eC39HqLyjWDarjtT1zdp7dc:'
Mailchimp
  • Mailchimp has you pass your API key in the password field of HTTP Basic Authentication (the username can be any string). Mailchimp also supports OAuth2, but with a somewhat unusual implementation: access tokens are sent with an "OAuth" Authorization scheme rather than "Bearer", no refresh token is issued, and so on.
$ curl --request GET \
--url 'https://<dc>.api.mailchimp.com/3.0/' \
--user 'anystring:<your_apikey>'
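To make the differences between these conventions concrete, here is an added example (not code from this package or from any of the vendors above) of a server-side parser that accepts all four Authorization header shapes surveyed: the Bearer and Token schemes, and Basic with the secret in either field. Credential, parseAuthorization, extractCredential and basicHeader are names chosen for the example, and the header values in main are constructed placeholders, not real keys.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Credential is what the server side ends up with after reading the
// Authorization header: the scheme the client used plus the raw fields.
type Credential struct {
	Scheme   string // "Bearer", "Token" or "Basic"
	Token    string // set for Bearer and Token
	Username string // set for Basic
	Password string // set for Basic
}

var errNoCredential = errors.New("no usable credential in Authorization header")

// parseAuthorization accepts the four conventions surveyed above:
//
//	Bearer <token>        Uber user tokens (standard OAuth2)
//	Token <token>         Uber server tokens
//	Basic b64(key:)       Stripe, and this package: key in the username, blank password
//	Basic b64(any:key)    Mailchimp: key in the password, any username
//
// Scheme names are matched case-insensitively, as RFC 7235 requires. Which
// Basic field carries the secret is a per-API convention (Twilio uses both:
// Account SID as username, auth token as password), so both are returned.
func parseAuthorization(value string) (Credential, error) {
	scheme, rest, ok := strings.Cut(strings.TrimSpace(value), " ")
	rest = strings.TrimSpace(rest)
	if !ok || rest == "" {
		return Credential{}, errNoCredential
	}
	switch strings.ToLower(scheme) {
	case "bearer":
		return Credential{Scheme: "Bearer", Token: rest}, nil
	case "token":
		return Credential{Scheme: "Token", Token: rest}, nil
	case "basic":
		dec, err := base64.StdEncoding.DecodeString(rest)
		if err != nil {
			return Credential{}, fmt.Errorf("basic credentials are not valid base64: %w", err)
		}
		user, pass, ok := strings.Cut(string(dec), ":")
		if !ok {
			return Credential{}, errors.New("basic credentials must be user:password")
		}
		return Credential{Scheme: "Basic", Username: user, Password: pass}, nil
	}
	return Credential{}, fmt.Errorf("unsupported authorization scheme %q", scheme)
}

// extractCredential reads the Authorization header of an incoming request.
func extractCredential(h http.Header) (Credential, error) {
	return parseAuthorization(h.Get("Authorization"))
}

// basicHeader builds the header value a client would send for user:pass.
func basicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

func main() {
	// Constructed sample header values; the secrets are placeholders, not real keys.
	for _, v := range []string{
		"Bearer user-access-token",
		"Token server-token",
		basicHeader("sk_test_placeholder", ""),
		basicHeader("anystring", "mailchimp-api-key"),
		basicHeader("ACxxxxxxxx", "twilio-auth-token"),
		"Digest realm=nope",
	} {
		c, err := parseAuthorization(v)
		if err != nil {
			fmt.Printf("%-44s -> error: %v\n", v, err)
			continue
		}
		fmt.Printf("%-44s -> %+v\n", v, c)
	}
}
```

The parser deliberately does not decide which Basic field is "the" secret: a server that follows this package's convention reads Username, a Mailchimp-style one reads Password, and a Twilio-style one needs both, so that choice belongs to the caller. Rejecting an empty value after the scheme name matters in practice, because `Basic` with a blank username and blank password is otherwise a syntactically valid credential.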

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func FromCtx

func FromCtx(ctx context.Context) (string, error)

FromCtx gets the Server Token from the context.

func Handler

func Handler(log zerolog.Logger, db *sql.DB) (mw func(http.Handler) http.Handler)

Handler is middleware that performs server token authorization. The client must send its server token as the username portion of HTTP Basic Authentication, with a blank password. The middleware parses the token and determines whether it is valid for the request path and method.

Types

type ServerToken

type ServerToken string

ServerToken is a token that represents a calling server.

func (*ServerToken) Authorize

func (s *ServerToken) Authorize(ctx context.Context, log zerolog.Logger, db *sql.DB, path string, method string) (context.Context, error)

Authorize follows the HTTP Basic Authentication standard (RFC 7617). The client is expected to provide its ServerToken in the username field of the Basic credentials, with the password blank. As the spec requires, the "username:password" pair is base64-encoded in the Authorization header, so Authorize decodes it before parsing the token.
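The Handler and Authorize behaviour described above, as an added example that is not the package's own code: a stand-alone middleware that takes the server token from the Basic Auth username, insists on a blank password, checks the token against a table of allowed methods and path prefixes, and stores the token in the request context for a FromCtx-style accessor. The in-memory tokenStore is a constructed stand-in for the package's *sql.DB lookup (its schema is not on the page), and tokenMiddleware, tokenFromCtx, hello, callWith and the placeholder tokens are names chosen for the example.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenScope stands in for the database row: owner, allowed methods, allowed path prefix.
type tokenScope struct {
	Server  string
	Methods []string
	Prefix  string
}

// tokenStore is a constructed in-memory stand-in for the database; keys are placeholders.
var tokenStore = map[string]tokenScope{
	"srv-billing-01":   {"billing", []string{"GET", "POST"}, "/v1/invoices"},
	"srv-reporting-01": {"reporting", []string{"GET"}, "/v1/"},
}

type ctxKey struct{}

// tokenFromCtx returns the token the middleware stored on the request context.
func tokenFromCtx(ctx context.Context) (string, bool) {
	tok, ok := ctx.Value(ctxKey{}).(string)
	return tok, ok && tok != ""
}

// lookupToken compares SHA-256 digests in constant time, so neither token length
// nor a matching prefix of the presented token leaks through response timing.
func lookupToken(presented string) (tokenScope, bool) {
	want := sha256.Sum256([]byte(presented))
	for stored, scope := range tokenStore {
		got := sha256.Sum256([]byte(stored))
		if subtle.ConstantTimeCompare(got[:], want[:]) == 1 {
			return scope, true
		}
	}
	return tokenScope{}, false
}

// authorize is the path/method check: known reports whether the token exists,
// allowed whether it covers this request.
func authorize(token, path, method string) (known, allowed bool) {
	scope, ok := lookupToken(token)
	if !ok {
		return false, false
	}
	for _, m := range scope.Methods {
		if m == method && strings.HasPrefix(path, scope.Prefix) {
			return true, true
		}
	}
	return true, false
}

// tokenMiddleware expects the server token in the Basic Auth username with a
// blank password, rejects anything else, and stores the token in the context.
func tokenMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth() // decodes the base64 "user:password" pair
		known, allowed := false, false
		if ok && user != "" && pass == "" {
			known, allowed = authorize(user, r.URL.Path, r.Method)
		}
		if !known { // no credentials, wrong shape, or unrecognised token
			w.Header().Set("WWW-Authenticate", `Basic realm="server-token"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !allowed { // recognised token, but not for this path and method
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, user)))
	})
}

// hello is the protected endpoint; it reads the token back out of the context.
var hello = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	tok, _ := tokenFromCtx(r.Context()) // always present: the middleware ran first
	scope, _ := lookupToken(tok)
	fmt.Fprintf(w, "hello %s", scope.Server)
})

// callWith sends one in-memory request with the given Basic Auth fields and
// returns the status code and the trimmed body.
func callWith(h http.Handler, user, pass, method, path string) (int, string) {
	req := httptest.NewRequest(method, path, nil)
	if user != "" || pass != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	srv := tokenMiddleware(hello)
	fmt.Println(callWith(srv, "srv-billing-01", "", "POST", "/v1/invoices"))      // 200 hello billing
	fmt.Println(callWith(srv, "srv-reporting-01", "", "POST", "/v1/invoices"))    // 403 forbidden
	fmt.Println(callWith(srv, "srv-billing-01", "secret", "GET", "/v1/invoices")) // 401 unauthorized
}
```

Two choices worth noting: a request with a non-blank password is treated the same as a missing credential (401) rather than silently ignoring the password, since a client that sends one is not speaking this convention; and a recognised token used outside its path or method scope gets 403, which distinguishes "who are you" failures from "you may not do this" failures without revealing anything about tokens other than the one presented.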

func (ServerToken) String added in v0.1.1

func (s ServerToken) String() string
