serverToken
TODO - make this whole thing read way better
Server token authorization using Go. A server token is a way to identify a client of an API that is not accessing a resource directly as the user (as in OAuth2). Some shops call these server tokens API keys; I chose server token.
- Server access to resources
- Basic Auth - Basic Authentication is used for endpoints that do not require a user's authentication. For Basic Auth endpoints, a pre-assigned "Server" token (JWT) should be sent in the username field of the Basic Authentication scheme. The password should be left blank.
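One way to enforce the Basic Auth rule above in Go, as an added example that is not this repository's code. It assumes the token is treated as an opaque string checked against a stored SHA-256 hash (JWT signature verification is not shown); the sample token, the `/v1/resource` path and the function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample: SHA-256 of an issued token, as a token store would hold it.
var validTokenHash = sha256.Sum256([]byte("example-server-token"))

// checkServerToken accepts only a valid token in the username and a blank password.
func checkServerToken(r *http.Request) bool {
	token, password, ok := r.BasicAuth()
	if !ok || token == "" || password != "" {
		return false
	}
	got := sha256.Sum256([]byte(token)) // fixed length, so the compare is constant-time
	return subtle.ConstantTimeCompare(got[:], validTokenHash[:]) == 1
}

// requireServerToken answers 401 for any request that fails checkServerToken.
func requireServerToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !checkServerToken(r) {
			w.Header().Set("WWW-Authenticate", `Basic realm="api"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one request through the middleware and returns the status code.
func statusFor(user, pass string, sendAuth bool) int {
	h := requireServerToken(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	req := httptest.NewRequest(http.MethodGet, "/v1/resource", nil)
	if sendAuth {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("example-server-token", "", true), statusFor("wrong-token", "", true))
}
```

Rejecting a non-blank password keeps clients from sending a user credential to an endpoint that only expects a server token.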
Research for Server Authorization Tokens
Uber
Uber provides both a server token and a user token in the Uber admin console.
- Uber uses an OAuth Bearer token for requests that require a user's login:
$ curl -H 'Authorization: Bearer <USER_ACCESS_TOKEN>' \
-H 'Accept-Language: en_US' \
-H 'Content-Type: application/json' \
'https://api.uber.com/v1.2/estimates/price?start_latitude=37.7752315&start_longitude=-122.418075&end_latitude=37.7752415&end_longitude=-122.518075'
- Uber uses an unusual "Token" Authorization scheme for server tokens that do not require a user login:
$ curl -H 'Authorization: Token <SERVER_TOKEN>' \
-H 'Accept-Language: en_US' \
-H 'Content-Type: application/json' \
'https://api.uber.com/v1.2/estimates/price?start_latitude=37.7752315&start_longitude=-122.418075&end_latitude=37.7752415&end_longitude=-122.518075'
Twilio
- Twilio uses HTTP Basic Authentication and provides a SID (some custom unique ID) and an auth token as part of the Twilio admin console. The account SID is also passed back in responses.
$ curl -G https://api.twilio.com/2010-04-01/Accounts \
-u '[YOUR ACCOUNT SID]:[YOUR AUTH TOKEN]'
Stripe
- Stripe just has you pass an API key as the username of HTTP Basic Authentication, with no password:
$ curl https://api.stripe.com/v1/charges \
-u 'sk_test_4eC39HqLyjWDarjtT1zdp7dc:'
Mailchimp
- Mailchimp has you pass your API key in the password field of HTTP Basic Authentication (you can pass anything you want in the username section). Mailchimp also supports OAuth2, but has a somewhat unusual implementation of it: no Bearer token (an "OAuth token" instead), no refresh token, etc.
$ curl --request GET \
--url 'https://<dc>.api.mailchimp.com/3.0/' \
--user 'anystring:<your_apikey>'