
Authboss is a modular authentication system for the web.
It has several modules that represent authentication and authorization features that are common to websites in general so that you can enable as many as you need, and leave the others out. It makes it easy to plug in authentication to an application and get a lot of functionality for (hopefully) a smaller amount of integration effort.
v1 -> v2 was a very big change. If you're looking to upgrade there is a general guide in tov2.md in this project.
v2 -> v3 was not a big change, it simply changed the project to use Go modules. Authboss no longer supports GOPATH as of version 3
Every time you'd like to start a new web project, you really want to get to the heart of what you're trying to accomplish very quickly and it would be a sure bet to say one of the systems you're excited about implementing and innovating on is not authentication. In fact it's very much the opposite: it's one of those things that you have to do and one of those things you loathe to do. Authboss is supposed to remove a lot of the tedium that comes with this, as well as a lot of the chances to make mistakes. This allows you to care about what you're intending to do, rather than care about ancillary support systems required to make what you're intending to do happen.
Here are a few bullet point reasons you might like to try it out:
To get started with Authboss in the simplest way, is to simply create a Config, populate it with the things that are required, and start implementing use cases. The use cases describe what's required to be able to use a particular piece of functionality, or the best practice when implementing a piece of functionality. Please note the app requirements for your application as well integration requirements that follow.
Of course the standard practice of fetching the library is just the beginning:
# Get the latest, you must be using Go modules as of v3 of Authboss.
go get -u github.com/aarondl/authboss/v3
Here's a bit of starter code that was stolen from the sample.
ab := authboss.New()
ab.Config.Storage.Server = myDatabaseImplementation
ab.Config.Storage.SessionState = mySessionImplementation
ab.Config.Storage.CookieState = myCookieImplementation
ab.Config.Paths.Mount = "/authboss"
ab.Config.Paths.RootURL = "https://www.example.com/"
// This is using the renderer from: github.com/aarondl/authboss
ab.Config.Core.ViewRenderer = abrenderer.NewHTML("/auth", "ab_views")
// Probably want a MailRenderer here too.
// This instantiates and uses every default implementation
// in the Config.Core area that exist in the defaults package.
// Just a convenient helper if you don't want to do anything fancy.
defaults.SetCore(&ab.Config, false, false)
if err := ab.Init(); err != nil {
panic(err)
}
// Mount the router to a path (this should be the same as the Mount path above)
// mux in this example is a chi router, but it could be anything that can route to
// the Core.Router.
mux.Mount("/authboss", http.StripPrefix("/authboss", ab.Config.Core.Router))
For a more in-depth look you definitely should look at the authboss sample to see what a full implementation looks like. This will probably help you more than any of this documentation.
https://github.com/aarondl/authboss-sample
Authboss does a lot of things, but it doesn't do some of the important things that are required by a typical authentication system, because it can't guarantee that you're doing many of those things in a different way already, so it punts the responsibility.
What this means is you should apply a middleware that can protect the application from csrf attacks or you may be vulnerable. Authboss previously handled this but it took on a dependency that was unnecessary and it complicated the code. Because Authboss does not render views nor consumes data directly from the user, it no longer does this.
Currently Authboss is vulnerable to brute force attacks because there are no protections on it's endpoints. This again is left up to the creator of the website to protect the whole website at once (as well as Authboss) from these sorts of attacks.
In terms of integrating Authboss into your app, the following things must be considered.
There are middlewares that are required to be installed in your middleware stack if it's all to function properly, please see Middlewares for more information.
There are some required configuration variables that have no sane defaults and are particular to your app:
Everything under Config.Storage and Config.Core are required and you must provide them,
however you can optionally use default implementations from the
defaults package.
This also provides an easy way to share implementations of certain stack pieces (like HTML Form Parsing).
As you saw in the example above these can be easily initialized with the SetCore method in that
package.
The following is a list of storage interfaces, they must be provided by the implementer. Server is a very involved implementation, please see the additional documentation below for more details.
The following is a list of the core pieces, these typically are abstracting the HTTP stack. Out of all of these you'll probably be mostly okay with the default implementations in the defaults package but there are two big exceptions to this rule and that's the ViewRenderer and the MailRenderer. For more information please see the use case Rendering Views
The ServerStorer is
meant to be upgraded to add capabilities depending on what modules you'd like to use.
It starts out by only knowing how to save and load users, but the remember module as an example
needs to be able to find users by remember me tokens, so it upgrades to a
RememberingServerStorer
which adds these abilities.
Your ServerStorer implementation does not need to implement all these additional interfaces
unless you're using a module that requires it. See the Use Cases documentation to know what the requirements are.
Users in Authboss are represented by the User interface. The user interface is a flexible notion, because it can be upgraded to suit the needs of the various modules.
Initially the User must only be able to Get/Set a PID or primary identifier. This allows the authboss
modules to know how to refer to him in the database. The ServerStorer also makes use of this
to save/load users.
As mentioned, it can be upgraded, for example suppose now we want to use the confirm module,
in that case the e-mail address now becomes a requirement. So the confirm module will attempt
to upgrade the user (and panic if it fails) to a
ConfirmableUser
which supports retrieving and setting of confirm tokens, e-mail addresses, and a confirmed state.
Your User implementation does not need to implement all these additional user interfaces unless you're
using a module that requires it. See the Use Cases documentation to know what the
requirements are.
The BodyReader interface in the Config returns Validator implementations which can be validated. But much like the storer and user it can be upgraded to add different capabilities.
A typical BodyReader (like the one in the defaults package) implementation checks the page being
requested and switches on that to parse the body in whatever way
(msgpack, json, url-encoded, doesn't matter), and produce a struct that has the ability to
Validate() it's data as well as functions to retrieve the data necessary for the particular
valuer required by the module.
An example of an upgraded Valuer is the
UserValuer
which stores and validates the PID and Password that a user has provided for the modules to use.
Your body reader implementation does not need to implement all valuer types unless you're using a module that requires it. See the Use Cases documentation to know what the requirements are.
The config struct is an important part of Authboss. It's the key to making Authboss do what you want with the implementations you want. Please look at it's code definition as you read the documentation below, it will make much more sense.
Paths are the paths that should be redirected to or used in whatever circumstance they describe.
Two special paths that are required are Mount and RootURL without which certain authboss
modules will not function correctly. Most paths get defaulted to / such as after login success
or when a user is locked out of their account.
Modules are module specific configuration options. They mostly control the behavior of modules.
For example RegisterPreserveFields decides a whitelist of fields to allow back into the data
to be re-rendered so the user doesn't have to type them in again.
Mail sending related options.
These are the implementations of how storage on the server and the client are done in your app. T
$ claude mcp add authboss \
-- python -m otcore.mcp_server <graph>