Creating a RESTful API with JWT Authentication in Go
Go has been a favorite among many developers when it comes to backend development. Its simplicity, combined with performance benefits, makes it a powerful tool for web services. In this tutorial, we'll guide you through creating a RESTful API using Go, with a focus on adding JWT (JSON Web Tokens) for authentication.
Step 1: Initialize Your Go Module
Create a new directory for your project:
mkdir go-jwt-api
cd go-jwt-api
Initialize a new module:
go mod init go-jwt-api
Step 2: Installing Required Packages
We'll use the gorilla/mux package for routing and dgrijalva/jwt-go for JWT functionality.
go get -u github.com/gorilla/mux go get -u github.com/dgrijalva/jwt-go
Step 3: Setting Up Basic Routes
package main
import (
"fmt"
"net/http"
"github.com/gorilla/mux"
)
func main() {
r := mux.NewRouter()
r.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, "Hello World!")
})
http.ListenAndServe(":8000", r)
}
Step 4: JWT Authentication
1. Create a utility for generating and validating JWTs:
package main
import (
"fmt"
"net/http"
"github.com/gorilla/mux"
)
func main() {
r := mux.NewRouter()
r.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, "Hello World!")
})
http.ListenAndServe(":8000", r)
}
2. Integrate JWT authentication in your main Go file:
package jwtutil
import (
"time"
"github.com/dgrijalva/jwt-go"
)
var jwtKey = []byte("your_secret_key")
type Claims struct {
Username string `json:"username"`
jwt.StandardClaims
}
func GenerateToken(username string) (string, error) {
expirationTime := time.Now().Add(24 * time.Hour)
claims := &Claims{
Username: username,
StandardClaims: jwt.StandardClaims{
ExpiresAt: expirationTime.Unix(),
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(jwtKey)
}
func ValidateToken(tknStr string) (*Claims, error) {
claims := &Claims{}
tkn, err := jwt.ParseWithClaims(tknStr, claims, func(token *jwt.Token) (interface{}, error) {
return jwtKey, nil
})
if err != nil {
return nil, err
}
if !tkn.Valid {
return nil, jwt.ErrSignatureInvalid
}
return claims, nil
}
5. Put It All Together
package main
import (
"fmt"
"net/http"
"time"
"github.com/gorilla/mux"
"github.com/dgrijalva/jwt-go"
)
var jwtKey = []byte("your_secret_key")
type Claims struct {
Username string `json:"username"`
jwt.StandardClaims
}
func GenerateToken(username string) (string, error) {
expirationTime := time.Now().Add(24 * time.Hour)
claims := &Claims{
Username: username,
StandardClaims: jwt.StandardClaims{
ExpiresAt: expirationTime.Unix(),
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(jwtKey)
}
func ValidateToken(tknStr string) (*Claims, error) {
claims := &Claims{}
tkn, err := jwt.ParseWithClaims(tknStr, claims, func(token *jwt.Token) (interface{}, error) {
return jwtKey, nil
})
if err != nil {
return nil, err
}
if !tkn.Valid {
return nil, jwt.ErrSignatureInvalid
}
return claims, nil
}
func handleLogin(w http.ResponseWriter, r *http.Request) {
username := r.PostFormValue("username")
password := r.PostFormValue("password")
// For demonstration, we're assuming "admin"/"password" as valid credentials.
if username != "admin" || password != "password" {
http.Error(w, "Invalid credentials", http.StatusUnauthorized)
return
}
token, err := GenerateToken(username)
if err != nil {
http.Error(w, "Failed to generate token", http.StatusInternalServerError)
return
}
http.SetCookie(w, &http.Cookie{
Name: "token",
Value: token,
Expires: time.Now().Add(24 * time.Hour),
})
}
func handleProtectedRoute(w http.ResponseWriter, r *http.Request) {
c, err := r.Cookie("token")
if err != nil {
if err == http.ErrNoCookie {
http.Error(w, "No token", http.StatusUnauthorized)
return
}
http.Error(w, "Bad Request", http.StatusBadRequest)
return
}
tokenStr := c.Value
claims, err := ValidateToken(tokenStr)
if err != nil {
http.Error(w, "Invalid token", http.StatusUnauthorized)
return
}
w.Write([]byte(fmt.Sprintf("Hello, %s!", claims.Username)))
}
func main() {
r := mux.NewRouter()
r.HandleFunc("/login", handleLogin).Methods("POST")
r.HandleFunc("/protected", handleProtectedRoute).Methods("GET")
http.ListenAndServe(":8000", r)
}
Conclusion
With these steps, you now have a basic RESTful API in Go with JWT authentication. Remember to replace the hardcoded credentials and secret key with more secure methods in a production setting. Use bcrypt for password hashing, and consider storing your secret key securely or even rotating it regularly. Happy coding!
