Securing RESTful APIs

Authentication and Authorization

In this section, we will cover the essential concepts and techniques for securing RESTful APIs, focusing on authentication and authorization, with a deep dive into using JSON Web Tokens (JWT).

Introduction to Authentication and Authorization

• Authentication: The process of verifying the identity of a user or service.
• Authorization: The process of determining if the authenticated user or service has permission to perform a specific action or access certain resources.

Using JWT (JSON Web Tokens)

JWT is a compact, URL-safe means of representing claims to be transferred between two parties. It is widely used for securing RESTful APIs due to its simplicity and ease of use.

Understanding JWT

• Structure: A JWT consists of three parts separated by dots (.), encoded in Base64:
  • Header: Contains metadata about the token, such as the type of token (JWT) and the signing algorithm (e.g., HMAC SHA256).
  • Payload: Contains the claims, which are statements about an entity (typically, the user) and additional data.
  • Signature: Ensures that the token hasn't been altered. It is created by signing the header and payload with a secret key.

Example of a JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Creating a JWT

1. Header: Specify the algorithm and token type.

   json
   {
     "alg": "HS256",
     "typ": "JWT"
   }
   

2. Payload: Include the claims.

   json
   {
     "sub": "1234567890",
     "name": "John Doe",
     "iat": 1516239022
   }
   

3. Signature: Sign the header and payload using a secret key.

   bash
   HMACSHA256(
     base64UrlEncode(header) + "." +
     base64UrlEncode(payload),
     secret
   )
   

Implementing JWT in Go

Here's how you can implement JWT-based authentication and authorization in a Go RESTful API.

Step 1: Install the JWT Package

First, you need to install the github.com/dgrijalva/jwt-go package.

bash
go get github.com/dgrijalva/jwt-go

Step 2: Define a Struct for User Credentials

Create a struct to handle user login data.

go
type Credentials struct {
    Username string `json:"username"`
    Password string `json:"password"`
}

Step 3: Create a JWT Token

Write a function to generate a JWT token.

go
import (
    "time"
    "github.com/dgrijalva/jwt-go"
)

var jwtKey = []byte("my_secret_key")

func GenerateJWT(username string) (string, error) {
    expirationTime := time.Now().Add(24 * time.Hour)
    claims := &jwt.StandardClaims{
        Subject:   username,
        ExpiresAt: expirationTime.Unix(),
    }
    token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
    tokenString, err := token.SignedString(jwtKey)
    if err != nil {
        return "", err
    }
    return tokenString, nil
}

Step 4: Authenticate Users and Issue Tokens

Write a handler function for user login that validates credentials and issues a JWT token.

go
import (
    "encoding/json"
    "net/http"
)

func Login(w http.ResponseWriter, r *http.Request) {
    var creds Credentials
    err := json.NewDecoder(r.Body).Decode(&creds)
    if err != nil {
        w.WriteHeader(http.StatusBadRequest)
        return
    }

    // Here, you should validate the user credentials with your database
    if creds.Username != "user" || creds.Password != "password" {
        w.WriteHeader(http.StatusUnauthorized)
        return
    }

    token, err := GenerateJWT(creds.Username)
    if err != nil {
        w.WriteHeader(http.StatusInternalServerError)
        return
    }

    http.SetCookie(w, &http.Cookie{
        Name:    "token",
        Value:   token,
        Expires: time.Now().Add(24 * time.Hour),
    })
}

Step 5: Middleware to Protect Routes

Create a middleware function to protect your routes.

go
func AuthMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        cookie, err := r.Cookie("token")
        if err != nil {
            if err == http.ErrNoCookie {
                w.WriteHeader(http.StatusUnauthorized)
                return
            }
            w.WriteHeader(http.StatusBadRequest)
            return
        }

        tokenStr := cookie.Value
        claims := &jwt.StandardClaims{}

        token, err := jwt.ParseWithClaims(tokenStr, claims, func(token *jwt.Token) (interface{}, error) {
            return jwtKey, nil
        })
        if err != nil {
            if err == jwt.ErrSignatureInvalid {
                w.WriteHeader(http.StatusUnauthorized)
                return
            }
            w.WriteHeader(http.StatusBadRequest)
            return
        }
        if !token.Valid {
            w.WriteHeader(http.StatusUnauthorized)
            return
        }

        ctx := context.WithValue(r.Context(), "username", claims.Subject)
        next.ServeHTTP(w, r.WithContext(ctx))
    })
}

Step 6: Secure Your Endpoints

Apply the middleware to secure your API endpoints.

go
http.Handle("/protected", AuthMiddleware(http.HandlerFunc(ProtectedEndpoint)))

func ProtectedEndpoint(w http.ResponseWriter, r *http.Request) {
    username := r.Context().Value("username").(string)
    w.Write([]byte("Welcome " + username))
}

By following these steps, you can secure your RESTful APIs using JWT in Go. This implementation covers the basics of generating and validating tokens, as well as protecting your API endpoints with middleware. Always remember to follow best practices for securing your tokens and handling sensitive data.