This blog post provides a comprehensive guide on implementing JWT authentication in a Go web application. It covers various aspects of the implementation process, from setting up the project, installing required packages to implementing JWT middleware using the Gin Gonic framework.
JWT (short for JSON Web Token) authentication is a popular method for securing web applications and APIs. A JWT is a digitally signed token that contains a set of claims or statements about a user, such as their identity or authorization level. When a user logs in to a web application, the server generates a JWT and sends it back to the client, storing it in a cookie or local storage. The client then sends the JWT with each subsequent request to the server, which verifies the token and uses the user data in the token’s claims to authorize the request.
JWT is a widely used authentication standard supported by many programming languages and frameworks. Using JWT in Go can simplify authentication and provide a secure way to transmit user data between the client and server. Go’s strong typing and support for concurrency make it well-suited for building scalable and secure web applications, and using JWT can be a useful tool in this regard.
In this blog, we will explore how to implement JWT authentication in a Go web application. We will start by setting up the project and installing the required packages. Then, we will look at how to generate a JWT token and how to authenticate it. We will also implement a middleware to protect our routes, and look at how to store the JWT in a cookie for added security. By the end of this blog, you should have a good understanding of how to use JWT authentication in your Go web applications.
Before we can begin implementing JWT authentication in our Go web application, we first need to make sure that Go is installed on our system. You can download and install the latest version of Go from the official Go website: golang.org/dl. You can follow our guide on how to install and set up Go: https://rekib-ahmed023.hashnode.dev/installing-and-setting-up-go-for-development
Once Go is installed, we can create a new project directory and initialize it as a Go module. We can do this by running the following commands in our terminal:
mkdir go-jwt-authentication
cd go-jwt-authentication
go mod init go-jwt-authentication
This will create a new directory called go-jwt-authentication, and initialize it as a Go module with the module path go-jwt-authentication.
We will also need to install some additional packages to work with JWT in Go. The two main packages we will be using are jwt-go for generating and verifying JWT tokens, and gin for handling HTTP requests and routing. We can install these packages using the go get command:
go get github.com/dgrijalva/jwt-go
go get github.com/gin-gonic/gin
Now that we have our project directory set up and our dependencies installed, we can start creating our Go web application. We can create a new file called main.go in the root directory of our project, and start by importing the necessary packages:
Next, we can define our main function and start configuring our HTTP server using the gin package:
To start the project, run the following command:
go run main.go
We will come back to defining our routes in later sections of the blog. For now, we have successfully set up our Go project and installed the necessary packages to start implementing JWT authentication in our web application.
When building any Go project, it’s important to follow a well-organized directory structure to maintain code readability, scalability, and maintainability. Here’s an example project structure we’ll be following for our JWT authentication implementation:
├── controllers
│ ├── authController.go
│ └── userController.go
├── database
│ └── connection.go
├── helpers
│ ├── config.go
│ ├── cookieHelper.go
│ └── tokenHelper.go
├── middleware
│ └── authMiddleware.go
├── models
│ └── userModel.go
├── routes
│ ├── authRouter.go
│ └── userRouter.go
├── serializers
│ └── serializers.go
├── go.mod
├── go.sum
├── main.go
└── Makefile
This project structure organizes the code by functionality, separating the database connection code from the controllers and middleware code. The routes directory contains the routing configuration for the API endpoints, while the models directory contains the data models used in the application. The helpers directory contains utility functions for handling JWT tokens and cookies, while the serializers directory contains functions for serializing and deserializing data between the application and the client.
In this section, we will create a User model using Go's gorm package. The User model will define the fields that we want to store in our database for each user. We'll be using the gorm.Model struct, which contains the default fields of id, created_at, updated_at, and deleted_at.
Our User model will also include the following fields:
Here’s what the User model implementation might look like:
In this implementation, we’ve defined the fields using struct tags, which are used to add metadata to the struct fields. We’ve added the json tag to specify the JSON key for each field, and the validate tag to add validation rules for each field. We've also added the gorm tag to specify the database constraints for the Email field.
By defining our model using struct tags, we can easily serialize and deserialize our model to and from JSON, and we can also easily validate the incoming data before storing it in our database.
Once we have our project structure set up and our user model ready, we can connect to our database using Go’s gorm package. We will create a connection.go file in the database directory, which will handle the database connection and provide a DB object that we can use throughout the application.
Here, we will be using Docker to run our Postgres container. First, make sure that Docker is installed on your system. You can download and install Docker from the official Docker website: docker.com/get-started.
Once Docker is installed, we can create a new container for our Postgres database using the following command:
docker run --name postgres15 -p 5433:5432 -e POSTGRES_USER=myuser -e POSTGRES_PASSWORD=mypassword -d postgres:15-alpine
To simplify the setup process, we can create a Makefile that includes the necessary commands to run the PostgreSQL container and create a new database. This way, we can quickly and easily set up our database without having to manually execute each command.
Here is an example of what the Makefile might look like:
Next, we can create a connection.go file in the database directory with the following code:
Before explaining the code above, let’s create a helpers/config.go file that will contain the necessary environment variables mapping used in our application.
In this file, we are using the godotenv package to load the environment variables from the .env file. We then map the environmental variables to the AppConfig struct.
Coming to the connection.go file, to connect to the database, the Connect() function handles the database connection process. It creates a formatted string called dsn that contains the necessary information to connect to the PostgreSQL database. We are using the values set in our helpers package to create this string.
Then, it opens the database connection using the () function from the gorm package. The first argument to this function is the postgres package and the second argument is an empty gorm.Config{} struct.
If there are any errors during the database connection process, the panic() function will be called, which will stop the program execution.
If the connection is successful, the log package will print a message indicating that the connection was established. Then, it sets the log level of the GORM logger and auto-migrates the User model to create the necessary database tables. Finally, it sets the Database variable to the instance of the connected database.
We will then call this Connect() function inside the main.go file to establish a connection:
To generate JWT tokens in Go, we will be using the jwt-go package. First, we need to define a function that takes a user object and returns a signed JWT token. Here is an example implementation of such a function:
In this example, we define a function called GenerateToken that takes a User object and a string tokenType, and returns a signed JWT token. We set the expiration time for the access token to 1 hour from the current time and 7 days from the current time for the refresh token, and create a set of JWT claims that includes the user's id, the user's email, the expiration time, and the issuer of the token. We then create a new token using the jwt-go package, specifying the HS256 algorithm for signing the token and passing it in the JWT claims. Finally, we sign the token using our secret key and return the signed token.
The JWT claims is a struct that looks like this:
To verify JWT tokens in Go, we will also be using the jwt-go package. We can define a function that takes a JWT token and our secret key, and returns the claims contained in the token if it is valid. Here is an example implementation of such a function:
In this example, we define a function called ValidateToken that takes a JWT token as a string and returns the claims contained in the token if it is valid. We first parse the token using the jwt-go package, specifying the Claims struct to decode the JWT claims. We then verify that the token is signed using the HS256 algorithm and our secret key. If the token is valid, we return the decoded claims. If the token is invalid, we return an error.
With these two functions, we can generate and verify JWT tokens in our Go web application, and use them to implement authentication and authorization in our API.
In the previous section, we learned how to create and validate JWT tokens in Go. In this section, we will explore how to implement JWT middleware for Go.
Middleware is a way to intercept requests and responses in the HTTP request-response cycle. It provides a mechanism to execute additional logic before or after an HTTP request is processed by a handler. Middleware can be used to perform tasks such as logging, authentication, authorization, rate limiting, and caching.
Gin Gonic is a popular web framework for Go that includes middleware support out of the box. Middleware functions can be added to individual routes or to all routes using the Use() method.
Here’s an example of adding a middleware function to a route in Gin:
Here we define two sets of routes, AuthRoutes and UserRoutes. AuthRoutes handles the routes for authentication, whereas the UserRoutes contains the protected routes for user details. We will come back to defining our routes in later sections of the blog. For now, we will focus on the AuthMiddleware middleware. Here's an example of a JWT middleware function in Gin Gonic:
In this example, the AuthMiddleware() function is added as middleware to the routes UserRoutes. If the middleware logic fails (i.e. the JWT token is invalid), the middleware function aborts the request and returns an error response. If the authentication succeeds, the middleware function sets the UserID parsed from the JWT token and passes control to the next handler in the chain.
In conclusion, we have covered the initial setup of the project, including installing Go and the required dependencies, creating a new project, and adding the necessary packages. We also set up the database connection and migrated the user model. We then implemented JWT authentication by creating and validating tokens and adding middleware to protect routes. By the end of Part 1, we have a solid foundation to build upon for the rest of the series, where we will cover storing JWT in cookies and creating authentication routes.