This is a boilerplate for creating RESTful API services in Golang. It includes:
- Authorization using JWT tokens embedded within Cookies
- CSRF protection
- Standardized JSON responses
- Logging using Logrus
- Configuration using Viper
- Commands using Cobra
- Example of structuring database logic/schemas
- Clone the project
- Copy `config.example.yaml` and rename the new version as `config.yaml`
- Configure `config.yaml` to your needs
- Get all of the dependencies by executing `go get ./...` in your project root directory & run!
- `/api` is the app entry point, and defines the app's routes
- `/handlers` contains all handlers
- `/helpers` contains helper files & functions to assist handlers
- `/storage` consists of the database client, and database schemas
- `/util` contains the app's console commands and configuration
For this boilerplate I have decided to use cookies to carry the JWT token. The cookie is intended to store only the JWT, since the more client state the cookie maintains, the further this drifts from being a RESTful API. If you nevertheless want to keep non-sensitive data in this cookie, embed it as claims inside the JWT rather than as extra cookie fields: the token's signature then covers that data, so a client cannot alter it without invalidating the token.
Cookies also benefit from protections the browser enforces. Setting `httpOnly: true` restricts the cookie to HTTP requests, so script running in the page (including script injected through XSS) cannot read the token. Note the limit of this: a script can still make requests that the browser will attach the cookie to, and because browsers send cookies automatically on cross-site requests, cookie-based authentication is exactly why the CSRF protection listed above is included. Setting `secure: true` and a `SameSite` attribute on the cookie narrows the exposure further.
Without transport encryption the token is still exposed in transit: an attacker may redirect the client through their own server before forwarding the traffic to the API, or, on an open and unsecured network, simply sniff the traffic. I would recommend using TLS (HTTPS) for transport so this data is encrypted. Caddy Server will make life much easier, since it obtains and renews certificates automatically.
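As an added example (not code from this boilerplate), the following shows the cookie-and-JWT pattern described above using only the Go standard library: an HS256 token whose claims carry the non-sensitive `role` data, a cookie that holds nothing but that token with `HttpOnly`, `Secure` and `SameSite` set, a middleware that rejects missing, forged, expired or `alg:none` tokens, and a helper that drives the middleware in-process. The secret, cookie name, route and claim values are constructed for the example and are assumptions, not the project's own names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed demo secret; the boilerplate would load it from config.yaml.
var secret = []byte("change-me-in-config-yaml")
var b64 = base64.RawURLEncoding // JWT uses URL-safe base64 without padding
const cookieName, jwtHeader = "token", `{"alg":"HS256","typ":"JWT"}`

// Claims is all the cookie carries; Role rides inside the signed token, so editing it breaks the signature.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"` // Unix seconds
}

func hs256(input string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// Sign produces a compact HS256 JWT: header.payload.signature.
func Sign(c Claims) string {
	payload, _ := json.Marshal(c) // cannot fail for a plain struct of strings and ints
	input := b64.EncodeToString([]byte(jwtHeader)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(hs256(input))
}

// Verify pins the header (rejecting alg=none), checks the HMAC in constant time, then expiry.
func Verify(token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != b64.EncodeToString([]byte(jwtHeader)) {
		return c, errors.New("malformed token or unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1])) {
		return c, errors.New("signature mismatch")
	}
	if payload, err := b64.DecodeString(parts[1]); err != nil {
		return c, err
	} else if err = json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

// SetAuthCookie stores only the JWT: HttpOnly keeps it from script, Secure keeps it
// off plain HTTP, and SameSite=Strict keeps the browser from sending it cross-site.
func SetAuthCookie(w http.ResponseWriter, token string, exp time.Time) {
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: token, Path: "/", Expires: exp,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
}

// RequireAuth runs next only when the request carries a valid token cookie.
func RequireAuth(next func(http.ResponseWriter, *http.Request, Claims)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ck, err := r.Cookie(cookieName)
		if err != nil {
			http.Error(w, `{"error":"missing token"}`, http.StatusUnauthorized)
			return
		}
		claims, err := Verify(ck.Value, time.Now())
		if err != nil {
			http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
			return
		}
		next(w, r, claims)
	}
}

// StatusFor pushes a request with the given cookie value through RequireAuth in-process and returns the status.
func StatusFor(cookieValue string) int {
	h := RequireAuth(func(w http.ResponseWriter, _ *http.Request, c Claims) { w.Write([]byte(c.Sub)) })
	req := httptest.NewRequest("GET", "/api/me", nil)
	req.AddCookie(&http.Cookie{Name: cookieName, Value: cookieValue})
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// Tamper rewrites the payload to role=admin without re-signing, as a client editing the cookie would.
func Tamper(token string) string {
	parts := strings.Split(token, ".")
	parts[1] = b64.EncodeToString([]byte(`{"sub":"alice","role":"admin","exp":4102444800}`))
	return strings.Join(parts, ".")
}
```

A client that edits the payload to `role=admin` without the key produces a token `Verify` rejects on the signature, so `StatusFor(Tamper(tok))` returns 401 while the genuine token gets 200. The `Secure` flag only does its job behind HTTPS, which is why the transport advice above still matters once `HttpOnly` is set.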