authboss-sample's Introduction

Authboss Sample

A sample implementation of authboss.

This is a simple blogging engine with a few basic features:

  • Authentication provided by Authboss (all modules enabled with the exception of expire)
  • Some examples of overridden Authboss views.
  • CRUD for an in-memory storage of blogs.
  • Flash Messages
  • CSRF Protection (including authboss routes)
  • Support for API style JSON requests and responses (-api flag)
  • Various levels of debugging to see what's going wrong (-debug* flags)

Uses the following default libraries:

Disclaimer

This sample is NOT a seed project. Do not use it as one. It is used as an example of how to use the Authboss API. This means if you copy-paste code from this sample you are likely opening yourself up to various security holes, bad practice, and bad design. It's a demonstration of the surface API of Authboss and how the library can be used to make a functioning web project.

authboss-sample's People

Contributors

aarondl, dependabot[bot], frederikhors, golliher, jmhodges, kris-runzer, mkp7


authboss-sample's Issues

login and register submission return blank pages.

Form submission always returns a blank page. No modifications are made to the project.

2016/07/24 16:49:33 Failed to validate XSRF Token: The CSRF token in the cookie doesn't match the one received in a form/header.

Bug occur when server restarts and browser sends back session data

How to reproduce the bug: the server first had some valid users (registered and confirmed with the usual routine) and then restarts (losing all user information); when you try to access an authed route with the original session (cookie), the server encounters an exception.


Two ways to stop this from happening:

  • Delete the ab_blog cookie before issuing a request to an authed route after the restart
  • Register a new account before issuing a request after the restart

It appears that in the function layoutData or the dataInjector, even if it failed to load the current user, its context still contains the pid value, but I am not sure if this was related.

I am new to Go and don't really know how to modify the context to remove the pid. Could you briefly explain how to do it, or any other way to resolve this issue?

Add cookie store MaxAge sample to avoid being misleading.

Propose adding cstore.Options.MaxAge(xxx) to the sample.

In the sample, it says:

	sessionStore = abclientstate.NewSessionStorer(sessionCookieName, sessionStoreKey, nil)
	cstore := sessionStore.Store.(*sessions.CookieStore)
	cstore.Options.HttpOnly = false
	cstore.Options.Secure = false

So we wrote cstore.Options.Maxage = 2654000 in the project, but kept getting 500 errors because the cookie was expired. (BTW, is returning 500 on cookie expiry too much?) Then we found that the session store's MaxAge is the value we set, but the MaxAge in securecookie is still using the initial value (12 hours). Eventually, we found the Maxage setter function in the source code. Apparently, to set MaxAge, we should use cstore.Options.Maxage(265400) rather than assigning the value directly.

It took us several hours to dig it out. I think it would be good to add the correct usage in the sample.

Unable to compile

Sorry to bother you again but I cannot make your sample work.

My error is:

~/Projects/go/ » go version
go version go1.6.2 linux/amd64
~/Projects/go/ » echo $GOPATH
/home/albin/Projects/go
~/Projects/go/ » go get github.com/go-authboss/authboss-sample    
~/Projects/go/src/github.com/go-authboss/authboss-sample » go run blog.go
# command-line-arguments
./blog.go:45: undefined: NewMemStorer
./blog.go:82: undefined: NewCookieStorer
./blog.go:83: undefined: NewSessionStorer
./blog.go:129: undefined: cookieStore
./blog.go:130: undefined: sessionStore
./blog.go:145: undefined: authProtect
./blog.go:146: undefined: authProtect
./blog.go:150: undefined: authProtect
./blog.go:151: undefined: authProtect
./blog.go:199: undefined: blogs
./blog.go:151: too many errors

I don't really understand, as for example NewMemStorer, which is in storer.go, is in the same package as blog.go. It should find it, no? What am I missing? Something wrong with my setup?

Sample tests will help new users effectively use authboss

It is kind of hard for new Go programmers to figure out how to write tests.

In the case of authboss, it is not really clear how one could mock authboss for their tests.

If you need help, I can put some time into it. But it would be nice to receive some suggestions on how you best envision users of authboss mocking authboss for their tests.

Content-Type application/json error: "failed to redirect user during authboss.Middleware redirect: template for page redirect not found"

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (volatiletech/authboss#210).

Let's take authboss-sample (https://github.com/volatiletech/authboss-sample).

If I use it via the browser it works. If I visit localhost:3000/blogs/new it redirects to the /login page, which is what I want.

But if I use Postman (or a JavaScript client) and, for example, call POST localhost:3000/blogs/new or maybe GET localhost:3000/blogs/new, it panics:

GET /blogs/new HTTP/1.1
2019-01-05T17:22:17Z [INFO]: redirecting unauthorized user to login from: /blogs/new
2019-01-05T17:22:17Z [EROR]: failed to redirect user during authboss.Middleware redirect: template for page redirect not found
github.com/volatiletech/authboss-renderer.(*HTML).Render
        C:/Users/Fred/go/pkg/mod/github.com/volatiletech/[email protected]/html.go:95
github.com/volatiletech/authboss/defaults.Redirector.redirectAPI
        C:/Users/Fred/go/pkg/mod/github.com/volatiletech/[email protected]+incompatible/defaults/responder.go:103
github.com/volatiletech/authboss/defaults.Redirector.redirectAPI-fm
        C:/Users/Fred/go/pkg/mod/github.com/volatiletech/[email protected]+incompatible/defaults/responder.go:71
github.com/volatiletech/authboss/defaults.(*Redirector).Redirect
        C:/Users/Fred/go/pkg/mod/github.com/volatiletech/[email protected]+incompatible/defaults/responder.go:74
github.com/volatiletech/authboss.MountedMiddleware2.func1.1.1
        C:/Users/Fred/go/pkg/mod/github.com/volatiletech/[email protected]+incompatible/authboss.go:190
github.com/volatiletech/authboss.MountedMiddleware2.func1.1
        C:/Users/Fred/go/pkg/mod/github.com/volatiletech/[email protected]+incompatible/authboss.go:203
net/http.HandlerFunc.ServeHTTP
        C:/Go/src/net/http/server.go:1964
github.com/go-chi/chi.(*ChainHandler).ServeHTTP
        C:/Users/Fred/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/chain.go:31
github.com/go-chi/chi.(*Mux).routeHTTP
        C:/Users/Fred/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/mux.go:424
github.com/go-chi/chi.(*Mux).routeHTTP-fm
        C:/Users/Fred/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/mux.go:368
net/http.HandlerFunc.ServeHTTP
        C:/Go/src/net/http/server.go:1964
main.dataInjector.func1
        D:/go/authboss-sample/blog.go:309
net/http.HandlerFunc.ServeHTTP
        C:/Go/src/net/http/server.go:1964
github.com/volatiletech/authboss/remember.Middleware.func1.1
        C:/Users/Fred/go/pkg/mod/github.com/volatiletech/[email protected]+incompatible/remember/remember.go:80
net/http.HandlerFunc.ServeHTTP
        C:/Go/src/net/http/server.go:1964
github.com/volatiletech/authboss.(*Authboss).LoadClientStateMiddleware.func1
        C:/Users/Fred/go/pkg/mod/github.com/volatiletech/[email protected]+incompatible/client_state.go:132
net/http.HandlerFunc.ServeHTTP
        C:/Go/src/net/http/server.go:1964
main.logger.func1
        D:/go/authboss-sample/middleware.go:59
net/http.HandlerFunc.ServeHTTP
        C:/Go/src/net/http/server.go:1964
github.com/go-chi/chi.(*Mux).ServeHTTP
        C:/Users/Fred/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/mux.go:81
net/http.serverHandler.ServeHTTP
        C:/Go/src/net/http/server.go:2741
net/http.(*conn).serve
        C:/Go/src/net/http/server.go:1847
runtime.goexit
        C:/Go/src/runtime/asm_amd64.s:1333

Why this behaviour?

If I remove the Content-Type: application/json from the request it redirects again, but that is not what I need.
I need a 401 HTTP status code so I can handle the error in my JavaScript client.

I don't need the API mode. I just need to use authboss in the browser with templates and all, which is amazing (thanks again!).

Same problem using Middleware2.

Is what I need wrong?

Same on authboss: volatiletech/authboss#208
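The two failure modes reported above, a session cookie whose pid no longer exists in the store after a restart, and a JSON client that gets a failed HTML redirect instead of a 401, can be handled by one guard. The following Go middleware is an added example, not the sample's or authboss's own code: it uses only the standard library, takes the raw ab_blog cookie value as a stand-in for the decoded session pid, and the userStore type and the alice@example.com account are constructed for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/url"
	"strings"
)

// userStore stands in for the sample's in-memory MemStorer (a constructed
// stand-in, not the sample's own type); a restart starts it empty again.
type userStore struct{ users map[string]bool }

// sessionPID returns the "pid" the sample keeps in its session. Here the raw
// cookie value stands in for the decoded session (assumption for the example).
func sessionPID(r *http.Request) string {
	c, err := r.Cookie("ab_blog")
	if err != nil {
		return ""
	}
	return c.Value
}

// wantsJSON reports whether the caller is an API client; that request shape is
// what made the sample try to render a "redirect" HTML page and fail.
func wantsJSON(r *http.Request) bool {
	return strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") ||
		strings.Contains(r.Header.Get("Accept"), "application/json")
}

// requireUser plays the role of the sample's authProtect, with two changes:
//  1. a session whose pid is unknown (store lost on restart) is treated as
//     logged out and its cookie expired instead of crashing the handler;
//  2. API clients get 401 with a JSON body instead of an HTML redirect attempt.
func (s *userStore) requireUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		pid := sessionPID(r)
		if pid != "" && s.users[pid] {
			next.ServeHTTP(w, r) // known user: proceed
			return
		}
		if pid != "" { // stale session: tell the browser to drop the cookie
			http.SetCookie(w, &http.Cookie{Name: "ab_blog", Path: "/", MaxAge: -1, HttpOnly: true})
		}
		if wantsJSON(r) {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"status": "failure", "error": "login required"})
			return
		}
		http.Redirect(w, r, "/login?redir="+url.QueryEscape(r.URL.Path), http.StatusFound)
	})
}

func main() {
	s := &userStore{users: map[string]bool{"alice@example.com": true}} // constructed account
	form := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("new post form")) })
	http.ListenAndServe(":3000", s.requireUser(form))
}
```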

Not redirecting after login

go version: go1.10.3 windows/amd64
authboss branch: master
authboss-sample branch: master

Issue
When I go to the site, login and attempt to create a new post I get redirected to the login page. I re-enter the login information but get redirected to the login page again.
What I expected was to see the "create post" page.

Detailed Steps

  1. cloned repo from master branch
  2. get deps with go get ./...
  3. build application with go build
  4. started application
  5. in browser went to http://localhost:3000
  6. click "login"
  7. Enter [email protected] / 1234
  8. Try and create a new post

Using this with echo?

I tried to incorporate this example into echo but a lot of things seem to break.
Do you have an example somewhere of this with echo?

cryptographically hash passwords

Since this is an exemplar package, it would be good for it to demonstrate how to store passwords securely with bcrypt or similar.

Integrate SQLBoiler Question

I am very new to this and trying to learn. I am integrating SQLBoiler into the sample. My SQL migration file is:

-- +migrate Up
CREATE TABLE users (
    id SERIAL PRIMARY KEY,
    name text,

    -- Auth
    email    text NOT NULL UNIQUE,
    password text NOT NULL,

    -- Confirm
    Confirm_Selector text,
    Confirm_Verifier text,
    Confirmed        BOOLEAN DEFAULT 'f',

    -- Lock
    Attempt_Count INT,
    Last_Attempt  DATE,
    Locked        DATE,

    -- Recover
    Recover_Selector     text,
    Recover_Verifier     text,
    Recover_Token_Expiry DATE,

    -- OAuth2
    O_Auth2_U_I_D         text,
    O_Auth2_Provider      text,
    O_Auth2_Access_Token  text,
    O_Auth2_Refresh_Token text,
    O_Auth2_Expiry        DATE,

    -- 2fa
    T_O_T_P_Secret_Key      text,
    S_M_S_Phone_Number      text,
    S_M_S_Seed_Phone_Number text,
    Recovery_Codes          text
);

-- +migrate Down
DROP TABLE users;

This produced the following User in package models:

// User is an object representing the database table.
type User struct {
	ID                 int         `boil:"id" json:"id" toml:"id" yaml:"id"`
	Name               null.String `boil:"name" json:"name,omitempty" toml:"name" yaml:"name,omitempty"`
	Email              string      `boil:"email" json:"email" toml:"email" yaml:"email"`
	Password           string      `boil:"password" json:"password" toml:"password" yaml:"password"`
	ConfirmSelector    null.String `boil:"confirm_selector" json:"confirm_selector,omitempty" toml:"confirm_selector" yaml:"confirm_selector,omitempty"`
	ConfirmVerifier    null.String `boil:"confirm_verifier" json:"confirm_verifier,omitempty" toml:"confirm_verifier" yaml:"confirm_verifier,omitempty"`
	Confirmed          null.Bool   `boil:"confirmed" json:"confirmed,omitempty" toml:"confirmed" yaml:"confirmed,omitempty"`
	AttemptCount       null.Int    `boil:"attempt_count" json:"attempt_count,omitempty" toml:"attempt_count" yaml:"attempt_count,omitempty"`
	LastAttempt        null.Time   `boil:"last_attempt" json:"last_attempt,omitempty" toml:"last_attempt" yaml:"last_attempt,omitempty"`
	Locked             null.Time   `boil:"locked" json:"locked,omitempty" toml:"locked" yaml:"locked,omitempty"`
	RecoverSelector    null.String `boil:"recover_selector" json:"recover_selector,omitempty" toml:"recover_selector" yaml:"recover_selector,omitempty"`
	RecoverVerifier    null.String `boil:"recover_verifier" json:"recover_verifier,omitempty" toml:"recover_verifier" yaml:"recover_verifier,omitempty"`
	RecoverTokenExpiry null.Time   `boil:"recover_token_expiry" json:"recover_token_expiry,omitempty" toml:"recover_token_expiry" yaml:"recover_token_expiry,omitempty"`
	OAuth2UID          null.String `boil:"o_auth2_u_i_d" json:"o_auth2_u_i_d,omitempty" toml:"o_auth2_u_i_d" yaml:"o_auth2_u_i_d,omitempty"`
	OAuth2Provider     null.String `boil:"o_auth2_provider" json:"o_auth2_provider,omitempty" toml:"o_auth2_provider" yaml:"o_auth2_provider,omitempty"`
	OAuth2AccessToken  null.String `boil:"o_auth2_access_token" json:"o_auth2_access_token,omitempty" toml:"o_auth2_access_token" yaml:"o_auth2_access_token,omitempty"`
	OAuth2RefreshToken null.String `boil:"o_auth2_refresh_token" json:"o_auth2_refresh_token,omitempty" toml:"o_auth2_refresh_token" yaml:"o_auth2_refresh_token,omitempty"`
	OAuth2Expiry       null.Time   `boil:"o_auth2_expiry" json:"o_auth2_expiry,omitempty" toml:"o_auth2_expiry" yaml:"o_auth2_expiry,omitempty"`
	TOTPSecretKey      null.String `boil:"t_o_t_p_secret_key" json:"t_o_t_p_secret_key,omitempty" toml:"t_o_t_p_secret_key" yaml:"t_o_t_p_secret_key,omitempty"`
	SMSPhoneNumber     null.String `boil:"s_m_s_phone_number" json:"s_m_s_phone_number,omitempty" toml:"s_m_s_phone_number" yaml:"s_m_s_phone_number,omitempty"`
	SMSSeedPhoneNumber null.String `boil:"s_m_s_seed_phone_number" json:"s_m_s_seed_phone_number,omitempty" toml:"s_m_s_seed_phone_number" yaml:"s_m_s_seed_phone_number,omitempty"`
	RecoveryCodes      null.String `boil:"recovery_codes" json:"recovery_codes,omitempty" toml:"recovery_codes" yaml:"recovery_codes,omitempty"`

	R *userR `boil:"-" json:"-" toml:"-" yaml:"-"`
	L userL  `boil:"-" json:"-" toml:"-" yaml:"-"`
}

Does it look right? I am assuming that I can simply import the models package into the main package in the storer.go file.

CookieStorer, SessionStorer invalid types for CookieState, SessionState

Hey there, my code fails when I use the pattern provided in https://github.com/volatiletech/authboss-sample/blob/master/blog.go#L66. Here's what my code looks like:

import (
	"github.com/volatiletech/authboss"
	abclientstate "github.com/volatiletech/authboss-clientstate"

)

var sessionStore abclientstate.SessionStorer
var cookieStore abclientstate.CookieStorer

authBoss.Config.Storage.CookieState = cookieStore
authBoss.Config.Storage.SessionState = sessionStore

This is the error:

./main.go:91:38: cannot use cookieStore (type abclientstate.CookieStorer) as type "github.com/drshrey/scobophile/scobophile-go-api/vendor/github.com/volatiletech/authboss".ClientStateReadWriter in assignment:
        abclientstate.CookieStorer does not implement "github.com/drshrey/scobophile/scobophile-go-api/vendor/github.com/volatiletech/authboss".ClientStateReadWriter (wrong type for ReadState method)
                have ReadState(*http.Request) ("github.com/volatiletech/authboss".ClientState, error)
                want ReadState(*http.Request) ("github.com/drshrey/scobophile/scobophile-go-api/vendor/github.com/volatiletech/authboss".ClientState, error)
./main.go:92:39: cannot use sessionStore (type abclientstate.SessionStorer) as type "github.com/drshrey/scobophile/scobophile-go-api/vendor/github.com/volatiletech/authboss".ClientStateReadWriter in assignment:
        abclientstate.SessionStorer does not implement "github.com/drshrey/scobophile/scobophile-go-api/vendor/github.com/volatiletech/authboss".ClientStateReadWriter (wrong type for ReadState method)
                have ReadState(*http.Request) ("github.com/volatiletech/authboss".ClientState, error)
                want ReadState(*http.Request) ("github.com/drshrey/scobophile/scobophile-go-api/vendor/github.com/volatiletech/authboss".ClientState, error)

Versions of both packages:

[[constraint]]
  name = "github.com/volatiletech/authboss"
  version = "2.3.0"

[[constraint]]
  branch = "master"
  name = "github.com/volatiletech/authboss-clientstate"

Any reason why the types don't match? I checked out the definitions and they do seem to implement the ClientStateReadWriter interface, so help here would be much appreciated!

Registration doesn't work

Hey,
using http://localhost:8080/auth/register to register a new user doesn't seem to work. After the POST, there is no new user in the MemStorer, only the default one.
There is also no activity about a confirmation mail.
Since ab.Mailer = authboss.LogMailer(os.Stdout) is set, I was expecting to see at least something about it in the console.
Is there something to configure first?

Thanks
Kai

change default password length

Since this is an exemplar project, it would be good for it to set a safe minimum password length. Currently, it sets it to 4 characters, which is too short.

A preferable value, following NIST guidelines and other sources, is 8 characters minimum.

mailer setup problem

There is just a simple mistake in the sample code:
in blog.go line 103
ab.Config.Core.Mailer = defaults.LogMailer{}

in blog.go line 117
defaults.SetCore(&ab.Config, *flagAPI, false)

it overrides the mailer with its default...
I mean, if you change line 103 to use your own mailer implementation (in my case Mailgun)

ab.Config.Core.Mailer = mailgunmailer

it will be overridden by the default mailer, which is the stdout logger...

Thanks 👍

When flagAPI is on, cannot confirm by clicking confirming url

GET /auth/confirm HTTP/1.1
2018-10-08T10:37:36Z [EROR]: request error from (127.0.0.1:48610) /confirm?cnf=token-value....
: unexpected end of JSON input
failed to parse json http body

But doing a GET with a JSON body works

curl  -X GET -H "Content-Type: application/json" localhost:3000/auth/confirm -d '{"cnf": "token-value..."}'

I guess it's caused by [1]; how do I disable the configured BodyReader for a certain URL?

[1] https://github.com/volatiletech/authboss-sample/blob/master/blog.go#L139

edit: add content-type header
