logo Buffalo slack logo
Local Authentication
Guides

Local Authentication

In many use-cases, you’ll need to implement user authentication in your apps.

Buffalo had a native support for Auth until version v0.9.4. Since then, it was moved into it’s own plugin, https://github.com/gobuffalo/buffalo-auth.

Installation

To install the buffalo-auth plugin, run the following command at your project route:

$ buffalo plugins install github.com/gobuffalo/buffalo-auth

Generator

$ buffalo g auth

create  models/user.go
create  models/user_test.go
    run  goimports -w actions/actions_test.go actions/app.go actions/home.go actions/home_test.go actions/render.go grifts/db.go grifts/init.go main.go models/models.go models/models_test.go models/user.go models/user_test.go
create  migrations/20180910062057_create_users.up.fizz
create  migrations/20180910062057_create_users.down.fizz
create  actions/auth.go
create  actions/auth_test.go
create  actions/users.go
create  actions/users_test.go
create  models/user_test.go
create  actions/home_test.go
create  templates/auth/new.html
create  templates/index.html
create  templates/users/new.html

Example Usage

Actions

// actions/app.go
package actions

import (
  "github.com/gobuffalo/buffalo"
  "github.com/gobuffalo/buffalo/middleware"
  "github.com/gobuffalo/buffalo/middleware/ssl"
  "github.com/gobuffalo/envy"
  "github.com/unrolled/secure"

  "coke/models"

  "github.com/gobuffalo/buffalo/middleware/csrf"
  "github.com/gobuffalo/buffalo/middleware/i18n"
  "github.com/gobuffalo/packr"
)

// ENV is used to help switch settings based on where the
// application is being run. Default is "development".
var ENV = envy.Get("GO_ENV", "development")
var app *buffalo.App
var T *i18n.Translator

// App is where all routes and middleware for buffalo
// should be defined. This is the nerve center of your
// application.
func App() *buffalo.App {
  if app == nil {
    app = buffalo.New(buffalo.Options{
      Env:         ENV,
      SessionName: "_coke_session",
    })
    // Automatically redirect to SSL
    app.Use(forceSSL())

    if ENV == "development" {
      app.Use(middleware.ParameterLogger)
    }

    // Protect against CSRF attacks. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
    // Remove to disable this.
    app.Use(csrf.New)

    // Wraps each request in a transaction.
    //  c.Value("tx").(*pop.PopTransaction)
    // Remove to disable this.
    app.Use(middleware.PopTransaction(models.DB))

    // Setup and use translations:
    app.Use(translations())

    app.GET("/", HomeHandler)

    app.Use(SetCurrentUser)
    app.Use(Authorize)
    app.GET("/users/new", UsersNew)
    app.POST("/users", UsersCreate)
    app.GET("/signin", AuthNew)
    app.POST("/signin", AuthCreate)
    app.DELETE("/signout", AuthDestroy)
    app.Middleware.Skip(Authorize, HomeHandler, UsersNew, UsersCreate, AuthNew, AuthCreate)
    app.ServeFiles("/", assetsBox) // serve files from the public directory
  }

  return app
}

// translations will load locale files, set up the translator `actions.T`,
// and will return a middleware to use to load the correct locale for each
// request.
// for more information: https://gobuffalo.io/en/docs/localization
func translations() buffalo.MiddlewareFunc {
  var err error
  if T, err = i18n.New(packr.NewBox("../locales"), "en-US"); err != nil {
    app.Stop(err)
  }
  return T.Middleware()
}

// forceSSL will return a middleware that will redirect an incoming request
// if it is not HTTPS. "http://example.com" => "https://example.com".
// This middleware does **not** enable SSL. for your application. To do that
// we recommend using a proxy: https://gobuffalo.io/en/docs/proxy
// for more information: https://github.com/unrolled/secure/
func forceSSL() buffalo.MiddlewareFunc {
  return ssl.ForceSSL(secure.Options{
    SSLRedirect:     ENV == "production",
    SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
  })
}
// actions/auth.go
package actions

import (
  "database/sql"
  "strings"

    "coke/models"
  "github.com/gobuffalo/buffalo"
  "github.com/gobuffalo/pop"
  "github.com/gobuffalo/validate"
  "github.com/pkg/errors"
  "golang.org/x/crypto/bcrypt"
)

// AuthNew loads the signin page
func AuthNew(c buffalo.Context) error {
  c.Set("user", models.User{})
  return c.Render(200, r.HTML("auth/new.html"))
}

// AuthCreate attempts to log the user in with an existing account.
func AuthCreate(c buffalo.Context) error {
  u := &models.User{}
  if err := c.Bind(u); err != nil {
    return errors.WithStack(err)
  }

  tx := c.Value("tx").(*pop.Connection)

  // find a user with the email
  err := tx.Where("email = ?", strings.ToLower(u.Email)).First(u)

  // helper function to handle bad attempts
  bad := func() error {
    c.Set("user", u)
    verrs := validate.NewErrors()
    verrs.Add("email", "invalid email/password")
    c.Set("errors", verrs)
    return c.Render(422, r.HTML("auth/new.html"))
  }

  if err != nil {
    if errors.Cause(err) == sql.ErrNoRows {
      // couldn't find an user with the supplied email address.
      return bad()
    }
    return errors.WithStack(err)
  }

  // confirm that the given password matches the hashed password from the db
  err = bcrypt.CompareHashAndPassword([]byte(u.PasswordHash), []byte(u.Password))
  if err != nil {
    return bad()
  }
  c.Session().Set("current_user_id", u.ID)
  c.Flash().Add("success", "Welcome Back to Buffalo!")

  return c.Redirect(302, "/")
}

// AuthDestroy clears the session and logs a user out
func AuthDestroy(c buffalo.Context) error {
  c.Session().Clear()
  c.Flash().Add("success", "You have been logged out!")
  return c.Redirect(302, "/")
}
// actions/auth_test.go
package actions

import (
  "coke/models"
)

func (as *ActionSuite) Test_Auth_New() {
  res := as.HTML("/signin").Get()
  as.Equal(200, res.Code)
  as.Contains(res.Body.String(), "Sign In")
}

func (as *ActionSuite) Test_Auth_Create() {
  u := &models.User{
    Email:                "mark@example.com",
    Password:             "password",
    PasswordConfirmation: "password",
  }
  verrs, err := u.Create(as.DB)
  as.NoError(err)
  as.False(verrs.HasAny())

  res := as.HTML("/signin").Post(u)
  as.Equal(302, res.Code)
  as.Equal("/", res.Location())
}

func (as *ActionSuite) Test_Auth_Create_UnknownUser() {
  u := &models.User{
    Email:    "mark@example.com",
    Password: "password",
  }
  res := as.HTML("/signin").Post(u)
  as.Equal(422, res.Code)
  as.Contains(res.Body.String(), "invalid email/password")
}

func (as *ActionSuite) Test_Auth_Create_BadPassword() {
  u := &models.User{
    Email:                "mark@example.com",
    Password:             "password",
    PasswordConfirmation: "password",
  }
  verrs, err := u.Create(as.DB)
  as.NoError(err)
  as.False(verrs.HasAny())

  u.Password = "bad"
  res := as.HTML("/signin").Post(u)
  as.Equal(422, res.Code)
  as.Contains(res.Body.String(), "invalid email/password")
}
// actions/home.go
package actions

import "github.com/gobuffalo/buffalo"

// HomeHandler is a default handler to serve up
// a home page.
func HomeHandler(c buffalo.Context) error {
  return c.Render(200, r.HTML("index.html"))
}
// actions/home_test.go
package actions

import "coke/models"

func (as *ActionSuite) Test_HomeHandler() {
  res := as.HTML("/").Get()
  as.Equal(200, res.Code)
  as.Contains(res.Body.String(), "Sign In")
}

func (as *ActionSuite) Test_HomeHandler_LoggedIn() {
  u := &models.User{
    Email:                "mark@example.com",
    Password:             "password",
    PasswordConfirmation: "password",
  }
  verrs, err := u.Create(as.DB)
  as.NoError(err)
  as.False(verrs.HasAny())
  as.Session.Set("current_user_id", u.ID)

  res := as.HTML("/").Get()
  as.Equal(200, res.Code)
  as.Contains(res.Body.String(), "Sign Out")

  as.Session.Clear()
  res = as.HTML("/").Get()
  as.Equal(200, res.Code)
  as.Contains(res.Body.String(), "Sign In")
}
// actions/users.go
package actions

import (
  "coke/models"
  "github.com/gobuffalo/buffalo"
  "github.com/gobuffalo/pop"
  "github.com/pkg/errors"
)

func UsersNew(c buffalo.Context) error {
  u := models.User{}
  c.Set("user", u)
  return c.Render(200, r.HTML("users/new.html"))
}

// UsersCreate registers a new user with the application.
func UsersCreate(c buffalo.Context) error {
  u := &models.User{}
  if err := c.Bind(u); err != nil {
    return errors.WithStack(err)
  }

  tx := c.Value("tx").(*pop.Connection)
  verrs, err := u.Create(tx)
  if err != nil {
    return errors.WithStack(err)
  }

  if verrs.HasAny() {
    c.Set("user", u)
    c.Set("errors", verrs)
    return c.Render(200, r.HTML("users/new.html"))
  }

  c.Session().Set("current_user_id", u.ID)
  c.Flash().Add("success", "Welcome to Buffalo!")

  return c.Redirect(302, "/")
}

// SetCurrentUser attempts to find a user based on the current_user_id
// in the session. If one is found it is set on the context.
func SetCurrentUser(next buffalo.Handler) buffalo.Handler {
  return func(c buffalo.Context) error {
    if uid := c.Session().Get("current_user_id"); uid != nil {
      u := &models.User{}
      tx := c.Value("tx").(*pop.Connection)
      err := tx.Find(u, uid)
      if err != nil {
        return errors.WithStack(err)
      }
      c.Set("current_user", u)
    }
    return next(c)
  }
}

// Authorize require a user be logged in before accessing a route
func Authorize(next buffalo.Handler) buffalo.Handler {
  return func(c buffalo.Context) error {
    if uid := c.Session().Get("current_user_id"); uid == nil {
      c.Flash().Add("danger", "You must be authorized to see that page")
      return c.Redirect(302, "/")
    }
    return next(c)
  }
}
// actions/users_test.go
package actions

import (
  "coke/models"
)

func (as *ActionSuite) Test_Users_New() {
  res := as.HTML("/users/new").Get()
  as.Equal(200, res.Code)
}

func (as *ActionSuite) Test_Users_Create() {
  count, err := as.DB.Count("users")
  as.NoError(err)
  as.Equal(0, count)

  u := &models.User{
    Email:                "mark@example.com",
    Password:             "password",
    PasswordConfirmation: "password",
  }

  res := as.HTML("/users").Post(u)
  as.Equal(302, res.Code)

  count, err = as.DB.Count("users")
  as.NoError(err)
  as.Equal(1, count)
}

Models

// models/user.go
package models

import (
  "encoding/json"
  "time"

  "github.com/gobuffalo/pop"
  "github.com/gobuffalo/uuid"
  "github.com/gobuffalo/validate"
  "github.com/gobuffalo/validate/validators"
"strings"
"github.com/pkg/errors"
"golang.org/x/crypto/bcrypt"
)

type User struct {
  ID           uuid.UUID `json:"id" db:"id"`
  CreatedAt    time.Time `json:"created_at" db:"created_at"`
  UpdatedAt    time.Time `json:"updated_at" db:"updated_at"`
  Email        string    `json:"email" db:"email"`
  PasswordHash string    `json:"password_hash" db:"password_hash"`
Password string `json:"-" db:"-"`
PasswordConfirmation string `json:"-" db:"-"`
}

// String is not required by pop and may be deleted
func (u User) String() string {
  ju, _ := json.Marshal(u)
  return string(ju)
}

// Users is not required by pop and may be deleted
type Users []User

// String is not required by pop and may be deleted
func (u Users) String() string {
  ju, _ := json.Marshal(u)
  return string(ju)
}

// Validate gets run every time you call a "pop.Validate*" (pop.ValidateAndSave, pop.ValidateAndCreate, pop.ValidateAndUpdate) method.
// This method is not required and may be deleted.
func (u *User) Validate(tx *pop.Connection) (*validate.Errors, error) {
    var err error
    return validate.Validate(
        &validators.StringIsPresent{Field: u.Email, Name: "Email"},
        &validators.StringIsPresent{Field: u.PasswordHash, Name: "PasswordHash"},
        // check to see if the email address is already taken:
        &validators.FuncValidator{
            Field:   u.Email,
            Name:    "Email",
            Message: "%s is already taken",
            Fn: func() bool {
                var b bool
                q := tx.Where("email = ?", u.Email)
                if u.ID != uuid.Nil {
                    q = q.Where("id != ?", u.ID)
                }
                b, err = q.Exists(u)
                if err != nil {
                    return false
                }
                return !b
            },
        },
    ), err
}

// ValidateCreate gets run every time you call "pop.ValidateAndCreate" method.
// This method is not required and may be deleted.
func (u *User) ValidateCreate(tx *pop.Connection) (*validate.Errors, error) {
    var err error
    return validate.Validate(
        &validators.StringIsPresent{Field: u.Password, Name: "Password"},
        &validators.StringsMatch{Name: "Password", Field: u.Password, Field2: u.PasswordConfirmation, Message: "Password does not match confirmation"},
    ), err
}

// ValidateUpdate gets run every time you call "pop.ValidateAndUpdate" method.
// This method is not required and may be deleted.
func (u *User) ValidateUpdate(tx *pop.Connection) (*validate.Errors, error) {
  return validate.NewErrors(), nil
}


// Create wraps up the pattern of encrypting the password and
// running validations. Useful when writing tests.
func (u *User) Create(tx *pop.Connection) (*validate.Errors, error) {
    u.Email = strings.ToLower(strings.TrimSpace(u.Email))
    ph, err := bcrypt.GenerateFromPassword([]byte(u.Password), bcrypt.DefaultCost)
    if err != nil {
        return validate.NewErrors(), errors.WithStack(err)
    }
    u.PasswordHash = string(ph)
    return tx.ValidateAndCreate(u)
}
// models/user_test.go
package models_test

import (
  "coke/models"
)

func (ms *ModelSuite) Test_User_Create() {
  count, err := ms.DB.Count("users")
  ms.NoError(err)
  ms.Equal(0, count)

  u := &models.User{
    Email:                "mark@example.com",
    Password:             "password",
    PasswordConfirmation: "password",
  }
  ms.Zero(u.PasswordHash)

  verrs, err := u.Create(ms.DB)
  ms.NoError(err)
  ms.False(verrs.HasAny())
  ms.NotZero(u.PasswordHash)

  count, err = ms.DB.Count("users")
  ms.NoError(err)
  ms.Equal(1, count)
}

func (ms *ModelSuite) Test_User_Create_ValidationErrors() {
  count, err := ms.DB.Count("users")
  ms.NoError(err)
  ms.Equal(0, count)

  u := &models.User{
    Password: "password",
  }
  ms.Zero(u.PasswordHash)

  verrs, err := u.Create(ms.DB)
  ms.NoError(err)
  ms.True(verrs.HasAny())

  count, err = ms.DB.Count("users")
  ms.NoError(err)
  ms.Equal(0, count)
}

func (ms *ModelSuite) Test_User_Create_UserExists() {
  count, err := ms.DB.Count("users")
  ms.NoError(err)
  ms.Equal(0, count)

  u := &models.User{
    Email:                "mark@example.com",
    Password:             "password",
    PasswordConfirmation: "password",
  }
  ms.Zero(u.PasswordHash)

  verrs, err := u.Create(ms.DB)
  ms.NoError(err)
  ms.False(verrs.HasAny())
  ms.NotZero(u.PasswordHash)

  count, err = ms.DB.Count("users")
  ms.NoError(err)
  ms.Equal(1, count)

  u = &models.User{
    Email:    "mark@example.com",
    Password: "password",
  }
  verrs, err = u.Create(ms.DB)
  ms.NoError(err)
  ms.True(verrs.HasAny())

  count, err = ms.DB.Count("users")
  ms.NoError(err)
  ms.Equal(1, count)
}

Migrations

// migrations/20180910062057_create_users.down.fizz
drop_table("users")
// migrations/20180910062057_create_users.up.fizz
create_table("users") {
  t.Column("id", "uuid", {"primary": true})
  t.Column("email", "string", {})
  t.Column("password_hash", "string", {})
}

Templates

// templates/auth/new.html
<style>
  .auth-wrapper{
    height: 100%;
    display: flex;
    align-items: center;
    justify-content: center;
  }

  .auth-wrapper .sign-form{
    max-width: 350px;
    width: 100%;
    padding: 0 20px;
  }

  .auth-wrapper h1{
    margin-bottom: 20px;
  }
</style>

<div class="auth-wrapper">
  <div class="sign-form">
    <h1>Sign In</h1>

    <%= form_for(user, {action: signinPath()}) { %>
      <%= f.InputTag("Email") %>
      <%= f.InputTag("Password", {type: "password"}) %>
      <button class="btn btn-success">Sign In!</button>
    <% } %>
  </div>
</div>
// templates/new/new.html
<style>
  .auth-wrapper{
    height: 100%;
    display: flex;
    align-items: center;
    justify-content: center;
  }

  .auth-wrapper .sign-form{
    max-width: 350px;
    width: 100%;
    padding: 0 20px;
  }

  .auth-wrapper h1{
    margin-bottom: 20px;
  }
</style>

<div class="auth-wrapper">
  <div class="sign-form">
    <h1>register</h1>

    <%= form_for(user, {action: userspath()}) { %>
      <%= f.inputtag("email") %>
      <%= f.inputtag("password", {type: "password"}) %>
      <%= f.inputtag("passwordconfirmation", {type: "password"}) %>

      <button class="btn btn-success">register!</button>
    <% } %>
  </div>
</div>
// templates/index.html
<style>
  .auth-center{
    display: flex;
    align-items: center;
    justify-content: center;
    height: 100%;
  }
  .sign-in-btn{
    margin-right: 10px;
  }
</style>

<div class="auth-center">
  <%= if (current_user) { %>
    <h1><%= current_user.email %></h1>
    <a href="/signout" data-method="delete">sign out</a>
  <% } else { %>
    <a href="/signin" class="btn btn-primary">sign in</a>
    <a href="/users/new" class="btn btn-success">register</a>
  <% } %>
</div>