A robust Go-based backend service with advanced authentication and permission systems.

- JWT-based authentication with refresh tokens
- Role-based access control (RBAC)
- Password reset functionality with time-limited codes
- Super admin creation on first run
- Granular resource-based permissions
- Module-based organization
- Role-based default permissions
- Support for wildcard permissions (e.g., `teams:*`)
- Multi-team support
- Team invitations
- Team settings
- User roles (Super Admin, Admin, Member)
- Permission management
- Profile management
- Decoupled service communication
- Asynchronous event handling
- Service hooks integration
- Panic recovery in event handlers
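The wildcard grants listed above (`teams:*` covering every action on teams) are easy to get subtly wrong, so here is a complete check written for this README as an added example, not the project's own code. The `rolePermissions` table, its Super Admin/Admin/Member entries and the `HasPermission`/`RoleAllows` names are assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Role-to-grant table shaped like the README's rolePermissions seed; the
// concrete entries are assumed for this example, not taken from the project.
var rolePermissions = map[string][]string{
	"Super Admin": {"*:*"},
	"Admin":       {"teams:*", "users:read", "users:invite"},
	"Member":      {"teams:read", "profile:*"},
}

// matches reports whether one grant covers a resource/action pair. "*" on either
// side of the colon in the grant is a wildcard; anything else must match exactly.
func matches(grant, resource, action string) bool {
	gr, ga, ok := strings.Cut(grant, ":")
	if !ok {
		return false // malformed grant rows are ignored rather than trusted
	}
	return (gr == "*" || gr == resource) && (ga == "*" || ga == action)
}

// HasPermission is the check an authorization middleware runs after the user's
// role or permission claims have been read from a validated JWT. The requirement
// must name a concrete resource and action: wildcards count only on the grant side.
func HasPermission(granted []string, required string) bool {
	resource, action, ok := strings.Cut(required, ":")
	if !ok || resource == "" || action == "" || resource == "*" || action == "*" {
		return false
	}
	for _, g := range granted {
		if matches(g, resource, action) {
			return true
		}
	}
	return false
}

func RoleAllows(role, required string) bool {
	return HasPermission(rolePermissions[role], required) // unknown roles get nothing
}

func main() {
	for _, req := range []string{"teams:delete", "users:delete"} {
		fmt.Println("Admin", req, RoleAllows("Admin", req))
	}
}
```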
```mermaid
sequenceDiagram
    participant M as Models
    participant E as Event Bus
    participant S as Services
    participant H as Hooks
    M->>E: Emit Event
    activate E
    E->>S: Notify Service
    E->>H: Trigger Hooks
    S-->>E: Process Event
    H-->>E: Execute Hook
    deactivate E
```
| Event Name | Description | Payload |
|---|---|---|
| `user.registered` | Triggered on new registration | `UserData` |
| `team.created` | Triggered when a new team is created | `TeamData` |
```go
// Register a handler for the "user.created" event
events.On("user.created", func(data interface{}) {
	// Handle the event payload here
})

// Emit the event with its payload
events.Emit("user.created", emailData)
```
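An added example (not the project's own `events` package) of the `On`/`Emit` shape shown above, with the asynchronous dispatch and per-handler panic recovery the feature list promises; the `Bus`, `NewBus` and `Wait` names are assumed here.

```go
package main

import (
	"log"
	"sync"
)

type Handler func(data interface{})

// Bus is a minimal in-process event bus (example code, not the project's):
// handlers run asynchronously, and a panic in one handler is recovered and
// logged so it can neither crash the server nor starve the other handlers.
type Bus struct {
	mu       sync.RWMutex
	handlers map[string][]Handler
	wg       sync.WaitGroup
}

func NewBus() *Bus { return &Bus{handlers: make(map[string][]Handler)} }

func (b *Bus) On(name string, h Handler) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.handlers[name] = append(b.handlers[name], h)
}

// Emit runs every handler of name in its own goroutine and returns at once,
// so the emitting model or request handler never blocks on side effects.
func (b *Bus) Emit(name string, data interface{}) {
	b.mu.RLock()
	defer b.mu.RUnlock()
	for _, h := range b.handlers[name] {
		b.wg.Add(1)
		go func(h Handler) {
			defer b.wg.Done()
			defer func() {
				if r := recover(); r != nil {
					log.Printf("event %q: handler panicked: %v", name, r)
				}
			}()
			h(data)
		}(h)
	}
}

// Wait blocks until every dispatched handler has returned (shutdown, tests).
func (b *Bus) Wait() { b.wg.Wait() }

func main() {
	b := NewBus()
	b.On("user.created", func(d interface{}) { log.Println("welcome mail for", d) })
	b.Emit("user.created", "user@example.com")
	b.Wait()
}
```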
- Go 1.21 or higher
- PostgreSQL 17 or higher
- Redis (for rate limiting and caching)
```env
# Server Configuration
SERVER_HOST=localhost
SERVER_PORT=8080

# Database Configuration
POSTGRES_HOST=localhost
POSTGRES_PORT=5432
POSTGRES_USER=kori_user
POSTGRES_PASSWORD=kori_password
POSTGRES_DB=kori
POSTGRES_SSLMODE=disable

# JWT Configuration
JWT_SECRET=your_secure_jwt_secret

# Storage Configuration
STORAGE_PROVIDER=local
STORAGE_BASE_PATH=./storage

# Worker Configuration
WORKER_CONCURRENCY=5
WORKER_QUEUE_SIZE=100

# Redis Configuration
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=kori_password
REDIS_DB=0

# Super Admin Configuration (First Run)
SUPERADMIN_EMAIL=[email protected]
SUPERADMIN_PASSWORD=secure_password
SUPERADMIN_NAME=Admin
```
- Clone the repository:

  ```bash
  git clone https://github.com/theboringhumane/be0.go.git
  cd be0.go
  ```

- Install dependencies:

  ```bash
  go mod download
  ```

- Set up the environment:

  ```bash
  cp .env.example .env
  # Edit .env with your configuration
  ```

- Run migrations:

  ```bash
  go run cmd/migrate/main.go
  ```

- Start the server:

  ```bash
  go run cmd/server/main.go
  ```
The API is documented using Swagger/OpenAPI. Access the documentation at:
http://localhost:8080/swagger/index.html
`POST /api/v1/auth/register`

```json
{
  "email": "[email protected]",
  "password": "secure_password",
  "first_name": "John",
  "last_name": "Doe"
}
```

`POST /api/v1/auth/login`

```json
{
  "email": "[email protected]",
  "password": "secure_password"
}
```

`POST /api/v1/auth/password-reset`

```json
{
  "email": "[email protected]"
}
```
The authentication system supports both traditional email/password authentication and Google OAuth, integrated with JWT-based session management.
```mermaid
graph TD
    subgraph "Traditional Email/Password Authentication"
        A[User Registration/Login] -->|Email & Password| B{Exists?}
        B -->|No - Register| C[Create Team & User]
        C --> D[Assign Default Permissions]
        B -->|Yes - Login| E[Validate Password]
        D --> F[Generate Tokens]
        E -->|Valid| F
        E -->|Invalid| G[Return Error]
        F --> H[Create Auth Transaction]
        H --> I[Return JWT & Refresh Token]
    end
    subgraph "Google OAuth Authentication"
        J[Google Sign-In] -->|ID Token| K[Verify with Firebase]
        K -->|Valid| L{User Exists?}
        L -->|No| M[Create Team & User]
        M --> N[Assign Default Permissions]
        L -->|Yes| O[Update Provider Data]
        N --> P[Generate Tokens]
        O --> P
        P --> Q[Create Auth Transaction]
        Q --> R[Return JWT & Refresh Token]
    end
    subgraph "JWT Token Flow"
        S[Protected API Request] -->|JWT Token| T[Auth Middleware]
        T -->|Validate| U{Token Valid?}
        U -->|Yes| V[Extract Claims]
        V --> W[Set Context]
        W --> X[Continue to Handler]
        U -->|No| Y[Return 401]
    end
    subgraph "Token Refresh Flow"
        Z[Refresh Token Request] -->|Refresh Token| AA{Valid?}
        AA -->|Yes| AB[Get User]
        AB --> AC[Generate New Access Token]
        AC --> AD[Update Auth Transaction]
        AD --> AE[Return New Access Token]
        AA -->|No| AF[Return 401]
    end
    subgraph "Password Reset Flow"
        AG[Reset Request] -->|Email| AH[Generate Reset Code]
        AH --> AI[Store Reset Code]
        AI --> AJ[Send Reset Email]
        AK[Reset Verification] -->|Code & New Password| AL{Valid Code?}
        AL -->|Yes| AM[Update Password]
        AM --> AN[Mark Code Used]
        AL -->|No| AO[Return Error]
    end
    subgraph "Team Invite Flow"
        AP[Team Invite] -->|Email & Role| AQ[Generate Invite Code]
        AQ --> AR[Store Invite]
        AR --> AS[Send Invite Email]
        AT[Accept Invite] -->|Code & Password| AU{Valid Invite?}
        AU -->|Yes| AV[Create User]
        AV --> AW[Assign Team & Role]
        AU -->|No| AX[Return Error]
    end
```
- Authentication Methods
  - Traditional Email/Password
  - Google OAuth via Firebase
  - Team Invitations
- Token Management
  - JWT Access Tokens (24h validity)
  - Refresh Tokens (7 days validity)
  - Auth Transaction Tracking
- User Management
  - Automatic Team Creation
  - Role Assignment
  - Permission Management
- Security Features
  - Bcrypt Password Hashing
  - Time-Limited Reset Codes
  - Firebase Token Verification
  - Transaction-based Operations
- Integration Points
  - Firebase Authentication
  - Email Service for Notifications
  - Event System for Tracking
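The time-limited, single-use reset codes from the Password Reset Flow (generate, store, verify, mark used), as an added example that is not the project's code. The in-memory `ResetStore`, its `TTL` and injectable `Now` fields, and the 128-bit hex code format are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

var ErrInvalidCode = errors.New("invalid or expired reset code")

type resetEntry struct {
	code    string
	expires time.Time
}

// ResetStore holds codes in memory and is single-goroutine (both assumed for this example); Now is injectable for tests.
type ResetStore struct {
	TTL     time.Duration
	Now     func() time.Time
	byEmail map[string]resetEntry
}

// Issue makes a random 128-bit code; a later Issue for the same email replaces it.
func (s *ResetStore) Issue(email string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	if s.byEmail == nil {
		s.byEmail = map[string]resetEntry{}
	}
	code := hex.EncodeToString(buf)
	s.byEmail[email] = resetEntry{code: code, expires: s.Now().Add(s.TTL)}
	return code, nil
}

// Verify redeems a code only before expiry and only once (deleting it is the in-memory
// "mark code used"); the constant-time compare keeps timing from leaking partial matches.
func (s *ResetStore) Verify(email, code string) error {
	e, ok := s.byEmail[email]
	if !ok || s.Now().After(e.expires) {
		return ErrInvalidCode
	}
	if subtle.ConstantTimeCompare([]byte(code), []byte(e.code)) != 1 {
		return ErrInvalidCode
	}
	delete(s.byEmail, email)
	return nil
}
```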
```text
# Traditional Authentication
POST /api/v1/auth/register                # User Registration
POST /api/v1/auth/login                   # User Login
POST /api/v1/auth/refresh                 # Token Refresh

# Google OAuth
POST /api/v1/auth/google                  # Google Sign-In

# Password Management
POST /api/v1/auth/password-reset          # Request Reset
POST /api/v1/auth/password-reset/verify   # Verify Reset

# Team Management
POST /api/v1/auth/invite                  # Send Team Invite
POST /api/v1/auth/accept/:code            # Accept Invite
```
- Rate Limiting
  - Request rate limiting per IP
  - API key rate limiting
  - Configurable limits
- JWT Security
  - Short-lived access tokens (24 hours)
  - Refresh token support (7 days)
  - Permission claims in tokens
- Password Security
  - Bcrypt password hashing
  - Minimum password requirements
  - Secure password reset flow
- API Security
  - CORS protection
  - Request size limiting
  - Secure headers
  - GZIP compression
```text
be0.go
├── cmd                 # Application entry points
├── internal
│   ├── api             # API layer
│   │   ├── middleware  # Custom middlewares
│   │   ├── validator   # Request validators
│   │   └── server.go   # Server setup
│   ├── config          # Configuration
│   ├── events          # Event bus system
│   ├── handlers        # Request handlers
│   ├── models          # Database models
│   ├── routes          # Route definitions
│   ├── services        # Business logic
│   └── utils           # Utility functions
├── migrations          # Database migrations
└── storage             # Local storage
```
- New Resource
  - Add model in `internal/models/`
  - Add permissions in `internal/models/seed.go`
  - Create handler in `internal/handlers/`
  - Add routes in `internal/routes/`
- New Permission
  - Add resource in `defaultResources`
  - Add permissions in `rolePermissions`
  - Run server to auto-seed
This project is licensed under the MIT License - see the LICENSE file for details.