Go-Swagger : User Authentication & securing API using JWT — Part 2
This article is the continuation of user authentication using JWT. In Part 1 of this article, we successfully generated a valid JWT token using our /login endpoint. In this section, we'll work on securing APIs so that they reject any unauthenticated calls.
1. Define security in swagger.yaml
To enable authentication for an API, we need to define securityDefinitions in the swagger.yaml file:
securityDefinitions:
  Bearer:
    type: apiKey
    name: Authorization
    in: header
2. Create restricted API
Let's create an endpoint, say /user/cart, which fetches all cart items of a registered user. Since we want to restrict this API to authorized users only, we need to add the definition below in the swagger.yaml file under the /user/cart yaml property:
security:
  - Bearer: []
The final swagger.yaml file will look like:
If you view this yaml online in the Swagger editor, note the "Lock" icon on /user/cart. It informs a developer that this API needs authorization.
3. Generate boilerplate code from swagger.yaml
To generate the code from the above swagger.yaml file, you'll have to run the command below:
swagger generate server -f swagger.yaml --default-scheme http --exclude-main
4. Create authentication middleware
Now that we have the required code generated from the swagger.yaml file, we can proceed to create a middleware which intercepts all API calls that have security defined under them. We'll do the following steps to get it done:
- Create authenticator.go, which will validate the JWT token. If the token is valid, we return the email and a nil error. For any invalid token, we return an error.
- In the configure_e_food.go file, we attach ValidateHeader as middleware.
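The validator described in the two steps above, as an added example written for this article rather than the e-food repository's own authenticator.go: it verifies an HS256 JWT taken from the Authorization header using only the Go standard library and returns the email claim, or an error for a malformed, tampered or expired token. Claims, MintToken, the secret and the "email" claim name are assumptions standing in for what /login produced in Part 1.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the payload we assume /login signed in Part 1: the user's email and an expiry.
type Claims struct {
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}
var enc = base64.RawURLEncoding // JWT segments are unpadded base64url
func sign(input string, secret []byte) []byte { // HS256 over "header.payload"
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// MintToken builds an HS256 JWT; it stands in for the token /login returns.
func MintToken(email string, exp time.Time, secret []byte) string {
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(Claims{Email: email, Exp: exp.Unix()})
	input := header + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(sign(input, secret))
}
// ValidateHeader checks the Authorization header value and returns the email claim, or an
// error for a malformed, tampered or expired token. The algorithm is fixed to HS256 here and
// the token's own "alg" header is never consulted, so alg=none or alg-swapped tokens fail.
func ValidateHeader(authHeader string, secret []byte, now time.Time) (string, error) {
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1], secret)) {
		return "", errors.New("invalid signature")
	}
	var c Claims
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil || c.Email == "" {
		return "", errors.New("invalid claims")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return c.Email, nil
}
```

The go-swagger middleware would call ValidateHeader on each request whose operation carries the Bearer security requirement and abort with 401 when it returns an error.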
That's it! 👑
Now, /user/cart can only be accessed with a valid JWT token.
5. Getting User info from JWT Token in API code.
As I have already explained in the intro article on go-swagger, we'll similarly create get_user_cart_item.go. We can re-use ValidateHeader() from the utils package and use it to extract the email. Once we have the email, we can pass it on to GetCustomerCart() to get the respective cart items.
To test this endpoint, we need to generate a token using the /login endpoint. Once we have the token, we need to add it in the Authorization header.
Screenshot of a valid request:
Screenshot of an invalid request with an expired token:
The final code can be found in my e-food GitHub repository. Feel free to explore the repository. It is working code with no change in file names.
If you like this article, please 👏 clap 👏 few times to encourage me 🐼 to write more.