{"id":15845104,"url":"https://github.com/sixcolors/gofiber-react-session-csrf-example","last_synced_at":"2025-10-08T03:11:19.198Z","repository":{"id":205348674,"uuid":"713977682","full_name":"sixcolors/gofiber-react-session-csrf-example","owner":"sixcolors","description":"Example of a GoFiber backend with a React frontend that uses sessions and CSRF protection","archived":false,"fork":false,"pushed_at":"2025-07-28T18:45:11.000Z","size":7618,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-28T20:42:52.007Z","etag":null,"topics":["csrf-protection","docker-compose","gofiber","golang","javascript","react","reverse-proxy","sessions"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sixcolors.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-11-03T16:34:49.000Z","updated_at":"2025-07-28T18:44:00.000Z","dependencies_parsed_at":null,"dependency_job_id":"56152748-2a4b-45e8-85e6-67f6a5614d45","html_url":"https://github.com/sixcolors/gofiber-react-session-csrf-example","commit_stats":null,"previous_names":["sixcolors/gofiber-react-session-csrf-example"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/sixcolors/gofiber-react-session-csrf-example","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sixcolors%2Fgofiber-react-session-csrf-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sixcolors%2Fgofiber-react-sessio
n-csrf-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sixcolors%2Fgofiber-react-session-csrf-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sixcolors%2Fgofiber-react-session-csrf-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sixcolors","download_url":"https://codeload.github.com/sixcolors/gofiber-react-session-csrf-example/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sixcolors%2Fgofiber-react-session-csrf-example/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278882246,"owners_count":26062252,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csrf-protection","docker-compose","gofiber","golang","javascript","react","reverse-proxy","sessions"],"created_at":"2024-10-05T17:41:53.095Z","updated_at":"2025-10-08T03:11:19.190Z","avatar_url":"https://github.com/sixcolors.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Example GoFiber Backend with React Frontend using Sessions and CSRF\n\n**Note:** This example has been updated to use the latest GoFiber v3 beta version. 
You can check the [v2](https://github.com/sixcolors/gofiber-react-session-csrf-example/tree/v2) branch for a version that uses GoFiber v2.\n\nThis is an example of a GoFiber backend with a React frontend that uses sessions and CSRF tokens.\n\nInspired by https://redis.com/blog/json-web-tokens-jwt-are-dangerous-for-user-sessions/ and developer questions about such a use case on the GoFiber Discord server.\n\nIt uses an nginx reverse proxy to serve the frontend and backend on the same port. The backend is served on `/api` and the frontend is served on `/`.\n\nThis example is not complete and therefore should not be used in production.\n\nIt still needs the following:\n\n- [x] Docker compose for development (see [docker-compose.yml](docker-compose.yml))\n- [x] React Dev Tools do not work with the proxy, fix\n- [x] Go Delve remote debugger (see [launch.json](.vscode/launch.json)) `Docker: Attach to Go (Delve)` config for debugging the backend in VSCode\n- [x] React debugging (see [launch.json](.vscode/launch.json)) `Launch Chrome against localhost` config for debugging the frontend in VSCode\n- [ ] Separate frontend and backend docker containers\n- [ ] SECURE Dockerfiles (i.e. don't run as root, etc.)\n- [x] Secure handling of login credentials in the backend\n- [x] Timeouts on the frontend\n- [x] Mechanism to refresh auth status on the frontend (if an auth error happens, or the user does something that changes their auth status)\n- [x] TODO: session timeout in the front end with multiple tabs open could cause the session to be extended indefinitely, fix\n- [ ] Some browsers (Safari) will not offer to save passwords when using fetch and require a page load to trigger the save password dialog, fix\n\n\n## Development\n\nA docker-compose file is provided for development. 
It will start the backend, frontend and a Redis cache.\n\n```bash\ndocker compose up\n```\n\nThe server will be available at [http://localhost:8080](http://localhost:8080).\n\nTo support WebSocket-based hot reloading of the frontend, nginx is configured to `proxy_pass` `/ws` requests to the frontend container.\n\nNote: React Dev Tools require the environment variable `WDS_SOCKET_PORT` to be set to `8080` to work with the proxy (see [react-app/Dockerfile.dev](react-app/Dockerfile.dev)).\n\nThe backend will be restarted when changes are made to the backend code using [air](https://github.com/air-verse/air).\n\nThe Go Delve remote debugger will be available at [http://localhost:2345](http://localhost:2345); use the `Docker: Attach to Go (Delve)` config in [launch.json](.vscode/launch.json) for debugging the backend in VSCode.\n\n## Production\n\n```bash\ndocker build -t gofiber-react-session-csrf-example .\ndocker run -p 8080:8080 gofiber-react-session-csrf-example\n```\n\nThe server will be available at [http://localhost:8080](http://localhost:8080).\n\n## Credentials\n\nThere are two users with securely hashed passwords (using Argon2id):\n\n- `admin` with password `admin`\n- `user` with password `user`\n\n## Security Features\n\nThis example demonstrates secure authentication practices:\n\n- **Password Hashing**: Argon2id for secure password storage.\n- **Rate Limiting**: 10 login attempts per minute per IP to prevent brute force.\n- **Timing Attack Mitigation**: Constant-time password verification.\n- **CSRF Protection**: Token-based CSRF prevention using sessions.\n- **Session Management**: Secure session handling with regeneration and timeouts.\n\n**Note**: For production, enable HTTPS, set `CookieSecure: true`, and use environment variables for sensitive config.\n\n## API\n\n### `POST /api/auth/login`\n\nRate limited to 10 requests per minute per IP address.\n\nrequest:\n```json\n{\n  \"username\": \"admin\",\n  \"password\": \"admin\"\n}\n```\n\nresponse:\n```json\n{\n    \"loggedIn\": true,\n    
\"username\": \"admin\",\n    \"roles\": [\"admin\", \"user\"],\n    \"sessionTimeout\": 3600 // seconds\n}\n```\n\n### `POST /api/auth/logout`\n\nrequest:\n```json\n{}\n```\n\nresponse:\n```json\n{\n    \"loggedIn\": false,\n}\n```\n\n### `GET /api/auth/status`\n\nresponse:\n```json\n{\n  \"loggedIn\": true,\n  \"username\": \"admin\",\n  \"roles\": [\"admin\", \"user\"],\n  \"sessionTimeout\": 3600 // seconds\n}\n```\n\n### `GET /api/thingamabob`\n\nresponse:\n```json\n[\n  {\n    \"id\": 1,\n    \"name\": \"Thingamabob 1\"\n  },\n  {\n    \"id\": 2,\n    \"name\": \"Thingamabob 2\"\n  }\n]\n```\n\n### `POST /api/thingamabob`\n\nrequest:\n```json\n{\n  \"name\": \"Thingamabob 3\"\n}\n```\n\nresponse:\n```json\n{\n  \"id\": 3,\n  \"name\": \"Thingamabob 3\"\n}\n```\n\n### `GET /api/thingamabob/:id`\n\nresponse:\n```json\n{\n  \"id\": 1,\n  \"name\": \"Thingamabob 1\"\n}\n```\n\n### `PUT /api/thingamabob/:id`\n\nrequest:\n```json\n{\n  \"name\": \"Thingamabob 1 Updated\"\n}\n```\n\nresponse:\n```json\n{\n  \"id\": 1,\n  \"name\": \"Thingamabob 1 Updated\"\n}\n```\n\n### `DELETE /api/thingamabob/:id`\n\nresponse:\n```http\n204 No Content\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsixcolors%2Fgofiber-react-session-csrf-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsixcolors%2Fgofiber-react-session-csrf-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsixcolors%2Fgofiber-react-session-csrf-example/lists"}