> (2) would using a session cookie + some authorization middleware (such as casbin) make sense for our situation? what are its pros and cons?

This is what I'm familiar with. The main con is having to check the authorization in every request. Writing your own isn't complex.

Matt

On Thursday, January 25, 2018 at 2:03:25 AM UTC-6, [email protected] wrote:
> thanks for the reply. we'll use https in production for sure because the data going back and forth are valuable business data. the users from the 3 locations are all employees of the organization, but because we're opening up the api to the internet (to accommodate those remote employees), we want to do our due diligence upfront regarding security (we want our apis to only be available to authenticated and authorized users)
>
> On Thursday, January 25, 2018 at 1:32:36 PM UTC+8, [email protected] wrote:
>> i come from a java and c# background, and have built webapps the "classic" way (i.e., jsp, asp.net, cookies, server-side rendering, occasionally ajax, etc)
>>
>> i am about to build my first (eventually) medium-sized web app, where the server-side would just be serving up data rest-api style, and both local and remote users would be connecting via a browser and/or a non-browser.
>>
>> the webapp is meant for use within an organization only, but because the organization is spread out in three different locations, the rest api (or perhaps some sort of an api gateway?) would have to be exposed to the internet.
>>
>> my questions are all security-related and we're thinking of using go as the programming language, and some external libraries such as routers (we're currently investigating gorilla mux, ozzo-routing, and others) etc.
>>
>> (1) is validating JWTs in a web request's authorization header the current dominant best practice for securing an api? what are its pros and cons?
>>
>> (2) would using a session cookie + some authorization middleware (such as casbin) make sense for our situation? what are its pros and cons?
>>
>> thanks for helping!
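Matt's answer (a server-side session cookie plus an authorization check on every request, written by hand rather than pulled in from casbin) in runnable form. This is an added example, not code from the thread or from casbin or any router the poster mentions: a plain net/http server with an authentication middleware that resolves the cookie to a server-side session and an authorization middleware that consults a small role/method/path policy on each request. The cookie name `session`, the `/api/orders` route, the `staff`/`admin` roles and the policy rules are constructed for the example.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"sync"
)

// session is what the server remembers about a logged-in user; the browser
// only ever holds the opaque session ID, never the user name or role.
type session struct {
	User string
	Role string
}

// sessionStore is an in-memory session table (hypothetical; a production
// deployment would back this with a database or cache shared by all servers).
type sessionStore struct {
	mu       sync.RWMutex
	sessions map[string]session
}

func newSessionStore() *sessionStore {
	return &sessionStore{sessions: make(map[string]session)}
}

// create issues a 256-bit random session ID and records the session under it.
func (s *sessionStore) create(user, role string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := hex.EncodeToString(buf)
	s.mu.Lock()
	s.sessions[id] = session{User: user, Role: role}
	s.mu.Unlock()
	return id, nil
}

func (s *sessionStore) lookup(id string) (session, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	sess, ok := s.sessions[id]
	return sess, ok
}

// sessionCookie is the cookie to set after login: HttpOnly keeps page scripts
// away from the ID, Secure matches the HTTPS-only deployment described above.
func sessionCookie(id string) *http.Cookie {
	return &http.Cookie{Name: "session", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode}
}

// policy is a minimal hand-written stand-in for casbin: role -> "METHOD /path" -> allowed.
type policy map[string]map[string]bool

func (p policy) allows(role, method, path string) bool {
	return p[role][method+" "+path] // missing role or rule reads as false
}

type ctxKey struct{}

// authenticate answers 401 when the session cookie is absent or unknown and
// otherwise attaches the resolved session to the request context.
func authenticate(store *sessionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		sess, ok := store.lookup(c.Value)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, sess)))
	})
}

// authorize consults the policy on every request (the per-request cost Matt
// mentions) and answers 403 when the role may not perform this action.
func authorize(p policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sess, _ := r.Context().Value(ctxKey{}).(session)
		if !p.allows(sess.Role, r.Method, r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newAPI chains the two middlewares in front of a sample endpoint.
func newAPI(store *sessionStore, p policy) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/orders", func(w http.ResponseWriter, r *http.Request) {
		sess := r.Context().Value(ctxKey{}).(session) // always set by authenticate
		fmt.Fprintf(w, "%s %s ok for %s\n", r.Method, r.URL.Path, sess.User)
	})
	return authenticate(store, authorize(p, mux))
}

// samplePolicy holds constructed rules: staff may read orders, admins may also delete.
var samplePolicy = policy{
	"staff": {"GET /api/orders": true},
	"admin": {"GET /api/orders": true, "DELETE /api/orders": true},
}

func main() {
	store := newSessionStore()
	fmt.Println(http.ListenAndServe(":8080", newAPI(store, samplePolicy)))
}
```

Order matters in `newAPI`: authentication runs first so that a missing or forged cookie is rejected with 401 before any policy lookup, and the policy lookup happens on every request, which is the cost Matt points to in exchange for being able to revoke a session server-side instantly (delete it from the store) rather than waiting for a token to expire.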
