github.com/ed-henrique/suk

Source: Go
Version: v0.0.0-20240812123012-4aa8f1889826

SUK - Single-use Keys

What if, instead of storing user information on the client side in a JWT, you used a token containing a randomized key that refers to client information held on the server side? This session ID would be valid only for a specified duration and would expire immediately after use, so a captured key cannot be replayed once it has been redeemed. This narrows the window for unauthorized access.

This was intended to be used for web app authentication with HTTP cookies, but other applications may find it useful as well.

Need authentication? ───────────────────────────────┐
├── Yes                                             │
│   └── Is the user key valid?                      │
│       ├── Yes                                     │
│       │   └── Generate new one/Invalidate old one │ 
│       │       └── Continue execution normally ────┘
│       └── No
│           └── Authentication error
└── No
    └── Well, ok then.

Getting Started

Getting SUK

go get -u github.com/ed-henrique/suk

Running SUK

package main

import (
    "github.com/ed-henrique/suk"
)

func main() {
    resource := "important stuff here!"

    // Creates new session storage
    ss, _ := suk.New(suk.WithAutoClearExpiredKeys())

    // Removes session storage
    defer suk.Destroy(ss)

    // Sets resource to a randomly generated key
    key, _ := ss.Set(resource)

    // Gets the resource, invalidating the previous key
    resource, newKey, _ := ss.Get(key)

    // Removes both the key and the resource
    ss.Remove(newKey)
}

Examples

  • Sample Server with Cookie Authentication

Documentation

Please refer to this.

Decisions

  • Multiple cookies can connect to a single session, but they are not aware of each other
  • If all cookies to a session are used up, the reference to the session is lost

Roadmap

  • Extensive testing
  • Make implementation concurrent-safe
  • Use better algorithm for random and strong keys (refer to this)
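
The validate-then-rotate flow from the introduction, combined with the two roadmap items above (concurrency safety and strong random keys), as an added Go example. It is not suk's own code: `Store`, `NewStore` and `ErrInvalidKey` are hypothetical names, and `Set`/`Get` only mirror the shape of the calls shown under Running SUK.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Store is a hypothetical single-use key store (illustration, not suk's code).
type Store struct {
	mu   sync.Mutex
	ttl  time.Duration
	data map[string]entry
}
type entry struct{ val any; exp time.Time }
var ErrInvalidKey = errors.New("key unknown, expired or already used")
func NewStore(ttl time.Duration) *Store { return &Store{ttl: ttl, data: map[string]entry{}} }

func (s *Store) Set(val any) (string, error) {
	b := make([]byte, 32) // 256 bits from the OS CSPRNG, not math/rand
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	k := base64.RawURLEncoding.EncodeToString(b) // cookie-safe alphabet
	s.mu.Lock()
	defer s.mu.Unlock()
	s.data[k] = entry{val, time.Now().Add(s.ttl)}
	return k, nil
}

// Get redeems key: lookup and delete share one lock, so a replay or race fails.
func (s *Store) Get(key string) (any, string, error) {
	s.mu.Lock()
	e, ok := s.data[key]
	delete(s.data, key) // spent whether or not it turns out to be valid
	s.mu.Unlock()
	if !ok || time.Now().After(e.exp) {
		return nil, "", ErrInvalidKey
	}
	nk, err := s.Set(e.val) // on error the old key stays spent; check err first
	return e.val, nk, err
}

func main() {
	k, err := NewStore(time.Minute).Set("constructed session value")
	fmt.Println(len(k), err) // 43 <nil>
}
```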

FAQs

Package last updated on 12 Aug 2024
