The latest articles on Forem by Dan Gillis (@gilcrest). https://forem.com/gilcrest https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F473071%2F85d2dbc3-c0e2-4b2f-ad2b-784c025c77ce.jpeg https://forem.com/gilcrest en Dan Gillis Tue, 13 Jul 2021 20:06:49 +0000 https://forem.com/gilcrest/logging-in-go-api-basic-32i6 https://forem.com/gilcrest/logging-in-go-api-basic-32i6 <h2> Thoughts on Logging </h2> <p>I've gone through a few logging phases in my career. I logged <em>everything</em>. It was great, until the logs became meaningless because there were too many. I logged only errors, but in some cases that was not enough. Now I'm somewhere in the middle. I do believe in logging all errors and detailed how I do that in <a href="https://dangillis.dev/posts/errors/#typical-error-response">my last post</a>. There are also times when it's helpful to have some debugging logs in place. As an example, if you've ever tried to build a google doc using their APIs, then you may know that it can be helpful to have some tidbits of information about the document index position along your code/document path. In cases like this, I will leave debug logs in place in order to be able to pull the thread on them later if need be. Often times, I may deploy a change with some logs in place until I've seen enough data in action in production and then back out the logs in the next change when I'm satisfied. In general, I try to minimize the amount of logging in my code and only put logs in where it counts.</p> <h2> Logging in go-api-basic with zerolog </h2> <p><a href="https://github.com/gilcrest/go-api-basic">go-api-basic</a> uses the <a href="https://github.com/rs/zerolog">zerolog</a> library from <a href="https://github.com/rs">Olivier Poitrey</a>. I'm not gonna lie - initially, I chose this library because Olivier uses it at <a href="https://github.com/Netflix?language=go">Netflix</a> and that was enough for me. Over time though, I've really come to love this logging library and Olivier is a great maintainer. I spent a lot of time a couple of years ago helping with the README and a number of other things in the library along the way. I've learned a lot about Go and open source just from these interactions. If I use a library, I generally try to give back in some way to it, but often times through these interactions, I get back more in return, actually.</p> <p>The mechanics for using <code>zerolog</code> are straightforward and are well documented in the library's <a href="https://github.com/rs/zerolog#readme">README</a>. <code>zerolog</code> takes an <code>io.Writer</code> as input to create a new logger; for simplicity in <code>go-api-basic</code>, I use <code>os.Stdout</code>.</p> <h2> Setting Logger State on Startup </h2> <p>When starting <code>go-api-basic</code>, there are several flags which setup the logger:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Flag Name</th> <th>Description</th> <th>Environment Variable</th> <th>Default</th> </tr> </thead> <tbody> <tr> <td>log-level</td> <td>zerolog logging level (debug, info, etc.)</td> <td>LOG_LEVEL</td> <td>debug</td> </tr> <tr> <td>log-level-min</td> <td>sets the minimum accepted logging level</td> <td>LOG_LEVEL_MIN</td> <td>debug</td> </tr> <tr> <td>log-error-stack</td> <td>If true, log full error stacktrace, else just log error</td> <td>LOG_ERROR_STACK</td> <td>false</td> </tr> </tbody> </table></div> <blockquote> <p><code>go-api-basic</code> uses the <a href="https://github.com/peterbourgon/ff">ff</a> library from <a href="https://peter.bourgon.org">Peter Bourgon</a>, which allows for using either flags or environment variables. Click <a href="https://github.com/gilcrest/go-api-basic#command-line-flags">here</a> if you want more info on this setup. Going forward, we'll assume you've chosen flags.</p> </blockquote> <p>The <code>log-level</code> flag sets the Global logging level for your <code>zerolog.Logger</code>.</p> <p><strong>zerolog</strong> allows for logging at the following levels (from highest to lowest):</p> <ul> <li>panic (<code>zerolog.PanicLevel</code>, 5)</li> <li>fatal (<code>zerolog.FatalLevel</code>, 4)</li> <li>error (<code>zerolog.ErrorLevel</code>, 3)</li> <li>warn (<code>zerolog.WarnLevel</code>, 2)</li> <li>info (<code>zerolog.InfoLevel</code>, 1)</li> <li>debug (<code>zerolog.DebugLevel</code>, 0)</li> <li>trace (<code>zerolog.TraceLevel</code>, -1)</li> </ul> <p>The <code>log-level-min</code> flag sets the minimum accepted logging level, which means, for example, if you set the minimum level to error, the only logs that will be sent to your chosen output will be those that are greater than or equal to error (<code>error</code>, <code>fatal</code> and <code>panic</code>).</p> <p>The <code>log-error-stack</code> boolean flag tells whether to log stack traces for each error. If <code>true</code>, the <code>zerolog.ErrorStackMarshaler</code> will be set to <code>pkgerrors.MarshalStack</code> which means, for errors raised using the <a href="https://github.com/pkg/errors">github.com/pkg/errors</a> package, the error stack trace will be captured and printed along with the log. All errors raised in <code>go-api-basic</code> are raised using <code>github.com/pkg/errors</code>.</p> <p>After parsing the command line flags, <code>zerolog.Logger</code> is initialized in <code>main.go</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// setup logger with appropriate defaults</span> <span class="n">lgr</span> <span class="o">:=</span> <span class="n">logger</span><span class="o">.</span><span class="n">NewLogger</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stdout</span><span class="p">,</span> <span class="n">minlvl</span><span class="p">,</span> <span class="no">true</span><span class="p">)</span> </code></pre> </div> <p>and subsequently injected into the <code>app.Server</code> struct as a Server parameter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// initialize server configuration parameters</span> <span class="n">params</span> <span class="o">:=</span> <span class="n">app</span><span class="o">.</span><span class="n">NewServerParams</span><span class="p">(</span><span class="n">lgr</span><span class="p">,</span> <span class="n">serverDriver</span><span class="p">)</span> <span class="c">// initialize Server</span> <span class="n">s</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">app</span><span class="o">.</span><span class="n">NewServer</span><span class="p">(</span><span class="n">mr</span><span class="p">,</span> <span class="n">params</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">lgr</span><span class="o">.</span><span class="n">Fatal</span><span class="p">()</span><span class="o">.</span><span class="n">Err</span><span class="p">(</span><span class="n">err</span><span class="p">)</span><span class="o">.</span><span class="n">Msg</span><span class="p">(</span><span class="s">"Error from app.NewServer"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Logger Setup in Handlers </h2> <p>The <code>Server.routes</code> method is responsible for registering routes and corresponding middleware/handlers to the Server's <code>gorilla/mux</code> router. For each route registered to the handler, upon execution, the initialized <code>zerolog.Logger</code> struct is added to the request context through the <code>Server.loggerChain</code> method.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// register routes/middleware/handlers to the Server router</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">Server</span><span class="p">)</span> <span class="n">routes</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Match only POST requests at /api/v1/movies</span> <span class="c">// with Content-Type header = application/json</span> <span class="n">s</span><span class="o">.</span><span class="n">router</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="n">moviesV1PathRoot</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">loggerChain</span><span class="p">()</span><span class="o">.</span><span class="n">Extend</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">ctxWithUserChain</span><span class="p">())</span><span class="o">.</span> <span class="n">Append</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">authorizeUserHandler</span><span class="p">)</span><span class="o">.</span> <span class="n">Append</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">jsonContentTypeResponseHandler</span><span class="p">)</span><span class="o">.</span> <span class="n">ThenFunc</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">handleMovieCreate</span><span class="p">))</span><span class="o">.</span> <span class="n">Methods</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">)</span><span class="o">.</span> <span class="n">Headers</span><span class="p">(</span><span class="n">contentTypeHeaderKey</span><span class="p">,</span> <span class="n">appJSONContentTypeHeaderVal</span><span class="p">)</span> <span class="o">...</span> </code></pre> </div> <p>The <code>Server.loggerChain</code> method sets up the logger with pre-populated fields, including the request method, url, status, size, duration, remote IP, user agent, referer. A unique <code>Request ID</code> is also added to the logger, context and response headers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">Server</span><span class="p">)</span> <span class="n">loggerChain</span><span class="p">()</span> <span class="n">alice</span><span class="o">.</span><span class="n">Chain</span> <span class="p">{</span> <span class="n">ac</span> <span class="o">:=</span> <span class="n">alice</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">hlog</span><span class="o">.</span><span class="n">NewHandler</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">logger</span><span class="p">),</span> <span class="n">hlog</span><span class="o">.</span><span class="n">AccessHandler</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">size</span> <span class="kt">int</span><span class="p">,</span> <span class="n">duration</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">)</span> <span class="p">{</span> <span class="n">hlog</span><span class="o">.</span><span class="n">FromRequest</span><span class="p">(</span><span class="n">r</span><span class="p">)</span><span class="o">.</span><span class="n">Info</span><span class="p">()</span><span class="o">.</span> <span class="n">Str</span><span class="p">(</span><span class="s">"method"</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span><span class="p">)</span><span class="o">.</span> <span class="n">Stringer</span><span class="p">(</span><span class="s">"url"</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="p">)</span><span class="o">.</span> <span class="n">Int</span><span class="p">(</span><span class="s">"status"</span><span class="p">,</span> <span class="n">status</span><span class="p">)</span><span class="o">.</span> <span class="n">Int</span><span class="p">(</span><span class="s">"size"</span><span class="p">,</span> <span class="n">size</span><span class="p">)</span><span class="o">.</span> <span class="n">Dur</span><span class="p">(</span><span class="s">"duration"</span><span class="p">,</span> <span class="n">duration</span><span class="p">)</span><span class="o">.</span> <span class="n">Msg</span><span class="p">(</span><span class="s">"request logged"</span><span class="p">)</span> <span class="p">}),</span> <span class="n">hlog</span><span class="o">.</span><span class="n">RemoteAddrHandler</span><span class="p">(</span><span class="s">"remote_ip"</span><span class="p">),</span> <span class="n">hlog</span><span class="o">.</span><span class="n">UserAgentHandler</span><span class="p">(</span><span class="s">"user_agent"</span><span class="p">),</span> <span class="n">hlog</span><span class="o">.</span><span class="n">RefererHandler</span><span class="p">(</span><span class="s">"referer"</span><span class="p">),</span> <span class="n">hlog</span><span class="o">.</span><span class="n">RequestIDHandler</span><span class="p">(</span><span class="s">"request_id"</span><span class="p">,</span> <span class="s">"Request-Id"</span><span class="p">),</span> <span class="p">)</span> <span class="k">return</span> <span class="n">ac</span> <span class="p">}</span> </code></pre> </div> <p>For every request, you'll get a request log that looks something like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"info"</span><span class="p">,</span><span class="w"> </span><span class="nl">"remote_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"127.0.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PostmanRuntime/7.28.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c3npn8ea0brt0m3scvq0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/v1/movies"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">401</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"duration"</span><span class="p">:</span><span class="w"> </span><span class="mf">392.254496</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="mi">1626315682</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"INFO"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"request logged"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>All error logs will have the same request metadata, including <code>request_id</code>. The <code>Request-Id</code> is also sent back as part of the error response as a response header, allowing you to link the two. An error log will look something like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"remote_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"127.0.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PostmanRuntime/7.28.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c3nppj6a0brt1dho9e2g"</span><span class="p">,</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"googleapi: Error 401: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project., unauthorized"</span><span class="p">,</span><span class="w"> </span><span class="nl">"http_statuscode"</span><span class="p">:</span><span class="w"> </span><span class="mi">401</span><span class="p">,</span><span class="w"> </span><span class="nl">"realm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"go-api-basic"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="mi">1626315981</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Unauthenticated Request"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>The above error log demonstrates a log for an error with stack trace turned off.</p> </blockquote> <p>If the Logger is to be used beyond the scope of the handler, it should be pulled from the request context in the handler and sent as a parameter to any inner calls. The Logger is added only to the request context to capture request related fields with the Logger and be able to pass the initialized logger and middleware handlers easier to the app/route handler. Additional use of the logger should be directly called out in function/method signatures so there are no surprises. All logs from the logger passed down get the benefit of the request metadata though, which is great!</p> <h2> Reading and Modifying Logger State </h2> <p>You can retrieve and update the state of these flags using the <code>{{base_url}}/api/v1/logger</code> endpoint.</p> <p>To retrieve the current logger state use a <code>GET</code> request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--location</span> <span class="nt">--request</span> GET <span class="s1">'http://127.0.0.1:8080/api/v1/logger'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Authorization: Bearer &lt;REPLACE WITH ACCESS TOKEN&gt;'</span> </code></pre> </div> <p>and the response will look something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"logger_minimum_level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"debug"</span><span class="p">,</span><span class="w"> </span><span class="nl">"global_log_level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"log_error_stack"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>In order to update the logger state use a <code>PUT</code> request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--location</span> <span class="nt">--request</span> PUT <span class="s1">'http://127.0.0.1:8080/api/v1/logger'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/json'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Authorization: Bearer &lt;REPLACE WITH ACCESS TOKEN&gt;'</span> <span class="se">\</span> <span class="nt">--data-raw</span> <span class="s1">'{ "global_log_level": "debug", "log_error_stack": "true" }'</span> </code></pre> </div> <p>and the response will look something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"logger_minimum_level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"debug"</span><span class="p">,</span><span class="w"> </span><span class="nl">"global_log_level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"debug"</span><span class="p">,</span><span class="w"> </span><span class="nl">"log_error_stack"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>PUT</code> response is the same as the <code>GET</code> response, but with updated values. In the examples above, I used a scenario where the logger state started with the global logging level (<code>global_log_level</code>) at error and error stack tracing (<code>log_error_stack</code>) set to false. The <code>PUT</code> request then updates the logger state, setting the global logging level to <code>debug</code> and the error stack tracing. You might do something like this if you are debugging an issue and need to see debug logs or error stacks to help with that.</p> <blockquote class="ltag__twitter-tweet"> <div class="ltag__twitter-tweet__main"> <div class="ltag__twitter-tweet__header"> <img class="ltag__twitter-tweet__profile-image" src="https://res.cloudinary.com/practicaldev/image/fetch/s--YaooN52M--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://pbs.twimg.com/profile_images/606008487005585408/9JGvEKX8_normal.jpg" alt="✕✕✕✕✕ profile image"> <div class="ltag__twitter-tweet__full-name"> ✕✕✕✕✕ </div> <div class="ltag__twitter-tweet__username"> @peterbourgon </div> <div class="ltag__twitter-tweet__twitter-logo"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ir1kO05j--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/twitter-f95605061196010f91e64806688390eb1a4dbc9e913682e043eb8b1e06ca484f.svg" alt="twitter logo"> </div> </div> <div class="ltag__twitter-tweet__body"> <a href="https://twitter.com/hashtag/golang">#golang</a> modules you probably shouldn't use<br><br><a href="https://t.co/33ROwusCgx">github.com/pkg/errors</a> — basically superseded by 1.13+ stdlib package errors <br><br><a href="https://t.co/TC8K4IAw85">github.com/uber-go/fx</a>, <a href="https://t.co/XRNj1H0zTJ">github.com/google/wire</a> — plain DI with interfaces/mocks is strictly superior almost always (exceptions know they're exceptions) </div> <div class="ltag__twitter-tweet__date"> 03:39 AM - 03 Jul 2021 </div> <div class="ltag__twitter-tweet__actions"> <a href="https://twitter.com/intent/tweet?in_reply_to=1411167609983229954" class="ltag__twitter-tweet__actions__button"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--fFnoeFxk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/twitter-reply-action-238fe0a37991706a6880ed13941c3efd6b371e4aefe288fe8e0db85250708bc4.svg" alt="Twitter reply action"> </a> <a href="https://twitter.com/intent/retweet?tweet_id=1411167609983229954" class="ltag__twitter-tweet__actions__button"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--k6dcrOn8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/twitter-retweet-action-632c83532a4e7de573c5c08dbb090ee18b348b13e2793175fea914827bc42046.svg" alt="Twitter retweet action"> </a> <a href="https://twitter.com/intent/like?tweet_id=1411167609983229954" class="ltag__twitter-tweet__actions__button"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--SRQc9lOp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/twitter-like-action-1ea89f4b87c7d37465b0eb78d51fcb7fe6c03a089805d7ea014ba71365be5171.svg" alt="Twitter like action"> </a> </div> </div> </blockquote> <p><a href="https://peter.bourgon.org">Peter Bourgon</a> recently tweeted the above about <code>github.com/pkg/errors</code>. He's not wrong. In general the standard library is always the way to go. For years I only used the standard library for raising errors and would annotate each error with the function name in order to capture a pseudo stack trace exactly like Rob Pike does in <a href="https://commandcenter.blogspot.com/2017/12/error-handling-in-upspin.html">this post</a> (the <code>errs.Op</code> field). I believe in annotating and logging every error - not everyone does. It can cause noise in your logs, but in my experience, it's helpful. After years of trying to annotate every error though, I found I made too many mistakes. I kept forgetting to log the function name or I would misspell it, etc. I switched to use <code>github.com/pkg/errors</code> because of it's stack trace capability as well as the integration <code>zerolog</code> has with it. Stack trace for errors can certainly be overkill though, hence the ability to turn it on/off with a service for tactical usage can come in handy.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--D1EU27_p--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t7e1udl8hoibpig7q084.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--D1EU27_p--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t7e1udl8hoibpig7q084.gif" alt='Twin Peaks Log Lady holding log saying "My log does not judge."'></a></p> <blockquote> <p>No actual logs were harmed in this post.</p> </blockquote> go logging template restapi Dan Gillis Mon, 21 Jun 2021 14:48:56 +0000 https://forem.com/gilcrest/rest-api-error-handling-in-go-14hn https://forem.com/gilcrest/rest-api-error-handling-in-go-14hn <p>Handling errors is really important in Go. Errors are first class citizens and there are many different approaches for handling them. Initially I started off basing my error handling almost entirely on a <a href="https://commandcenter.blogspot.com/2017/12/error-handling-in-upspin.html">blog post from Rob Pike</a> and created a carve-out from his code to meet my needs. It served me well for a long time, but found over time I wanted a way to easily get a stacktrace of the error, which led me to Dave Cheney's <a href="https://github.com/pkg/errors">https://github.com/pkg/errors</a> package. I now use a combination of the two. The implementation below is sourced from my <a href="https://github.com/gilcrest/go-api-basic">go-api-basic</a> repo, indeed, this post will be folded into its <a href="https://github.com/gilcrest/go-api-basic#errors">README</a> as well.</p> <h2> Requirements </h2> <p>My requirements for REST API error handling are the following:</p> <ul> <li>Requests for users who are <em>not</em> properly <strong><em>authenticated</em></strong> should return a <code>401 Unauthorized</code> error with a <code>WWW-Authenticate</code> response header and an empty response body.</li> <li>Requests for users who are authenticated, but do not have permission to access the resource, should return a <code>403 Forbidden</code> error with an empty response body.</li> <li>All requests which are due to a client error (invalid data, malformed JSON, etc.) should return a <code>400 Bad Request</code> and a response body which looks similar to the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"input_validation_error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"param"</span><span class="p">:</span><span class="w"> </span><span class="s2">"director"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"director is required"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li>All requests which incur errors as a result of an internal server or database error should return a <code>500 Internal Server Error</code> and not leak any information about the database or internal systems to the client. These errors should return a response body which looks like the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"internal_error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"internal server error - please contact support"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>All errors should return a <code>Request-Id</code> response header with a unique request id that can be used for debugging to find the corresponding error in logs.</p> <h2> Implementation </h2> <p>All errors should be raised using custom errors from the <a href="https://github.com/gilcrest/go-api-basic/tree/main/domain/errs">domain/errs</a> package. The three custom errors correspond directly to the requirements above.</p> <h3> Typical Errors </h3> <p>Typically, errors raised throughout <a href="https://github.com/gilcrest/go-api-basic">go-api-basic</a> are the custom <code>errs.Error</code>, which looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Error</span> <span class="k">struct</span> <span class="p">{</span> <span class="c">// User is the username of the user attempting the operation.</span> <span class="n">User</span> <span class="n">UserName</span> <span class="c">// Kind is the class of error, such as permission failure,</span> <span class="c">// or "Other" if its class is unknown or irrelevant.</span> <span class="n">Kind</span> <span class="n">Kind</span> <span class="c">// Param represents the parameter related to the error.</span> <span class="n">Param</span> <span class="n">Parameter</span> <span class="c">// Code is a human-readable, short representation of the error</span> <span class="n">Code</span> <span class="n">Code</span> <span class="c">// The underlying error that triggered this one, if any.</span> <span class="n">Err</span> <span class="kt">error</span> <span class="p">}</span> </code></pre> </div> <p>These errors are raised using the <code>E</code> function from the <a href="https://github.com/gilcrest/go-api-basic/tree/main/domain/errs">domain/errs</a> package. <code>errs.E</code> is taken from Rob Pike's <a href="https://github.com/upspin/upspin/tree/master/errors">upspin errors package</a> (but has been changed based on my requirements). The <code>errs.E</code> function call is <a href="https://en.wikipedia.org/wiki/Variadic">variadic</a> and can take several different types to form the custom <code>errs.Error</code> struct.</p> <p>Here is a simple example of creating an <code>error</code> using <code>errs.E</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">err</span> <span class="o">:=</span> <span class="n">errs</span><span class="o">.</span><span class="n">E</span><span class="p">(</span><span class="s">"seems we have an error here"</span><span class="p">)</span> </code></pre> </div> <p>When a string is sent, an error will be created using the <code>errors.New</code> function from <code>github.com/pkg/errors</code> and added to the <code>Err</code> element of the struct, which allows retrieval of the error stacktrace later on. In the above example, <code>User</code>, <code>Kind</code>, <code>Param</code> and <code>Code</code> would all remain unset.</p> <p>You can set any of these custom <code>errs.Error</code> fields that you like, for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">Movie</span><span class="p">)</span> <span class="n">SetReleased</span><span class="p">(</span><span class="n">r</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">Movie</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">RFC3339</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errs</span><span class="o">.</span><span class="n">E</span><span class="p">(</span><span class="n">errs</span><span class="o">.</span><span class="n">Validation</span><span class="p">,</span> <span class="n">errs</span><span class="o">.</span><span class="n">Code</span><span class="p">(</span><span class="s">"invalid_date_format"</span><span class="p">),</span> <span class="n">errs</span><span class="o">.</span><span class="n">Parameter</span><span class="p">(</span><span class="s">"release_date"</span><span class="p">),</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">m</span><span class="o">.</span><span class="n">Released</span> <span class="o">=</span> <span class="n">t</span> <span class="k">return</span> <span class="n">m</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Above, we used <code>errs.Validation</code> to set the <code>errs.Kind</code> as <code>Validation</code>. Valid error <code>Kind</code> are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">const</span> <span class="p">(</span> <span class="n">Other</span> <span class="n">Kind</span> <span class="o">=</span> <span class="no">iota</span> <span class="c">// Unclassified error. This value is not printed in the error message.</span> <span class="n">Invalid</span> <span class="c">// Invalid operation for this type of item.</span> <span class="n">IO</span> <span class="c">// External I/O error such as network failure.</span> <span class="n">Exist</span> <span class="c">// Item already exists.</span> <span class="n">NotExist</span> <span class="c">// Item does not exist.</span> <span class="n">Private</span> <span class="c">// Information withheld.</span> <span class="n">Internal</span> <span class="c">// Internal error or inconsistency.</span> <span class="n">BrokenLink</span> <span class="c">// Link target does not exist.</span> <span class="n">Database</span> <span class="c">// Error from database.</span> <span class="n">Validation</span> <span class="c">// Input validation error.</span> <span class="n">Unanticipated</span> <span class="c">// Unanticipated error.</span> <span class="n">InvalidRequest</span> <span class="c">// Invalid Request</span> <span class="p">)</span> </code></pre> </div> <p><code>errs.Code</code> represents a short code to respond to the client with for error handling based on codes (if you choose to do this) and is any string you want to pass.</p> <p><code>errs.Parameter</code> represents the parameter that is being validated or has problems, etc.</p> <blockquote> <p>Note in the above example, instead of passing a string and creating a new error inside the <code>errs.E</code> function, I am directly passing the error returned by the <code>time.Parse</code> function to <code>errs.E</code>. The error is then added to the <code>Err</code> field using <code>errors.WithStack</code> from the <code>github.com/pkg/errors</code> package. This will enable stacktrace retrieval later as well.</p> </blockquote> <p>There are a few helpers in the <code>errs</code> package as well, namely the <code>errs.MissingField</code> function which can be used when validating missing input on a field. This idea comes from <a href="https://medium.com/@matryer/patterns-for-decoding-and-validating-input-in-go-data-apis-152291ac7372">this Mat Ryer post</a> and is pretty handy.</p> <p>Here is an example in practice:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// IsValid performs validation of the struct</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">Movie</span><span class="p">)</span> <span class="n">IsValid</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">switch</span> <span class="p">{</span> <span class="k">case</span> <span class="n">m</span><span class="o">.</span><span class="n">Title</span> <span class="o">==</span> <span class="s">""</span><span class="o">:</span> <span class="k">return</span> <span class="n">errs</span><span class="o">.</span><span class="n">E</span><span class="p">(</span><span class="n">errs</span><span class="o">.</span><span class="n">Validation</span><span class="p">,</span> <span class="n">errs</span><span class="o">.</span><span class="n">Parameter</span><span class="p">(</span><span class="s">"title"</span><span class="p">),</span> <span class="n">errs</span><span class="o">.</span><span class="n">MissingField</span><span class="p">(</span><span class="s">"title"</span><span class="p">))</span> </code></pre> </div> <p>The error message for the above would read <strong>title is required</strong></p> <p>There is also <code>errs.InputUnwanted</code> which is meant to be used when a field is populated with a value when it is not supposed to be.</p> <h3> Typical Error Flow </h3> <p>As errors created with <code>errs.E</code> move up the call stack, they can just be returned, like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">inner</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="n">errs</span><span class="o">.</span><span class="n">E</span><span class="p">(</span><span class="s">"seems we have an error here"</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">middle</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">inner</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">outer</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">middle</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>In the above example, the error is created in the <code>inner</code> function - <code>middle</code> and <code>outer</code> return the error as is typical in Go.</p> </blockquote> <p>You can add additional context fields (<code>errs.Code</code>, <code>errs.Parameter</code>, <code>errs.Kind</code>) as the error moves up the stack, however, I try to add as much context as possible at the point of error origin and only do this in rare cases.</p> <h3> Handler Flow </h3> <p>At the top of the program flow for each service is the app service handler (for example, <a href="https://github.com/gilcrest/go-api-basic/blob/main/app/handlers.go">Server.handleMovieCreate</a>). In this handler, any error returned from any function or method is sent through the <code>errs.HTTPErrorResponse</code> function along with the <code>http.ResponseWriter</code> and a <code>zerolog.Logger</code>.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">response</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">CreateMovieService</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="n">rb</span><span class="p">,</span> <span class="n">u</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">errs</span><span class="o">.</span><span class="n">HTTPErrorResponse</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">logger</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> </code></pre> </div> <p><code>errs.HTTPErrorResponse</code> takes the custom error (<code>errs.Error</code>, <code>errs.Unauthenticated</code> or <code>errs.UnauthorizedError</code>), writes the response to the given <code>http.ResponseWriter</code> and logs the error using the given <code>zerolog.Logger</code>.</p> <blockquote> <p><code>return</code> must be called immediately after <code>errs.HTTPErrorResponse</code> to return the error to the client.</p> </blockquote> <h4> Typical Error Response </h4> <p>For the <code>errs.Error</code> type, <code>errs.HTTPErrorResponse</code> writes the HTTP response body as JSON using the <code>errs.ErrResponse</code> struct.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// ErrResponse is used as the Response Body</span> <span class="k">type</span> <span class="n">ErrResponse</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Error</span> <span class="n">ServiceError</span> <span class="s">`json:"error"`</span> <span class="p">}</span> <span class="c">// ServiceError has fields for Service errors. All fields with no data will</span> <span class="c">// be omitted</span> <span class="k">type</span> <span class="n">ServiceError</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Kind</span> <span class="kt">string</span> <span class="s">`json:"kind,omitempty"`</span> <span class="n">Code</span> <span class="kt">string</span> <span class="s">`json:"code,omitempty"`</span> <span class="n">Param</span> <span class="kt">string</span> <span class="s">`json:"param,omitempty"`</span> <span class="n">Message</span> <span class="kt">string</span> <span class="s">`json:"message,omitempty"`</span> <span class="p">}</span> </code></pre> </div> <p>When the error is returned to the client, the response body JSON looks like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"input_validation_error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"invalid_date_format"</span><span class="p">,</span><span class="w"> </span><span class="nl">"param"</span><span class="p">:</span><span class="w"> </span><span class="s2">"release_date"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"parsing time </span><span class="se">\"</span><span class="s2">1984a-03-02T00:00:00Z</span><span class="se">\"</span><span class="s2"> as </span><span class="se">\"</span><span class="s2">2006-01-02T15:04:05Z07:00</span><span class="se">\"</span><span class="s2">: cannot parse </span><span class="se">\"</span><span class="s2">a-03-02T00:00:00Z</span><span class="se">\"</span><span class="s2"> as </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>In addition, the error is logged. If <code>zerolog.ErrorStackMarshaler</code> is set to log error stacks (more about this in a later post), the logger will log the full error stack, which can be super helpful when trying to identify issues.</p> <p>The error log will look like the following (<em>I cut off parts of the stack for brevity</em>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"127.0.0.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PostmanRuntime/7.26.8"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bvol0mtnf4q269hl3ra0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stack"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"func"</span><span class="p">:</span><span class="w"> </span><span class="s2">"E"</span><span class="p">,</span><span class="w"> </span><span class="nl">"line"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"errs.go"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"func"</span><span class="p">:</span><span class="w"> </span><span class="s2">"(*Movie).SetReleased"</span><span class="p">,</span><span class="w"> </span><span class="nl">"line"</span><span class="p">:</span><span class="w"> </span><span class="s2">"76"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"movie.go"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"func"</span><span class="p">:</span><span class="w"> </span><span class="s2">"(*MovieController).CreateMovie"</span><span class="p">,</span><span class="w"> </span><span class="nl">"line"</span><span class="p">:</span><span class="w"> </span><span class="s2">"139"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"create.go"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"parsing time </span><span class="se">\"</span><span class="s2">1984a-03-02T00:00:00Z</span><span class="se">\"</span><span class="s2"> as </span><span class="se">\"</span><span class="s2">2006-01-02T15:04:05Z07:00</span><span class="se">\"</span><span class="s2">: cannot parse </span><span class="se">\"</span><span class="s2">a-03-02T00:00:00Z</span><span class="se">\"</span><span class="s2"> as </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"HTTPStatusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">400</span><span class="p">,</span><span class="w"> </span><span class="nl">"Kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"input_validation_error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Parameter"</span><span class="p">:</span><span class="w"> </span><span class="s2">"release_date"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"invalid_date_format"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="mi">1609650267</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Response Error Sent"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>Note: <code>E</code> will usually be at the top of the stack as it is where the <code>errors.New</code> or <code>errors.WithStack</code> functions are being called.</p> </blockquote> <h4> Internal or Database Error Response </h4> <p>There is logic within <code>errs.HTTPErrorResponse</code> to return a different response body if the <code>errs.Kind</code> is <code>Internal</code> or <code>Database</code>. As per the requirements, we should not leak the error message or any internal stack, etc. when an internal or database error occurs. If an error comes through and is an <code>errs.Error</code> with either of these error <code>Kind</code> or is unknown error type in any way, the response will look like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"internal_error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"internal server error - please contact support"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Unauthenticated Errors </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">UnauthenticatedError</span> <span class="k">struct</span> <span class="p">{</span> <span class="c">// WWWAuthenticateRealm is a description of the protected area.</span> <span class="c">// If no realm is specified, "DefaultRealm" will be used as realm</span> <span class="n">WWWAuthenticateRealm</span> <span class="kt">string</span> <span class="c">// The underlying error that triggered this one, if any.</span> <span class="n">Err</span> <span class="kt">error</span> <span class="p">}</span> </code></pre> </div> <p>The <a href="https://tools.ietf.org/html/rfc7235#section-3.1">spec</a> for <code>401 Unauthorized</code> calls for a <code>WWW-Authenticate</code> response header along with a <code>realm</code>. The realm should be set when creating an Unauthenticated error. The <code>errs.NewUnauthenticatedError</code> function initializes an <code>UnauthenticatedError</code>.</p> <blockquote> <p>I generally like to follow the Go idiom for brevity in all things as much as possible, but for <code>Unauthenticated</code> vs. <code>Unauthorized</code> errors, it's confusing enough as it is already, I don't take any shortcuts.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">NewUnauthenticatedError</span><span class="p">(</span><span class="n">realm</span> <span class="kt">string</span><span class="p">,</span> <span class="n">err</span> <span class="kt">error</span><span class="p">)</span> <span class="o">*</span><span class="n">UnauthenticatedError</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">UnauthenticatedError</span><span class="p">{</span><span class="n">WWWAuthenticateRealm</span><span class="o">:</span> <span class="n">realm</span><span class="p">,</span> <span class="n">Err</span><span class="o">:</span> <span class="n">err</span><span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Unauthenticated Error Flow </h4> <p>The <code>errs.Unauthenticated</code> error should only be raised at points of authentication as part of a middleware handler. I will get into application flow in detail later, but authentication for <code>go-api-basic</code> happens in middleware handlers prior to calling the app handler for the given route.</p> <ul> <li>The <code>WWW-Authenticate</code> <em>realm</em> is set to the request context using the <code>defaultRealmHandler</code> middleware in the <a href="https://github.com/gilcrest/go-api-basic/blob/main/app/middleware.go">app package</a> prior to attempting authentication.</li> <li>Next, the Oauth2 access token is retrieved from the <code>Authorization</code> http header using the <code>accessTokenHandler</code> middleware. There are several access token validations in this middleware, if any are not successful, the <code>errs.Unauthenticated</code> error is returned using the realm set to the request context.</li> <li>Finally, if the access token is successfully retrieved, it is then converted to a <code>User</code> via the <code>GoogleAccessTokenConverter.Convert</code> method in the <code>gateway/authgateway</code> package. This method sends an outbound request to Google using their API; if any errors are returned, an <code>errs.Unauthenticated</code> error is returned.</li> </ul> <blockquote> <p>In general, I do not like to use <code>context.Context</code>, however, it is used in <a href="https://github.com/gilcrest/go-api-basic">go-api-basic</a> to pass values between middlewares. The <code>WWW-Authenticate</code> <em>realm</em>, the Oauth2 access token and the calling user after authentication, all of which are <code>request-scoped</code> values, are all set to the request <code>context.Context</code>.</p> </blockquote> <h4> Unauthenticated Error Response </h4> <p>Per requirements, <a href="https://github.com/gilcrest/go-api-basic">go-api-basic</a> does not return a response body when returning an <strong>Unauthenticated</strong> error. The error response from <a href="https://curl.se/">cURL</a> looks like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>HTTP/1.1 401 Unauthorized Request-Id: c30hkvua0brkj8qhk3e0 Www-Authenticate: Bearer <span class="nv">realm</span><span class="o">=</span><span class="s2">"go-api-basic"</span> Date: Wed, 09 Jun 2021 19:46:07 GMT Content-Length: 0 </code></pre> </div> <h3> Unauthorized Errors </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">UnauthorizedError</span> <span class="k">struct</span> <span class="p">{</span> <span class="c">// The underlying error that triggered this one, if any.</span> <span class="n">Err</span> <span class="kt">error</span> <span class="p">}</span> </code></pre> </div> <p>The <code>errs.NewUnauthorizedError</code> function initializes an <code>UnauthorizedError</code>.</p> <h4> Unauthorized Error Flow </h4> <p>The <code>errs.Unauthorized</code> error is raised when there is a permission issue for a user when attempting to access a resource. Currently, <code>go-api-basic</code>'s placeholder authorization implementation <code>Authorizer.Authorize</code> in the <a href="https://github.com/gilcrest/go-api-basic/blob/main/domain/auth/auth.go">domain/auth</a> package performs rudimentary checks that a user has access to a resource. If the user does not have access, the <code>errs.Unauthorized</code> error is returned.</p> <p>Per requirements, <a href="https://github.com/gilcrest/go-api-basic">go-api-basic</a> does not return a response body when returning an <strong>Unauthorized</strong> error. The error response from <a href="https://curl.se/">cURL</a> looks like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>HTTP/1.1 403 Forbidden Request-Id: c30hp2ma0brkj8qhk3f0 Date: Wed, 09 Jun 2021 19:54:50 GMT Content-Length: 0 </code></pre> </div> <p>404 Error Illustration by <a href="https://icons8.com/illustrations/author/5ec7b0e101d0360016f3d1b3">Pixeltrue</a> from <a href="https://icons8.com/illustrations">Ouch!</a></p> go errors restapi