Forem: hanapiko

A Deep Dive into Secure Authentication 🛡️💻

hanapiko — Fri, 13 Jun 2025 06:54:36 +0000

A few months ago, I had the opportunity to co-present a tech talk titled “JWTs in Go: A Deep Dive into Secure Authentication” And honestly? It was one of those sessions where you walk away having learned just as much as you shared.

We explored the world of JSON Web Tokens (JWTs), their role in securing modern applications, and how to implement them effectively in Go.This article is a reflection of that session, peppered with lessons and some personal takeaways that stuck with me.

What Exactly Are JWTs?

JWTs are like digital passports they help two parties trust each other without constantly asking “Who are you again?” They consist of three parts:

Header.Payload.Signature

Header: Info about the token algorithm, token type.

Payload: The claims. Think user ID, roles, or anything relevant.

Signature: Ensures that no one tampered with the token.

They’re encoded (not encrypted!) and meant to be verified, not trusted blindly.

Why JWTs in Go?

Go is fast, clean, and great for building APIs, perfect match for JWTs. Instead of maintaining clunky server-side sessions, you issue a token and validate it with every request. Stateless. Scalable. Simple.

But, and this is a big but, it’s only simple if you implement it right.

🔐 How JWT Authentication Works in Go

Here’s a super simplified flow:

- User logs in with credentials.

- Server validates credentials and generates a JWT.

- User stores the token (usually in localStorage or a cookie).

On every API request, the token is sent in the Authorization header.

- Server validates the token and either allows or denies access.

We used the popular github.com/golang-jwt/jwt/v5 package to do the heavy lifting.

Generating a Token

func GenerateJWT(username string) (string, error) {
     claims := jwt.RegisteredClaims{
        Subject:   username,
        ExpiresAt: jwt.NewNumericDate(time.Now().Add(2 * time.Hour)),
        IssuedAt:  jwt.NewNumericDate(time.Now()),
    }

    token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
    return token.SignedString([]byte("your-secret-key"))
}

Validating a Token

func ValidateJWT(tokenStr string) (*jwt.RegisteredClaims, error) {
    token, err := jwt.ParseWithClaims(tokenStr, &jwt.RegisteredClaims{}, func(t *jwt.Token) (interface{}, error) {
        return []byte("your-secret-key"), nil
    })

    if err != nil || !token.Valid {
        return nil, err
    }

    claims, ok := token.Claims.(*jwt.RegisteredClaims)
    if !ok {
        return nil, errors.New("invalid claims")
    }

    return claims, nil
}

Hard Earned Lessons

Some mistakes we’ve either made or seen others make:

❌ Storing sensitive data (like passwords!) in the JWT payload. Never do this.

❌ Forgetting to set expiration times (exp) - leads to tokens that never die.

❌ Using weak secrets. A JWT signed with mysecret123 is an open invitation to attackers.

Instead:

✅ Use short-lived access tokens + refresh tokens.

✅ Secure your secrets with env vars or vaults.

✅ Always validate all claims, even the ones you don’t think matter.

🔄 Bonus: Token Refreshing

If you’ve ever had to juggle access + refresh tokens, you know it’s not trivial. Go doesn’t magically handle this, you have to build a strategy.

Final Thoughts

JWTs are powerful, but they’re not magic. Go gives you the tools to implement them efficiently, but security is always in the details.

Never trust a token blindly.

Always validate everything.

And don’t forget the human side of engineering, code is only part of the equation.

WebSocket vs HTTP: Understanding the Real Difference

hanapiko — Thu, 22 May 2025 12:47:10 +0000

Ever built something that needed real-time updates and found yourself wondering if HTTP alone could cut it? I’ve been there too. In this post, I’ll walk you through the key differences between HTTP and WebSocket, technologies you’ll often encounter when building modern web applications.

What’s the Core Difference?

Both HTTP and WebSocket are protocols used for communication between a client and a server. But they operate very differently and that matters a lot depending on what you're building.

HTTP: Request-Response, Stateless

HTTP is the way the web communicates. A client (like your browser) sends a request, and the server sends a response. That’s it. Once the transaction is done, the connection usually closes.

Great for:

- Web pages

- REST APIs

- Static resources

Not so great for:

- Anything that needs real-time data updates

WebSocket: Full-Duplex, Persistent

WebSocket is designed for continuous, two-way communication. After an initial handshake over HTTP, the connection upgrades to WebSocket and stays open. Both client and server can push messages to each other anytime.

Perfect for:

- Live chat

- Online games

- Stock tickers

Collaborative editing tools

HTTP runs securely over HTTPS. Well supported, widely used, and easy to scale.

WebSocket uses WSS (WebSocket Secure) for encrypted traffic. Requires a bit more care in implementation, especially with authentication and origin checks.

Both protocols are supported by all modern browsers and most cloud/server infrastructures.
💡 So… When Should You Use Each?

If your app:

Only needs data when a user does something (like clicking a button)

Is stateless or RESTful

✅ Use HTTP

If your app:

Needs to send or receive data without user action

Updates in real-time

🔥 Go with WebSocket
🧠 Final Thoughts

Whether you're building a chat app or just exploring backend development, understanding the difference between HTTP and WebSocket will help you design smarter, more efficient systems.

Let me know your thoughts or experiences in the comments

Introduction to Runes

hanapiko — Wed, 16 Oct 2024 06:08:02 +0000

When programming, dealing with text is a common task. Different programming languages have various ways to handle text, and Go (also known as Golang) has a special concept called "runes" to make working with characters easier. This guide will help you understand what runes are, why they’re important, and how to use them in Go.
What is a Rune?

In Go, a rune is a type that represents a single character. But it’s more than just a letter or symbol; a rune corresponds to a Unicode code point. Unicode is a system that assigns a unique number to every character from different languages and symbols.

Here’s a simple breakdown:

Characters: These are the letters, numbers, and symbols you see in text, like 'A', '1', or '#'.
Unicode: This system gives each character a unique number. For example, 'A' has a Unicode code point of U+0041.

In Go, a rune is just an int32, which means it can store any Unicode character.
Why Use Runes?

Runes are useful for several reasons:

Support for Multiple Languages: Runes allow you to handle characters from many languages and symbols, making your programs more versatile.
Clear Code: When you use runes, it’s clear that you’re dealing with characters, not just raw bytes.
Text Manipulation: Runes make it easier to work with text, especially when dealing with complex characters that take up more than one byte.

Basic Rune Operations

Here’s how to work with runes in Go:

Declaring Runes

You can declare a rune in Go using single quotes. For example:

var r rune = 'A'

This creates a rune variable r with the character 'A'.

Printing Runes

To print a rune, use the %c format in fmt.Printf to show the character. For example:

package main

import "fmt"

func main() {
var r rune = 'A'
fmt.Printf("Rune: %c, Unicode: %U\n", r, r)
}

Output:

Rune: A, Unicode: U+0041

This shows both the character and its Unicode value.

Working with Strings and Runes

In Go, strings are sequences of bytes, which can be tricky when handling characters that use multiple bytes. To handle this, you can use runes:

package main

import "fmt"

func main() {
str := "Hello, 世界" // "Hello, World" in Mandarin

for i, r := range str {
    fmt.Printf("%d: %c (Unicode: %U)\n", i, r, r)
}

}

Output:
0: H (Unicode: U+0048)
1: e (Unicode: U+0065)
2: l (Unicode: U+006C)
3: l (Unicode: U+006C)
4: o (Unicode: U+006F)
5: , (Unicode: U+002C)
6: (Unicode: U+0020)
7: 世 (Unicode: U+4E16)
9: 界 (Unicode: U+754C)

This code shows how to loop through each character in a string, including multi-byte characters.

Rune Slices

You can also create a slice of runes, which is useful for working with a collection of characters. Here’s how to convert a string into a rune slice:

package main

import "fmt"

func main() {
str := "Go is fun!"
runeSlice := []rune(str)

for i, r := range runeSlice {
    fmt.Printf("Index %d: %c\n", i, r)
}

}

Output:
Index 0: G
Index 1: o
Index 2:

Index 3: i
Index 4: s
Index 5:

Index 6: f
Index 7: u
Index 8: n
Index 9: !

This shows each character in the string "Go is fun!" as a separate rune.
Practical Uses of Runes

Understanding runes is useful in several scenarios:

Supporting Multiple Languages: When your application needs to handle different languages, runes help manage text accurately.
Text Processing: For tasks like searching or formatting text, runes make it easier to work with individual characters.
Command-Line Tools: If your tool processes text input, runes ensure it works correctly with various characters.
Emoji Handling: Since emojis are Unicode characters, runes help you include them in your text without issues.

Conclusion

Runes are a powerful feature in Go that simplify working with text and characters. By representing each character as a Unicode code point, runes help you manage text in a flexible and clear way. With this guide, you should have a good start on understanding and using runes in your Go programs