I think its redundant. Here's a piece of code that does salting when bcrypt.GenerateFromPassword used.

Not sure if you are interested in merging it but I started a boltdb backend for this library. I can issue a pull request if you are interested when it is finished and has test code.

I want to use Sourcegraph code search and code review with httpauth. A project maintainer needs to enable it to set up a webhook so the code is up-to-date there.

Could you please enable httpauth on @sourcegraph by going to https://sourcegraph.com/github.com/apexskier/httpauth and clicking on Settings? (It should only take 15 seconds.)

Thank you!

This gives more information to the programmer, and could let them catch bugs somewhere else quicker.

Just safer overall to let any suspicious behavior be known.

Tests failing - https://github.com/apexskier/httpauth/blob/mjhall-mongodb/mongoBackend_test.go#L175

Updating user data results in incorrect user email for mongodb.

Instead of directly returning errors, prepend where they're coming from.

Should return errors.

See #7 (comment).

Should increase performance.

Such as

• Revel
• Martini
• Gorilla

There should be an option to make sure the cookie storage requires secure cookies for sites that have https available. It needs to be optional so that it would be supported in dev/testing environments that don't support https.

One possibility would be to add another argument to the NewAuthorizer:

func NewAuthorizer(backend AuthBackend, secureCookie bool, key []byte, defaultRole string, roles map[string]Role) (Authorizer, error) {
    var a Authorizer
    a.cookiejar = sessions.NewCookieStore([]byte(key))
    a.cookiejar.Options.Secure = secureCookie
...
}

or make it secure by default and require calling a Method to make it insecure (best practice):

func NewAuthorizer(backend AuthBackend, key []byte, defaultRole string, roles map[string]Role) (Authorizer, error) {
    var a Authorizer
    a.cookiejar = sessions.NewCookieStore([]byte(key))
    a.cookiejar.Options.Secure = true
...
}

func (a Authorizer) AllowNonHttpsCookie() {
    a.cookiejar.Options.Secure = false
}

One related issue to cover is that currently a login seems to fail silently if a.cookiejar.Options.Secure is set to true and it is on a site that does not support https.

You use a bcrypt cost of 8 (https://github.com/apexskier/httpauth/blob/master/auth.go#L177). Go's default bcrypt cost is 10 (https://github.com/golang/crypto/blob/master/bcrypt/bcrypt.go#L23). Not really an important issue. You may want to make this configurable.

https://github.com/dghubble/sessions looks like a better alternative session handling library than gorilla/sessions -- Have we considered it?

Reopen after closing and verify all data still exists.

Hello! Could you state what license this project has?

Checking the string is a very bad idea, and it is a much better idea to create exported error types, such as ErrorAlreadyAuthenticated that we can check for instead of relying on checking the string contents of err.Error(). err.Error() is for the user to read, not the machines.

http://dave.cheney.net/2016/04/27/dont-just-check-errors-handle-them-gracefully is a good read detailing how it's best to go about this. :-)

He is also involved in a package that follows the rules he suggests in the blogpost https://github.com/pkg/errors

Tests failing - https://github.com/apexskier/httpauth/blob/mjhall-mongodb/mongoBackend_test.go#L70

The intent of this test is to connect to an existing mongoldb with saved data and pull correct info out of it.

I read the documentation but i didn't find how to modify UserData Model.