jwtauth VS jwt

It's difficult to assess their security response because it doesn't seem that they've had any CVEs. A different project by the go-chi maintainers, jwtauth, did have to address moving away from a vulnerable dependency, which took them almost 3 months to fix. So, not ideal - but jwtauth isn't as active or used anywhere near as much as chi itself, so doesn't necessarily reflect their responsiveness to a chi vulnerability.

This release has a good deal of security improvements, with more to come in the next release. Also some very nice features implemented by our contributors. Thanks to [you all](https://github.com/navidrome/navidrome/graphs/contributors?from=2021-04-26&to=2021-05-24&type=c)! ## Highlights - [UI] Option to toggle fields in songs, albums & artists grids (#923). Thanks @aldrinjenson - [UI] Allow regular users to change their info, including passwords (#199) - [UI] Displays BPM info (#1087). Thanks @brianschrameck - [UI] Add Czech, Slovenian and Swedish translations. Thanks @plr20, @jernejml and @deeeeeebs respectively - [UI] Restart current song when clicking "Previous song" in its first seconds (#1104). Thanks @aniketbiswas21 - [UI] Show error message when adding duplicated username, and other user management improvements (#1101). Thanks @srichter - [Server] Never send passwords to the UI - [Server] Implement PermissionsPolicy security header (#1112). Thanks @Dnouv - [Server] Move away from unmaintained JWT library (see https://github.com/go-chi/jwtauth/issues/50) - [Server] Add `EnableLogRedacting` to mask sensitive info in logs. Enabled by default - [Server] Make server compilable on OmniOS/illumos (#1048) Thanks @whorfin - [Scanner] Various reliability and speed improvements (#1054) Thanks @whorfin - [Scanner] Add new `ScanSchedule` that replaces `ScanInterval` and allow [cron-like](https://en.wikipedia.org/wiki/Cron) schedules - [Subsonic API] Fix Bookmarks Subsonic support (#1099) Downloads are available in GitHub: https://github.com/navidrome/navidrome/releases/tag/v0.43.0

To add JWT authentication to our ToDo application, we'll be using the Golang-jwt library. The golang-jwt package simplifies the implementation of JWTs in Go applications, offering a suite of convenient functions that abstract away the complexities associated with token creation, verification, and management.

golang-jwt/jwt - GitHub

To create a secure Role-based authentication scheme, we need to generate a unique token when the user authenticates. This is then used to track their assigned role as they consume the availed resources. In this project we are going to use the jwt-go package to generate a JWT token that will encapsulate the user details, assigned role and permissions.

Yes. Currently maintained version is here: https://github.com/golang-jwt/jwt

Libraries used bcrypt: https://pkg.go.dev/golang.org/x/crypto/bcrypt golang-jwt: https://github.com/golang-jwt/jwt Gin (Http framework): https://github.com/gin-gonic/gin

We will implement Golang JWT authentication using a go-jwt package.

Authorization jwt

At least template-wise, I've developed pongo2 mimicking Django's template engine which I use myself for various projects. For the rest I usually stick with the standard library (net/http), golang-jwt, the Gorilla toolkit (note that it's been archived recently) and some software architecture patterns for middlewares, database abstraction, etc.

Either way, you will need to validate the signature of the JWT. You can do this with the public key and a library such as https://github.com/golang-jwt/jwt.