goth-echo-security_skill

This skill helps secure Goth integration with Echo by enabling safe session management, provider handling, and token storage across routes.
  • Go

3

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill linehaul-ai/linehaulai-claude-marketplace --skill goth-echo-security

  • SKILL.md11.1 KB

Overview

This skill explains how to integrate the Goth OAuth library with the Echo web framework and implement secure session management. It provides concrete handler wrappers, provider lookup adjustments for Echo, and recommended session stores and security patterns. Use it to get a ready-to-use, secure authentication surface for Go web apps using Goth + Echo.

How this skill works

It adapts goth/gothic to Echo by overriding provider lookup and wrapping Gothic handlers so Echo path parameters and context work correctly. It shows how to initialize cookie, Redis, or Postgres-backed session stores and offers middleware for protected routes, token refresh, and session regeneration. Security guidance covers cookie options, CSRF via OAuth state, HTTPS enforcement, and rate limiting.

When to use it

  • You need OAuth login integrated with Echo routes (e.g., /auth/:provider and callbacks).
  • You must store sessions securely across single-instance or distributed deployments (cookies, Redis, Postgres).
  • You want to protect auth routes with middleware, rate limiting, and CSRF safeguards.
  • You need guidance on session secrets, cookie flags, and session regeneration to prevent hijacking.
  • You want token-refresh and server-side token storage patterns for long-lived sessions.

Best practices

  • Require a SESSION_SECRET of at least 32 random bytes and load it from a secure environment variable.
  • Set cookie Options: Secure=true in production, HttpOnly=true, SameSite=Lax or Strict, and proper MaxAge and Path.
  • Regenerate session IDs after successful authentication to mitigate session fixation; delete old session before creating a new one.
  • Store access and refresh tokens server-side only; never return tokens to the browser or client JavaScript.
  • Use HTTPS for callbacks and enable HTTPS redirect middleware in Echo for production.
  • Add rate limiting to /auth endpoints and validate provider state (goth handles state but check errors and fail safe).

Example use cases

  • Add Google, GitHub, or other providers to an Echo app with routes /auth/:provider and /auth/:provider/callback.
  • Switch from CookieStore to Redis or Postgres when deploying multiple app instances behind a load balancer.
  • Protect dashboard routes with RequireAuth middleware that checks session user_id and redirects to login.
  • Implement token refresh on-demand in middleware to keep access tokens valid server-side.
  • Enforce security checklist before production: secure cookies, strong secret, HTTPS, session regeneration, and rate limiting.

FAQ

Override gothic.GetProviderName to extract the provider from r.URL.Query() or parse the path segments. Set c.Param(":provider") into the request query before calling Gothic handlers.

Which session store should I use in production?

Use a distributed store (Redis or Postgres) for multi-instance deployments. CookieStore is fine for single-instance apps but ensure a strong SESSION_SECRET and secure cookie options.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
goth-echo-security skill by linehaul-ai/linehaulai-claude-marketplace | VeilStrat