- Home
- Skills
- Linehaul Ai
- Linehaulai Claude Marketplace
- Goth Echo Security
goth-echo-security_skill
- Go
3
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill linehaul-ai/linehaulai-claude-marketplace --skill goth-echo-security- SKILL.md11.1 KB
Overview
This skill explains how to integrate the Goth OAuth library with the Echo web framework and implement secure session management. It provides concrete handler wrappers, provider lookup adjustments for Echo, and recommended session stores and security patterns. Use it to get a ready-to-use, secure authentication surface for Go web apps using Goth + Echo.
How this skill works
It adapts goth/gothic to Echo by overriding provider lookup and wrapping Gothic handlers so Echo path parameters and context work correctly. It shows how to initialize cookie, Redis, or Postgres-backed session stores and offers middleware for protected routes, token refresh, and session regeneration. Security guidance covers cookie options, CSRF via OAuth state, HTTPS enforcement, and rate limiting.
When to use it
- You need OAuth login integrated with Echo routes (e.g., /auth/:provider and callbacks).
- You must store sessions securely across single-instance or distributed deployments (cookies, Redis, Postgres).
- You want to protect auth routes with middleware, rate limiting, and CSRF safeguards.
- You need guidance on session secrets, cookie flags, and session regeneration to prevent hijacking.
- You want token-refresh and server-side token storage patterns for long-lived sessions.
Best practices
- Require a SESSION_SECRET of at least 32 random bytes and load it from a secure environment variable.
- Set cookie Options: Secure=true in production, HttpOnly=true, SameSite=Lax or Strict, and proper MaxAge and Path.
- Regenerate session IDs after successful authentication to mitigate session fixation; delete old session before creating a new one.
- Store access and refresh tokens server-side only; never return tokens to the browser or client JavaScript.
- Use HTTPS for callbacks and enable HTTPS redirect middleware in Echo for production.
- Add rate limiting to /auth endpoints and validate provider state (goth handles state but check errors and fail safe).
Example use cases
- Add Google, GitHub, or other providers to an Echo app with routes /auth/:provider and /auth/:provider/callback.
- Switch from CookieStore to Redis or Postgres when deploying multiple app instances behind a load balancer.
- Protect dashboard routes with RequireAuth middleware that checks session user_id and redirects to login.
- Implement token refresh on-demand in middleware to keep access tokens valid server-side.
- Enforce security checklist before production: secure cookies, strong secret, HTTPS, session regeneration, and rate limiting.
FAQ
Override gothic.GetProviderName to extract the provider from r.URL.Query() or parse the path segments. Set c.Param(":provider") into the request query before calling Gothic handlers.
Which session store should I use in production?
Use a distributed store (Redis or Postgres) for multi-instance deployments. CookieStore is fine for single-instance apps but ensure a strong SESSION_SECRET and secure cookie options.