playbooks

home / skills / linehaul-ai / linehaulai-claude-marketplace / goth-echo-security

goth-echo-security skill

/plugins/goth-oauth/skills/goth-echo-security

This skill helps secure Goth integration with Echo by enabling safe session management, provider handling, and token storage across routes.

npx playbooks add skill linehaul-ai/linehaulai-claude-marketplace --skill goth-echo-security

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
11.1 KB
---
name: goth-echo-security
description: This skill should be used when the user asks to "integrate goth with echo", "oauth echo framework", "echo authentication", "goth session management", "oauth security", "secure oauth", "gorilla sessions", or needs help with session storage, security patterns, or Echo framework integration for Goth.
keywords: [goth, echo, oauth2, session-management, security]
disable-model-invocation: false
user-invocable: true
---

# Goth Echo Integration & Security

Expert guidance for integrating github.com/markbates/goth with the Echo web framework and implementing secure session management.

## Echo Framework Integration

### Basic Route Setup

```go
import (
    "github.com/labstack/echo/v4"
    "github.com/markbates/goth"
    "github.com/markbates/goth/gothic"
    "github.com/markbates/goth/providers/google"
)

func main() {
    e := echo.New()

    // Auth routes
    e.GET("/auth/:provider", handleAuth)
    e.GET("/auth/:provider/callback", handleCallback)
    e.GET("/logout", handleLogout)

    e.Start(":3000")
}
```

### Provider Name from Echo Context

Override Gothic's provider getter to use Echo's path parameters:

```go
func init() {
    gothic.GetProviderName = func(r *http.Request) (string, error) {
        // Extract from Echo's :provider path param
        // The request context contains Echo's params
        provider := r.URL.Query().Get(":provider")
        if provider == "" {
            // Fallback: parse from path
            parts := strings.Split(r.URL.Path, "/")
            for i, p := range parts {
                if p == "auth" && i+1 < len(parts) {
                    return parts[i+1], nil
                }
            }
        }
        if provider == "" {
            return "", errors.New("no provider specified")
        }
        return provider, nil
    }
}
```

### Echo Handler Wrappers

Wrap Gothic handlers for Echo compatibility:

```go
func handleAuth(c echo.Context) error {
    // Set provider in query for Gothic
    q := c.Request().URL.Query()
    q.Set(":provider", c.Param("provider"))
    c.Request().URL.RawQuery = q.Encode()

    gothic.BeginAuthHandler(c.Response(), c.Request())
    return nil
}

func handleCallback(c echo.Context) error {
    q := c.Request().URL.Query()
    q.Set(":provider", c.Param("provider"))
    c.Request().URL.RawQuery = q.Encode()

    user, err := gothic.CompleteUserAuth(c.Response(), c.Request())
    if err != nil {
        return c.String(http.StatusInternalServerError, err.Error())
    }

    // Store user in session, redirect to dashboard
    return c.JSON(http.StatusOK, map[string]interface{}{
        "name":  user.Name,
        "email": user.Email,
    })
}

func handleLogout(c echo.Context) error {
    gothic.Logout(c.Response(), c.Request())
    return c.Redirect(http.StatusTemporaryRedirect, "/")
}
```

### Echo Middleware for Auth

Create middleware to protect routes:

```go
func RequireAuth(next echo.HandlerFunc) echo.HandlerFunc {
    return func(c echo.Context) error {
        session, err := gothic.Store.Get(c.Request(), gothic.SessionName)
        if err != nil || session.Values["user_id"] == nil {
            return c.Redirect(http.StatusTemporaryRedirect, "/login")
        }
        return next(c)
    }
}

// Usage
e.GET("/dashboard", handleDashboard, RequireAuth)
```

## Session Management

### Default Cookie Store

Gothic uses gorilla/sessions CookieStore by default:

```go
import "github.com/gorilla/sessions"

func initSessionStore() {
    key := []byte(os.Getenv("SESSION_SECRET"))
    if len(key) < 32 {
        log.Fatal("SESSION_SECRET must be at least 32 bytes")
    }

    store := sessions.NewCookieStore(key)
    store.MaxAge(86400 * 30)  // 30 days
    store.Options.Path = "/"
    store.Options.HttpOnly = true
    store.Options.Secure = os.Getenv("ENV") == "production"
    store.Options.SameSite = http.SameSiteLaxMode

    gothic.Store = store
}
```

### Session Secret Generation

Generate a secure session secret:

```bash
# Generate 32-byte random secret
openssl rand -base64 32
```

### Storing User Data in Session

After successful authentication:

```go
func handleCallback(c echo.Context) error {
    user, err := gothic.CompleteUserAuth(c.Response(), c.Request())
    if err != nil {
        return err
    }

    // Get or create session
    session, _ := gothic.Store.Get(c.Request(), "user-session")

    // Store user data
    session.Values["user_id"] = user.UserID
    session.Values["email"] = user.Email
    session.Values["name"] = user.Name
    session.Values["access_token"] = user.AccessToken
    session.Values["provider"] = user.Provider

    // Save session
    if err := session.Save(c.Request(), c.Response()); err != nil {
        return err
    }

    return c.Redirect(http.StatusTemporaryRedirect, "/dashboard")
}
```

### Retrieving User from Session

```go
func getCurrentUser(c echo.Context) (*UserInfo, error) {
    session, err := gothic.Store.Get(c.Request(), "user-session")
    if err != nil {
        return nil, err
    }

    userID, ok := session.Values["user_id"].(string)
    if !ok || userID == "" {
        return nil, errors.New("not authenticated")
    }

    return &UserInfo{
        UserID:   userID,
        Email:    session.Values["email"].(string),
        Name:     session.Values["name"].(string),
        Provider: session.Values["provider"].(string),
    }, nil
}
```

## Alternative Session Stores

### Redis Session Store

For distributed deployments:

```go
import "github.com/rbcervilla/redisstore/v9"

func initRedisStore() {
    client := redis.NewClient(&redis.Options{
        Addr: os.Getenv("REDIS_URL"),
    })

    store, err := redisstore.NewRedisStore(context.Background(), client)
    if err != nil {
        log.Fatal(err)
    }

    store.KeyPrefix("session_")
    store.Options(sessions.Options{
        Path:     "/",
        MaxAge:   86400 * 30,
        HttpOnly: true,
        Secure:   true,
        SameSite: http.SameSiteLaxMode,
    })

    gothic.Store = store
}
```

### Database Session Store

For PostgreSQL with pgx:

```go
import "github.com/antonlindstrom/pgstore"

func initPgStore() {
    store, err := pgstore.NewPGStoreFromPool(
        dbPool,
        []byte(os.Getenv("SESSION_SECRET")),
    )
    if err != nil {
        log.Fatal(err)
    }

    store.Options = &sessions.Options{
        Path:     "/",
        MaxAge:   86400 * 30,
        HttpOnly: true,
        Secure:   true,
    }

    gothic.Store = store
}
```

See `references/session-storage-options.md` for detailed comparison.

## Security Best Practices

### CSRF Protection with State Parameter

Goth automatically handles the OAuth state parameter for CSRF protection. Verify it's working:

```go
// Gothic handles state internally, but verify in callback
func handleCallback(c echo.Context) error {
    // State is validated by gothic.CompleteUserAuth
    user, err := gothic.CompleteUserAuth(c.Response(), c.Request())
    if err != nil {
        // State mismatch will cause error here
        log.Printf("Auth failed (possible CSRF): %v", err)
        return c.Redirect(http.StatusTemporaryRedirect, "/login?error=invalid_state")
    }
    // ...
}
```

### Secure Cookie Configuration

```go
store.Options = &sessions.Options{
    Path:     "/",
    Domain:   "",                       // Current domain only
    MaxAge:   86400 * 7,               // 7 days
    Secure:   true,                    // HTTPS only
    HttpOnly: true,                    // No JavaScript access
    SameSite: http.SameSiteLaxMode,    // CSRF protection
}
```

### HTTPS Requirements

In production, always use HTTPS:
- Set `Secure: true` on cookies
- Use HTTPS callback URLs in provider configuration
- Redirect HTTP to HTTPS

```go
// Echo HTTPS redirect middleware
e.Pre(middleware.HTTPSRedirect())
```

### Token Storage Security

Never expose access tokens to the client:

```go
// DON'T: Send token to frontend
return c.JSON(200, map[string]string{
    "access_token": user.AccessToken,  // Dangerous!
})

// DO: Store token server-side only
session.Values["access_token"] = user.AccessToken
```

### Session Hijacking Prevention

Regenerate session ID after authentication:

```go
func handleCallback(c echo.Context) error {
    user, err := gothic.CompleteUserAuth(c.Response(), c.Request())
    if err != nil {
        return err
    }

    // Get existing session
    oldSession, _ := gothic.Store.Get(c.Request(), "user-session")

    // Copy values to new session (forces new ID)
    oldSession.Options.MaxAge = -1  // Delete old session
    oldSession.Save(c.Request(), c.Response())

    newSession, _ := gothic.Store.New(c.Request(), "user-session")
    newSession.Values["user_id"] = user.UserID
    newSession.Values["email"] = user.Email
    newSession.Save(c.Request(), c.Response())

    return c.Redirect(http.StatusTemporaryRedirect, "/dashboard")
}
```

### Rate Limiting Auth Endpoints

Protect against brute force:

```go
import "github.com/labstack/echo/v4/middleware"

// Limit auth endpoints
authGroup := e.Group("/auth")
authGroup.Use(middleware.RateLimiter(middleware.NewRateLimiterMemoryStore(
    rate.Limit(10),  // 10 requests per second
)))
```

## Token Refresh Pattern

Keep access tokens fresh:

```go
func refreshTokenIfNeeded(c echo.Context) error {
    session, _ := gothic.Store.Get(c.Request(), "user-session")

    expiresAt, ok := session.Values["expires_at"].(time.Time)
    if !ok || time.Until(expiresAt) > 5*time.Minute {
        return nil  // Token still valid
    }

    providerName := session.Values["provider"].(string)
    provider, _ := goth.GetProvider(providerName)

    if !provider.RefreshTokenAvailable() {
        return nil
    }

    refreshToken := session.Values["refresh_token"].(string)
    token, err := provider.RefreshToken(refreshToken)
    if err != nil {
        // Refresh failed - force re-login
        return c.Redirect(http.StatusTemporaryRedirect, "/logout")
    }

    session.Values["access_token"] = token.AccessToken
    session.Values["expires_at"] = token.Expiry
    if token.RefreshToken != "" {
        session.Values["refresh_token"] = token.RefreshToken
    }
    session.Save(c.Request(), c.Response())

    return nil
}
```

## Security Checklist

Before deploying:

- [ ] SESSION_SECRET is at least 32 random bytes
- [ ] Cookies use `Secure: true` in production
- [ ] Cookies use `HttpOnly: true`
- [ ] Cookies use `SameSite: Lax` or `Strict`
- [ ] HTTPS is enforced in production
- [ ] Callback URLs use HTTPS
- [ ] Access tokens stored server-side only
- [ ] Rate limiting on auth endpoints
- [ ] Session regeneration after login
- [ ] Error messages don't leak sensitive info

See `references/security-checklist.md` for complete checklist.

## Quick Reference

| Task | Code |
|------|------|
| Set session store | `gothic.Store = store` |
| Get session | `gothic.Store.Get(r, "name")` |
| Save session | `session.Save(r, w)` |
| Delete session | `session.Options.MaxAge = -1` |
| Secure cookie | `Secure: true, HttpOnly: true` |

## Related Skills

- **goth-fundamentals** - Core Goth concepts
- **goth-providers** - Provider configuration

## Reference Documentation

- `references/session-storage-options.md` - Storage comparison
- `references/security-checklist.md` - Security verification

Overview

This skill explains how to integrate the Goth OAuth library with the Echo web framework and implement secure session management. It provides concrete handler wrappers, provider lookup adjustments for Echo, and recommended session stores and security patterns. Use it to get a ready-to-use, secure authentication surface for Go web apps using Goth + Echo.

How this skill works

It adapts goth/gothic to Echo by overriding provider lookup and wrapping Gothic handlers so Echo path parameters and context work correctly. It shows how to initialize cookie, Redis, or Postgres-backed session stores and offers middleware for protected routes, token refresh, and session regeneration. Security guidance covers cookie options, CSRF via OAuth state, HTTPS enforcement, and rate limiting.

When to use it

  • You need OAuth login integrated with Echo routes (e.g., /auth/:provider and callbacks).
  • You must store sessions securely across single-instance or distributed deployments (cookies, Redis, Postgres).
  • You want to protect auth routes with middleware, rate limiting, and CSRF safeguards.
  • You need guidance on session secrets, cookie flags, and session regeneration to prevent hijacking.
  • You want token-refresh and server-side token storage patterns for long-lived sessions.

Best practices

  • Require a SESSION_SECRET of at least 32 random bytes and load it from a secure environment variable.
  • Set cookie Options: Secure=true in production, HttpOnly=true, SameSite=Lax or Strict, and proper MaxAge and Path.
  • Regenerate session IDs after successful authentication to mitigate session fixation; delete old session before creating a new one.
  • Store access and refresh tokens server-side only; never return tokens to the browser or client JavaScript.
  • Use HTTPS for callbacks and enable HTTPS redirect middleware in Echo for production.
  • Add rate limiting to /auth endpoints and validate provider state (goth handles state but check errors and fail safe).

Example use cases

  • Add Google, GitHub, or other providers to an Echo app with routes /auth/:provider and /auth/:provider/callback.
  • Switch from CookieStore to Redis or Postgres when deploying multiple app instances behind a load balancer.
  • Protect dashboard routes with RequireAuth middleware that checks session user_id and redirects to login.
  • Implement token refresh on-demand in middleware to keep access tokens valid server-side.
  • Enforce security checklist before production: secure cookies, strong secret, HTTPS, session regeneration, and rate limiting.

FAQ

How do I make Gothic read :provider from Echo routes?

Override gothic.GetProviderName to extract the provider from r.URL.Query() or parse the path segments. Set c.Param(":provider") into the request query before calling Gothic handlers.

Which session store should I use in production?

Use a distributed store (Redis or Postgres) for multi-instance deployments. CookieStore is fine for single-instance apps but ensure a strong SESSION_SECRET and secure cookie options.