Authentication¶
Dashforge supports OAuth 2.0 authentication with GitHub and Google providers, using JWT tokens for session management.
Overview¶
```text
┌─────────┐     ┌───────────┐     ┌──────────────┐
│ Browser │────▶│ Dashforge │────▶│ GitHub/Google│
│         │◀────│  Server   │◀────│    OAuth     │
└─────────┘     └───────────┘     └──────────────┘
     │                │
     │   JWT Tokens   │
     └────────────────┘
```
- User clicks "Login with GitHub/Google"
- Dashforge generates a random `state` value, stores it in a short-lived cookie, and redirects the browser to the OAuth provider
- User authenticates with the provider
- Provider redirects back to the callback URL with an authorization code and the `state`
- Dashforge checks the returned `state` against the cookie, exchanges the authorization code with the provider for an access token, and fetches the user's profile
- Dashforge creates/updates the user and returns JWT tokens
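The flow above, as an added example in Go that is not Dashforge's own code: the cookie names, client ID, the initiate path `/api/v1/auth/github` and the provider URLs are this example's assumptions. It shows the pieces a practitioner has to get right on the server side: a random `state` pinned in a cookie with the attributes listed under Cookie Security (HttpOnly, Secure, SameSite=Lax, MaxAge=600), a constant-time `state` check in the callback before anything is exchanged with the provider, and validation of the `redirect` parameter from Initiate Login so that the login endpoint cannot be used as an open redirect.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// Cookie names, client ID, login path and URLs below are this example's own placeholders.
const (
	stateCookie    = "oauth_state"
	redirectCookie = "oauth_redirect"
	clientID       = "dashforge-client-id"
	callbackURL    = "https://your-domain.com/api/v1/auth/github/callback"
	authorizeURL   = "https://github.com/login/oauth/authorize"
)

// newState returns 256 random bits, base64url-encoded, for the OAuth state parameter.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// safeRedirect keeps the `redirect` parameter from turning login into an open redirect:
// only same-origin absolute paths survive; other hosts, protocol-relative "//host",
// backslash variants and anything carrying a scheme fall back to "/".
func safeRedirect(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil ||
		!strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") || strings.Contains(u.Path, `\`) {
		return "/"
	}
	if u.RawQuery != "" {
		return u.EscapedPath() + "?" + u.RawQuery
	}
	return u.EscapedPath()
}

// setFlowCookie uses exactly the attributes the page lists for OAuth state cookies.
func setFlowCookie(w http.ResponseWriter, name, value string, maxAge int) {
	http.SetCookie(w, &http.Cookie{Name: name, Value: value, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: maxAge})
}

// startLogin is the "Initiate Login" step: mint a state, pin it in a cookie, send the browser to the provider.
func startLogin(w http.ResponseWriter, r *http.Request) {
	state, err := newState()
	if err != nil {
		http.Error(w, "cannot generate state", http.StatusInternalServerError)
		return
	}
	setFlowCookie(w, stateCookie, state, 600)
	setFlowCookie(w, redirectCookie, safeRedirect(r.URL.Query().Get("redirect")), 600)
	q := url.Values{"client_id": {clientID}, "redirect_uri": {callbackURL},
		"response_type": {"code"}, "state": {state}}
	http.Redirect(w, r, authorizeURL+"?"+q.Encode(), http.StatusFound)
}

// verifyCallback is the check the callback must pass before any call to the provider:
// the state echoed back must equal the cookie's. It returns the code to exchange and the
// validated post-login destination.
func verifyCallback(r *http.Request) (code, dest string, err error) {
	c, cerr := r.Cookie(stateCookie)
	state := r.URL.Query().Get("state")
	if cerr != nil || state == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(state)) != 1 {
		return "", "", errors.New("oauth state mismatch")
	}
	dest = "/"
	if rc, rerr := r.Cookie(redirectCookie); rerr == nil {
		dest = safeRedirect(rc.Value) // re-validate: cookies are client-controlled too
	}
	return r.URL.Query().Get("code"), dest, nil
}

func callback(w http.ResponseWriter, r *http.Request) {
	code, dest, err := verifyCallback(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	setFlowCookie(w, stateCookie, "", -1) // state is single-use
	_ = code // here the real flow exchanges the code at the provider and loads the profile
	http.Redirect(w, r, dest, http.StatusFound)
}

func main() {
	http.HandleFunc("/api/v1/auth/github", startLogin)
	http.HandleFunc("/api/v1/auth/github/callback", callback)
	http.ListenAndServe(":8080", nil)
}
```

SameSite=Lax rather than Strict is deliberate: the provider's redirect back to the callback is a cross-site top-level navigation, and a Strict cookie would not be sent on it, so the state check would always fail. The `redirect` value is validated both when it is stored and when it is read back, because a cookie is just as client-controlled as a query parameter.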
Setting Up OAuth¶
GitHub¶
- Go to GitHub Developer Settings
- Click "New OAuth App"
- Fill in:
  - Application name: Dashforge
  - Homepage URL: https://your-domain.com
  - Authorization callback URL: https://your-domain.com/api/v1/auth/github/callback
- Save and note the Client ID and Client Secret
Google¶
- Go to Google Cloud Console
- Create a new project or select an existing one
- Go to "Credentials" → "Create Credentials" → "OAuth client ID"
- Configure the consent screen if prompted
- Select "Web application"
- Add the authorized redirect URI: https://your-domain.com/api/v1/auth/google/callback
- Note the Client ID and Client Secret
Authentication Endpoints¶
Initiate Login¶
Redirect users to start the OAuth flow:
Optional query parameter:
- redirect: URL to send the user to after a successful login. Restrict accepted values to paths on your own origin (or an explicit allowlist); if any URL is accepted, the login endpoint becomes an open redirect.
Example:
OAuth Callbacks¶
These are called by the OAuth provider (not directly by users):
Get Current User¶
Response:
```json
{
  "id": 1,
  "email": "user@example.com",
  "name": "John Doe",
  "role": "viewer",
  "active": true,
  "lastLoginAt": "2024-01-15T10:30:00Z",
  "createdAt": "2024-01-01T00:00:00Z"
}
```
Refresh Tokens¶
Response:
```json
{
  "accessToken": "new-access-token",
  "refreshToken": "new-refresh-token",
  "expiresIn": 900,
  "tokenType": "Bearer"
}
```
Logout¶
Returns 204 No Content.
JWT Tokens¶
Token Structure¶
Access tokens contain:
```json
{
  "iss": "dashforge",
  "sub": "1",
  "exp": 1705312200,
  "iat": 1705311300,
  "uid": 1,
  "email": "user@example.com",
  "role": "admin",
  "tid": 1
}
```
| Claim | Description |
|---|---|
| iss | Issuer (always "dashforge") |
| sub | Subject (user ID as a string) |
| exp | Expiration time (Unix timestamp, seconds) |
| iat | Issued-at time (Unix timestamp, seconds) |
| uid | User ID (number) |
| email | User email |
| role | User role |
| tid | Tenant ID (for multi-tenancy) |
Using Tokens¶
Include the access token in the Authorization header as a Bearer token:
Token Expiration¶
| Token Type | Default Lifetime |
|---|---|
| Access Token | 15 minutes |
| Refresh Token | 7 days |
User Roles¶
Dashforge uses role-based access control:
| Role | Permissions |
|---|---|
| viewer | View dashboards, run saved queries |
| editor | viewer + create/edit dashboards |
| admin | editor + manage users, data sources |
| owner | admin + tenant settings, billing |
Role Hierarchy¶
Protecting API Routes¶
Authenticated routes require a valid JWT:
```go
// Protected route: Middleware verifies the JWT before the handler runs
mux.Handle("/api/v1/dashboards",
	jwtService.Middleware(dashboardHandler))

// Role-restricted route: Middleware runs first, then RequireJWTRole
// checks the role claim it extracted
mux.Handle("/api/v1/admin/users",
	jwtService.Middleware(
		auth.RequireJWTRole("admin", "owner")(userHandler)))
```
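An added example, not Dashforge's `jwtService` or `auth` package, of the pieces the JWT Tokens and Protecting API Routes sections describe: minting and verifying an HS256 token that carries the claims listed above with the 15-minute lifetime from the expiration table, then a middleware and a role check shaped like the calls in the snippet above. The names (`Claims`, `Mint`, `Verify`, `Middleware`, `RequireRole`) and the HS256 choice are this example's own assumptions.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Claims carries the access-token claims listed on the page.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	UID   int64  `json:"uid"`
	Email string `json:"email"`
	Role  string `json:"role"`
	Tid   int64  `json:"tid"`
}

var enc = base64.RawURLEncoding

func sign(secret []byte, signingInput string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return enc.EncodeToString(m.Sum(nil))
}

// Mint issues an HS256 access token that expires 15 minutes after now (the page's default).
func Mint(secret []byte, uid int64, email, role string, tid int64, now time.Time) string {
	c := Claims{Iss: "dashforge", Sub: strconv.FormatInt(uid, 10), Exp: now.Add(15 * time.Minute).Unix(), Iat: now.Unix(), UID: uid, Email: email, Role: role, Tid: tid}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	si := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return si + "." + sign(secret, si)
}

// Verify pins alg to HS256 (so "none" and key-confusion headers fail), checks the signature in constant time, then trusts iss and exp.
func Verify(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("malformed token or unsupported alg")
	}
	if !hmac.Equal([]byte(sign(secret, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != "dashforge" || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("wrong issuer or expired")
	}
	return &c, nil
}

type ctxKey struct{}

// Middleware stands in for jwtService.Middleware: a valid Bearer token is required and its claims travel in the request context.
func Middleware(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		c, err := Verify(secret, strings.TrimPrefix(h, "Bearer "), time.Now())
		if !strings.HasPrefix(h, "Bearer ") || err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, c)))
	})
}

// RequireRole stands in for auth.RequireJWTRole; it must sit inside Middleware, and missing claims or an unlisted role yield 403, never a bypass.
func RequireRole(roles ...string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			c, ok := r.Context().Value(ctxKey{}).(*Claims)
			for _, role := range roles {
				if ok && c.Role == role {
					next.ServeHTTP(w, r)
					return
				}
			}
			http.Error(w, "forbidden", http.StatusForbidden)
		})
	}
}

func main() {
	secret := make([]byte, 32) // the page's minimum: 32 cryptographically random bytes
	rand.Read(secret)
	users := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("users\n")) })
	http.ListenAndServe(":8080", Middleware(secret, RequireRole("admin", "owner")(users)))
}
```

Two details matter more than they look: the algorithm is checked before the signature, so a token whose header says `alg: none` (or anything other than what the server signs with) is rejected without ever consulting the payload, and the signature comparison uses `hmac.Equal` rather than `==` so a forged signature cannot be guessed byte by byte through timing.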
Security Best Practices¶
JWT Secret¶
- Use a cryptographically random secret (minimum 32 bytes)
- Never commit secrets to version control
- Rotate secrets periodically; note that rotating the signing secret invalidates every outstanding access and refresh token unless the previous key is still accepted for verification until those tokens expire
- Load the secret from environment variables or a secrets manager
HTTPS¶
Always use HTTPS in production:
Cookie Security¶
OAuth state cookies are configured with:
- HttpOnly: prevents JavaScript access
- Secure: only sent over HTTPS
- SameSite=Lax: CSRF protection; Lax rather than Strict is required here, because the provider's redirect back to the callback URL is a cross-site top-level navigation and a Strict cookie would not be sent on it
- MaxAge=600: 10-minute expiration
CORS¶
Configure CORS for your frontend domain:
```yaml
# config.yaml
cors:
  allowed_origins:
    - https://app.example.com
  allowed_methods:
    - GET
    - POST
    - PUT
    - DELETE
  allowed_headers:
    - Authorization
    - Content-Type
```
Disabling Authentication¶
For development only:
Warning
Never disable authentication in production. This flag is for local development only.