README
ΒΆ
CoreForge
CoreForge is a batteries-included Go platform module providing reusable identity, session, authorization, and feature flags for multi-tenant SaaS applications. Think of it as Django/Laravel-style conveniences for Go.
Features
Identity Module
- π€ Users - Email, password hash (Argon2id), platform admin flag
- π’ Organizations - Multi-tenant with name, slug, plan, settings
- π Memberships - User-org relationships with flexible roles
- π OAuth Accounts - External OAuth provider links (GitHub, Google)
- π API Keys - Machine-to-machine authentication with scopes
OAuth 2.0 Server (Fosite)
- π Authorization Code + PKCE - Secure browser-based auth
- π€ Client Credentials - Service-to-service auth
- π Refresh Token - With rotation and theft detection
- π JWT Bearer (RFC 7523) - Service account authentication
- βοΈ Service Accounts - Non-human identities with RSA/EC key pairs
- π Token Introspection & Revocation - RFC 7662/7009
Session Module
- π« JWT Service - Access/refresh token generation with HS256/RS256/ES256
- π DPoP (RFC 9449) - Proof-of-possession token binding
- π₯οΈ BFF Pattern - Backend for Frontend with server-side sessions
- π OAuth Handlers - GitHub and Google social login
- π‘οΈ Middleware - JWT Bearer and API key authentication
Authorization Module
- π₯ RBAC - Role-based access control with org-scoped permissions
- βοΈ Casbin Provider - Advanced policy rules with Casbin integration
- β¨ Simple Provider - Lightweight permission checking
- π§ HTTP Middleware - Route protection for Chi and stdlib
Feature Flags
- π© Flag Engine - Boolean, percentage, and user list flags
- π’ Organization Scoping - Per-org flag evaluation
- πΎ In-Memory Store - Development and testing
Row-Level Security (RLS)
- ποΈ PostgreSQL RLS - Policy generation and session variables
- π Tenant Isolation - Multi-tenant data separation
- π Ent Integration - Transaction helpers with tenant context
Installation
go get github.com/grokify/coreforge
Quick Start
Using Identity Schemas
CoreForge provides Ent schemas with cf_ table prefix for side-by-side migration.
Direct Schema Usage
package main
import (
"context"
"github.com/grokify/coreforge/identity/ent"
_ "github.com/lib/pq"
)
func main() {
client, err := ent.Open("postgres", "postgres://...")
if err != nil {
panic(err)
}
defer client.Close()
// Run migrations
if err := client.Schema.Create(context.Background()); err != nil {
panic(err)
}
// Create a user
user, err := client.User.Create().
SetEmail("[email protected]").
SetName("Example User").
Save(context.Background())
}
Mixin Composition (Recommended)
Compose CoreForge mixins into your own schemas:
// your-app/ent/schema/user.go
package schema
import (
"entgo.io/ent"
"entgo.io/ent/schema/field"
cfmixin "github.com/grokify/coreforge/identity/ent/mixin"
)
type User struct {
ent.Schema
}
func (User) Mixin() []ent.Mixin {
return []ent.Mixin{
cfmixin.UUIDMixin{}, // UUID primary key
cfmixin.TimestampMixin{}, // created_at, updated_at
}
}
func (User) Fields() []ent.Field {
return []ent.Field{
field.String("username").Unique(),
// App-specific fields...
}
}
JWT Authentication
import (
"github.com/grokify/coreforge/session/jwt"
"github.com/grokify/coreforge/session/middleware"
)
// Create JWT service
svc, err := jwt.NewService(&jwt.Config{
Secret: []byte("your-secret-key"),
AccessTokenExpiry: 15 * time.Minute,
RefreshTokenExpiry: 7 * 24 * time.Hour,
Issuer: "your-app",
})
// Generate tokens
pair, err := svc.GenerateTokenPair(userID, email, name)
// Middleware for protected routes
r.Use(middleware.JWT(svc))
DPoP Token Binding
import "github.com/grokify/coreforge/session/dpop"
// Generate DPoP key pair (BFF side)
keyPair, err := dpop.GenerateKeyPair()
// Create proof for API request
proof, err := dpop.CreateProofWithOptions(keyPair, "POST", "https://api.example.com/data", dpop.ProofOptions{
AccessToken: accessToken,
})
// Verify proof (API side)
verifier := dpop.NewVerifier(dpop.VerificationConfig{
MaxAge: 5 * time.Minute,
})
result, err := verifier.Verify(proofJWT, dpop.VerificationRequest{
Method: "POST",
URI: "https://api.example.com/data",
AccessToken: accessToken,
})
BFF Pattern
import "github.com/grokify/coreforge/session/bff"
// Create BFF proxy
proxy := bff.NewProxy(bff.ProxyConfig{
Backend: "https://api.internal.example.com",
AllowedOrigins: []string{"https://app.example.com"},
SessionStore: bff.NewMemoryStore(),
})
// Mount proxy handler
r.Handle("/api/*", proxy.Handler())
Authorization
import (
"github.com/grokify/coreforge/authz"
"github.com/grokify/coreforge/authz/simple"
)
// Create authorization provider
provider := simple.NewProvider(simple.Config{
AllowOwnerFullAccess: true,
AllowPlatformAdminAll: true,
})
// Add role permissions
provider.AddRolePermissions("admin", []string{
"users:read", "users:write",
"settings:read", "settings:write",
})
provider.AddRolePermissions("member", []string{
"users:read",
})
// Use middleware
mw := authz.NewMiddleware(provider)
r.With(mw.RequireAction(authz.ResourceType("users"), authz.ActionRead)).Get("/users", listUsers)
Module Structure
github.com/grokify/coreforge/
βββ identity/ # User, Organization, Membership, OAuth
β βββ ent/schema/ # Ent schemas with cf_ prefix
β βββ apikey/ # API key service
β βββ oauth/ # OAuth 2.0 server (Fosite)
β βββ password.go # Argon2id hashing
β βββ service.go # Identity service interfaces
β
βββ session/ # Session management
β βββ jwt/ # JWT service with DPoP claims
β βββ dpop/ # DPoP proof-of-possession
β βββ bff/ # Backend for Frontend pattern
β βββ oauth/ # Social login handlers
β βββ middleware/ # Auth middleware
β
βββ authz/ # Authorization
β βββ simple/ # Simple RBAC provider
β βββ casbin/ # Casbin adapter
β βββ providertest/ # Provider test suite
β βββ middleware.go # HTTP middleware
β
βββ featureflags/ # Feature flag engine
β βββ stores/ # Flag stores
β
βββ rls/ # PostgreSQL Row-Level Security
βββ rls.go # Policy generation
βββ middleware.go # HTTP middleware
Design Decisions
| Decision | Choice | Rationale |
|---|---|---|
| Table prefix | cf_ |
Avoids conflicts, enables side-by-side migration |
| Role storage | String field | Apps define own vocabularies (owner/admin/member) |
| OAuth pattern | Fosite library | Production-ready, RFC-compliant OAuth 2.0 |
| Refresh tokens | Database-backed | Enables revocation, theft detection |
| Primary keys | UUID | Modern, distributed-friendly |
| Password hashing | Argon2id | OWASP recommended, memory-hard |
Database Tables
CoreForge creates the following tables (all prefixed with cf_):
| Table | Description |
|---|---|
cf_users |
User accounts |
cf_organizations |
Multi-tenant organizations |
cf_memberships |
User-organization relationships |
cf_oauth_accounts |
External OAuth provider links |
cf_refresh_tokens |
JWT refresh token tracking |
cf_api_keys |
Developer API keys |
cf_oauth_apps |
OAuth client applications |
cf_oauth_app_secrets |
Client secrets (hashed) |
cf_oauth_tokens |
Issued OAuth tokens |
cf_oauth_auth_codes |
Authorization codes |
cf_oauth_consents |
User consent records |
cf_service_accounts |
Non-human identities |
cf_service_account_key_pairs |
RSA/EC key pairs |
Migration Strategy
For existing apps, CoreForge supports side-by-side migration:
- Side-by-Side: Create
cf_*tables alongside existing tables - Dual-Write: Write to both old and new tables
- Cutover: Switch reads to CoreForge tables
- Cleanup: Remove old tables
Documentation
Full documentation is available via MkDocs:
# Install MkDocs
pip install mkdocs mkdocs-material
# Serve locally
mkdocs serve
# Build static site
mkdocs build
Contributing
Contributions are welcome! Please read the contributing guidelines before submitting PRs.
License
MIT License - see LICENSE file for details.
Directories
ΒΆ
| Path | Synopsis |
|---|---|
|
Package authz provides a pluggable authorization interface for CoreForge applications.
|
Package authz provides a pluggable authorization interface for CoreForge applications. |
|
casbin
Package casbin provides a Casbin-based authorization provider.
|
Package casbin provides a Casbin-based authorization provider. |
|
providertest
Package providertest provides conformance tests for authz.Provider implementations.
|
Package providertest provides conformance tests for authz.Provider implementations. |
|
simple
Package simple provides a simple role-based authorization provider.
|
Package simple provides a simple role-based authorization provider. |
|
Package featureflags provides a feature flag engine for CoreForge applications.
|
Package featureflags provides a feature flag engine for CoreForge applications. |
|
stores
Package stores provides feature flag storage implementations.
|
Package stores provides feature flag storage implementations. |
|
Package identity provides identity management for CoreForge applications.
|
Package identity provides identity management for CoreForge applications. |
|
apikey
Package apikey provides API key generation, validation, and management.
|
Package apikey provides API key generation, validation, and management. |
|
ent/mixin
Package mixin provides Ent mixins for composing CoreForge identity fields into application schemas.
|
Package mixin provides Ent mixins for composing CoreForge identity fields into application schemas. |
|
ent/schema
Package schema provides Ent schema definitions for CoreForge identity management.
|
Package schema provides Ent schema definitions for CoreForge identity management. |
|
Package rls provides PostgreSQL Row-Level Security helpers for CoreForge.
|
Package rls provides PostgreSQL Row-Level Security helpers for CoreForge. |
|
session
|
|
|
bff
Package bff implements the Backend for Frontend (BFF) pattern for secure session management.
|
Package bff implements the Backend for Frontend (BFF) pattern for secure session management. |
|
dpop
Package dpop implements Demonstrating Proof of Possession (DPoP) per RFC 9449.
|
Package dpop implements Demonstrating Proof of Possession (DPoP) per RFC 9449. |
|
jwt
Package jwt provides JWT token generation and validation for CoreForge applications.
|
Package jwt provides JWT token generation and validation for CoreForge applications. |
|
middleware
Package middleware provides HTTP middleware for authentication and authorization.
|
Package middleware provides HTTP middleware for authentication and authorization. |
|
oauth
Package oauth provides OAuth2 provider configuration and handlers for CoreForge.
|
Package oauth provides OAuth2 provider configuration and handlers for CoreForge. |
Click to show internal directories.
Click to hide internal directories.