# OM Messenger backend (Go + Fiber + Postgres)

75% done.

This repo currently implements cookie-based auth suitable for intranet deployments:
- Short-lived access JWT in `om_access` (HttpOnly)
- Long-lived refresh token in `om_refresh` (HttpOnly, stored hashed in DB)
- CSRF protection using `om_csrf` + `X-OM-CSRF` header
- `POST /api/auth/register`
- `POST /api/auth/login`
- `GET /api/auth/csrf` (issues/rotates CSRF cookie)
- `POST /api/auth/refresh` (requires CSRF)
- `POST /api/auth/logout` (requires CSRF)
- `GET /api/users/me`
## Required

- `JWT_SECRET`: signing secret for access JWTs (server will refuse to start if missing)
- `DB_HOST`, `DB_USER`, `DB_PASSWORD`, `DB_NAME`, `DB_PORT`, `DB_SSLMODE`
## Browser security

- `ALLOWED_ORIGINS`: comma-separated allow-list for browser `Origin` checks and CORS
- `COOKIE_SECURE`: set to `true` behind TLS (`https://` / `wss://`)
- `COOKIE_DOMAIN`: optional cookie domain
- `COOKIE_SAMESITE`: `Lax` (default) | `Strict` | `None`
## CSRF

- `CSRF_MODE`: `token` (default) | `origin` | `off`
  - `token`: requires `X-OM-CSRF` to match the `om_csrf` cookie for unsafe methods
  - `origin`: only enforces `ALLOWED_ORIGINS`
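The following is an added, stand-alone Go illustration of how the three `CSRF_MODE` settings above interact with `ALLOWED_ORIGINS`; it is not the repo's own Fiber middleware. It assumes that `token` mode also enforces the origin allow-list (since `origin` mode is described as enforcing *only* that), that GET/HEAD/OPTIONS are the safe methods, and that an unsafe request without an `Origin` header is rejected.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
	"strings"
)

// ErrCSRF is returned when an unsafe request fails the configured CSRF policy.
var ErrCSRF = errors.New("csrf check failed")

// unsafeMethod reports whether a method may change state and so needs CSRF protection.
func unsafeMethod(method string) bool {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return false
	}
	return true
}

// originAllowed checks the request Origin against the comma-separated ALLOWED_ORIGINS value.
// An absent Origin is rejected (assumption: unsafe API calls come from browsers, which send it).
func originAllowed(origin, allowedOrigins string) bool {
	for _, a := range strings.Split(allowedOrigins, ",") {
		if a = strings.TrimSpace(a); a != "" && strings.EqualFold(a, origin) {
			return true
		}
	}
	return false
}

// checkCSRF applies CSRF_MODE to one request. token (default): Origin must be allow-listed
// and X-OM-CSRF must equal the om_csrf cookie; origin: only the allow-list; off: no check.
func checkCSRF(mode, method, origin, headerToken, cookieToken, allowedOrigins string) error {
	if mode == "off" || !unsafeMethod(method) {
		return nil
	}
	if !originAllowed(origin, allowedOrigins) {
		return ErrCSRF
	}
	if mode == "origin" {
		return nil
	}
	// Double-submit check in constant time, so a timing side channel cannot leak the token.
	// An empty header is rejected explicitly: ConstantTimeCompare("", "") would return 1.
	if headerToken == "" || subtle.ConstantTimeCompare([]byte(headerToken), []byte(cookieToken)) != 1 {
		return ErrCSRF
	}
	return nil
}
```

The empty-token guard matters in practice: a client that never called `GET /api/auth/csrf` has neither cookie nor header, and a plain byte comparison of two empty strings would otherwise let that request through.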
## Limits

- `PASSWORD_MIN_LENGTH` (default: `10`)
- `MAX_MESSAGE_LENGTH` (default: `4000`)
```sh
# Windows
go build -o bin/server.exe -v .\cmd\server

# Linux / macOS
go build -o bin/server -v ./cmd/server
```