A Go-based passwordless authentication system using OTP (One-Time Password) with enterprise-grade security features.
- Features
- Architecture
- Getting Started
- Configuration
- Security
- API Documentation
- Development
- Deployment
- License
## Features

- OTP Generation and Verification
- JWT-based Authentication
- Session Management
- Refresh Token Support
- Rate Limiting
- Security Headers
- Request Logging
- Configurable Security Settings
- Prometheus Metrics Collection
- Distributed Tracing with OpenTelemetry
- Circuit Breaker for External Services
- Health Checks and Service Status
- Configuration Management with Viper
- Graceful Shutdown
- Metrics Dashboard Integration
- Advanced Logging with Correlation IDs
- Service Discovery Ready
- Container Health Probes
## Architecture

```
├── cmd/
│   ├── server/          # Application entry point
│   └── encrypt/         # Configuration encryption utility
├── internal/
│   ├── api/
│   │   ├── handlers/    # Request handlers
│   │   └── routes/      # Router setup
│   ├── auth/            # Authentication logic
│   ├── config/          # Configuration
│   ├── middleware/      # Security middleware
│   ├── services/        # External services (SMS, etc.)
│   └── models/          # Data models
├── pkg/                 # Public packages
└── README.md
```
- API Layer: HTTP handlers and route definitions
- Authentication: OTP and JWT management
- Services: External service integrations
- Middleware: Security and logging middleware
- Configuration: App configuration and encryption
- Storage: Data persistence layer
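As an added illustration of how the middleware layer sits in front of the API layer (example code written for this page, not the project's own `internal/middleware` package), the block below chains a fixed-window rate limiter and a security-headers middleware around a placeholder `sendOtp` handler using only `net/http`. The 20 requests/minute figure is the one the Security section states; the per-peer-address keying, the header values and the handler names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// rateLimiter is a fixed-window limiter keyed by client address: at most
// limit requests per window (the README's 20 requests/minute).
type rateLimiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	now     func() time.Time // injectable clock so tests need not sleep
	clients map[string]*bucket
}

type bucket struct {
	count int
	start time.Time
}

func newRateLimiter(limit int, window time.Duration) *rateLimiter {
	return &rateLimiter{limit: limit, window: window, now: time.Now, clients: map[string]*bucket{}}
}

// allow records one request for key and reports whether it is within the limit.
func (rl *rateLimiter) allow(key string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	now := rl.now()
	b, ok := rl.clients[key]
	if !ok || now.Sub(b.start) >= rl.window {
		b = &bucket{start: now}
		rl.clients[key] = b
	}
	b.count++
	return b.count <= rl.limit
}

// middleware keys on the TCP peer address, never on X-Forwarded-For, which any
// client can forge unless a trusted proxy in front of the service overwrites it.
func (rl *rateLimiter) middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			key = r.RemoteAddr
		}
		if !rl.allow(key) {
			w.Header().Set("Retry-After", fmt.Sprint(int(rl.window.Seconds())))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// securityHeaders sets the headers an API-only service should send on every response.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Cache-Control", "no-store") // OTP and token responses must never be cached
		next.ServeHTTP(w, r)
	})
}

// newServer wires the chain: headers outermost so that even a 429 from the
// limiter carries them, then the limiter, then a placeholder sendOtp handler.
func newServer(rl *rateLimiter) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/sendOtp", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusAccepted)
	})
	return securityHeaders(rl.middleware(mux))
}

// hit sends one in-memory request from peer and returns the status and HSTS header.
func hit(h http.Handler, peer string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/v1/sendOtp", nil)
	req.RemoteAddr = peer
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Strict-Transport-Security")
}

func main() {
	srv := newServer(newRateLimiter(20, time.Minute))
	for i := 1; i <= 21; i++ {
		code, _ := hit(srv, "203.0.113.7:51000") // constructed client address
		fmt.Printf("request %2d -> %d\n", i, code)
	}
}
```

Running it prints 202 for the first twenty requests from the same address and 429 for the twenty-first. A fixed window lets a client burst 2x the limit across a window boundary; a token bucket or sliding log closes that gap, and in a multi-replica deployment the counters belong in Redis rather than in process memory.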
## Getting Started

### Prerequisites

- Go 1.24 or later
- Docker and Docker Compose
- Redis (for session management)
- Twilio account (for SMS)

### Installation

- Clone the repository:

```bash
git clone https://github.com/lmousom/passless-auth.git
cd passless-auth
```

- Install dependencies:

```bash
go mod tidy
```

- Set up encryption:

```bash
# Generate encryption key
./scripts/manage-keys.sh generate
# Set the encryption key
export PASSLESS_ENCRYPTION_KEY='your-generated-key'
```

- Start the services:

```bash
docker-compose up --build
```

## Configuration

```bash
export PASSLESS_SERVER_PORT=8080
export PASSLESS_JWT_SECRET=your-secret
export PASSLESS_SMS_ACCOUNT_SID=your-sid
export PASSLESS_ENCRYPTION_KEY=your-encryption-key
```

See config/config.yaml for detailed configuration options.
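The encryption step above is where the encrypted-configuration feature has to get the details right. The block below is an added example, not the project's `cmd/encrypt` utility: it assumes `PASSLESS_ENCRYPTION_KEY` holds 32 base64-encoded bytes and that encrypted values carry an `enc:` marker (both assumptions), then seals and opens a value with AES-256-GCM using a fresh random nonce per value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// encPrefix marks a stored value as encrypted. The "enc:" marker is an assumption
// for this example; the project's own format may differ.
const encPrefix = "enc:"

// loadKey decodes PASSLESS_ENCRYPTION_KEY (assumed base64) and insists on 32 bytes,
// i.e. AES-256; a short or non-random key silently weakens every stored secret.
func loadKey(encoded string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("key is not valid base64: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptValue seals a secret with AES-GCM and prepends the 12-byte nonce.
// GCM fails catastrophically on nonce reuse under one key, so the nonce must
// come from crypto/rand, never from a counter that can reset after a restart.
func encryptValue(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return encPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptValue reverses encryptValue. Because GCM authenticates, a wrong key and
// a tampered ciphertext both fail the tag check instead of yielding garbage.
func decryptValue(key []byte, encoded string) (string, error) {
	if !strings.HasPrefix(encoded, encPrefix) {
		return "", errors.New("value is not marked as encrypted")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(encoded, encPrefix))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered value")
	}
	return string(pt), nil
}

func main() {
	key, err := loadKey(os.Getenv("PASSLESS_ENCRYPTION_KEY"))
	if err != nil { // no usable key in the environment: use a throwaway one for the demo
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
	}
	enc, err := encryptValue(key, "AC00000000000000000000000000000000") // constructed SID
	if err != nil {
		panic(err)
	}
	dec, _ := decryptValue(key, enc)
	fmt.Println(enc)
	fmt.Println(dec)
}
```

Encrypting the same value twice yields different ciphertexts (different nonces), which is expected; what must never happen is the same nonce under the same key. Rotating `PASSLESS_ENCRYPTION_KEY` means decrypting every stored value with the old key and re-encrypting with the new one, since GCM ties each ciphertext to the key it was sealed with.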
## Security

### Security Features

- AES-GCM encryption for sensitive configuration values
- Rate limiting (20 requests/minute)
- Security headers (HSTS, CSP, XSS protection)
- JWT-based session management
- Secure OTP generation
- Encrypted configuration
- SMS-based OTP delivery
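To make "secure OTP generation" concrete, here is an added example (not the project's `internal/auth` package) that draws a 6-digit code from `crypto/rand` and verifies it against an HMAC kept in an in-memory store standing in for Redis. The pepper key, the five-attempt limit, the TTL and the phone numbers are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
	"time"
)

// generateOTP draws a uniformly random numeric code from crypto/rand. Using
// math/rand or a time-seeded generator would make codes predictable.
func generateOTP(digits int) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(digits)), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", digits, n.Int64()), nil
}

type otpRecord struct {
	tag      []byte // HMAC of the code; the code itself is never stored
	expires  time.Time
	attempts int
}

// otpStore stands in for the Redis store, keyed by phone number. The pepper is
// a server-side key, so a dump of the store alone does not reveal valid codes;
// the 6-digit space is tiny, so the attempt limit is what defeats guessing.
type otpStore struct {
	pepper      []byte
	maxAttempts int
	recs        map[string]*otpRecord
	now         func() time.Time // injectable clock for tests
}

func newOTPStore(pepper []byte) *otpStore {
	return &otpStore{pepper: pepper, maxAttempts: 5, recs: map[string]*otpRecord{}, now: time.Now}
}

func (s *otpStore) tag(code string) []byte {
	m := hmac.New(sha256.New, s.pepper)
	m.Write([]byte(code))
	return m.Sum(nil)
}

// issue generates a code for phone, replacing any outstanding one, and returns
// it for delivery (the SMS send is out of scope here).
func (s *otpStore) issue(phone string, ttl time.Duration) (string, error) {
	code, err := generateOTP(6)
	if err != nil {
		return "", err
	}
	s.recs[phone] = &otpRecord{tag: s.tag(code), expires: s.now().Add(ttl)}
	return code, nil
}

// verify is single-use, bounded to maxAttempts and compares with hmac.Equal so
// response time does not leak how many leading digits matched.
func (s *otpStore) verify(phone, code string) bool {
	rec, ok := s.recs[phone]
	if !ok {
		return false
	}
	if s.now().After(rec.expires) {
		delete(s.recs, phone)
		return false
	}
	rec.attempts++
	if rec.attempts > s.maxAttempts {
		delete(s.recs, phone)
		return false
	}
	if !hmac.Equal(s.tag(code), rec.tag) {
		return false
	}
	delete(s.recs, phone) // consumed: a replay of the same code is refused
	return true
}

func main() {
	store := newOTPStore([]byte("constructed-demo-pepper"))
	code, err := store.issue("+15550100", 5*time.Minute) // constructed sample number
	if err != nil {
		panic(err)
	}
	fmt.Println("sent:", code)
	fmt.Println("garbage accepted:", store.verify("+15550100", "abcdef"))
	fmt.Println("correct code accepted:", store.verify("+15550100", code))
	fmt.Println("replay accepted:", store.verify("+15550100", code))
}
```

The store's `issue` replaces any outstanding code for the number, so a fresh `sendOtp` call invalidates the previous one; combined with the request rate limit on that endpoint, this keeps an attacker from using repeated sends to reset the attempt counter cheaply.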
### Best Practices

- Never commit encryption keys or the JWT secret; inject them through the environment
- Use different keys per environment
- Rotate keys regularly (stored configuration values must be re-encrypted when the encryption key changes)
- Generate `PASSLESS_JWT_SECRET` from at least 32 random bytes; HMAC-signed tokens are only as strong as the secret
- Monitor access attempts, in particular repeated OTP verification failures for one number
- Keep dependencies updated
## API Documentation

- `POST /api/v1/sendOtp` - Send OTP
- `POST /api/v1/verifyOtp` - Verify OTP
- `POST /api/v1/2fa/enable` - Enable 2FA
- `POST /api/v1/2fa/verify` - Verify 2FA
- `GET /api/v1/login` - Check auth status
- `POST /api/v1/refreshToken` - Refresh token
- `POST /api/v1/logout` - Logout
Import passless-auth.postman_collection.json for API testing.
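The `login`, `refreshToken` and `logout` endpoints imply a token lifecycle. The following added example (not the project's implementation) shows one with the standard library only: HS256 access JWTs carrying an `exp` claim, plus opaque refresh tokens that are stored hashed and rotated on every use. The 15-minute and 7-day lifetimes, the claim set and the in-memory store are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // Unix timestamp
}

// signJWT produces an HS256 token: base64url(header).base64url(claims).base64url(mac).
func signJWT(secret []byte, c claims) string {
	body, _ := json.Marshal(c) // cannot fail for a struct of string and int64 fields
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyJWT never reads the algorithm from the token (the "alg":"none" confusion): it
// always recomputes HS256 with the server secret, compares in constant time, and only
// then parses the claims and enforces exp.
func verifyJWT(secret []byte, token string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return claims{}, errors.New("bad signature")
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return claims{}, errors.New("malformed claims")
	}
	if now.Unix() >= c.Exp {
		return claims{}, errors.New("token expired")
	}
	return c, nil
}

// sessionStore issues short-lived access JWTs and opaque refresh tokens. Only the SHA-256
// of each refresh token is kept (the map stands in for Redis), so a store dump is useless.
type sessionStore struct {
	secret  []byte
	refresh map[string]claims // sha256(refresh token) -> subject and refresh expiry
}

func newSessionStore(secret []byte) *sessionStore {
	return &sessionStore{secret: secret, refresh: map[string]claims{}}
}

func hashToken(t string) string {
	sum := sha256.Sum256([]byte(t))
	return string(sum[:])
}

// login returns (access, refresh) for a subject that has just passed OTP verification.
func (s *sessionStore) login(sub string) (string, string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	now := time.Now()
	refresh := b64.EncodeToString(raw)
	s.refresh[hashToken(refresh)] = claims{Sub: sub, Exp: now.Add(7 * 24 * time.Hour).Unix()}
	return signJWT(s.secret, claims{Sub: sub, Exp: now.Add(15 * time.Minute).Unix()}), refresh, nil
}

// rotate revokes the presented refresh token before issuing a new pair, so a stolen copy
// that is replayed later is refused.
func (s *sessionStore) rotate(refresh string) (string, string, error) {
	key := hashToken(refresh)
	sess, ok := s.refresh[key]
	delete(s.refresh, key)
	if !ok || time.Now().Unix() >= sess.Exp {
		return "", "", errors.New("unknown, already used or expired refresh token")
	}
	return s.login(sess.Sub)
}

func main() {
	s := newSessionStore([]byte("constructed-demo-secret-use-32-random-bytes"))
	_, refresh, _ := s.login("+15550100") // constructed subject
	_, _, first := s.rotate(refresh)
	_, _, replay := s.rotate(refresh)
	fmt.Println("first refresh ok:", first == nil, "replay refused:", replay != nil)
}
```

Logout in this design is `delete(s.refresh, hashToken(token))`: the refresh token is revoked immediately while the access JWT simply runs out at `exp`, which is why the access lifetime is kept short. A replayed refresh token after rotation is a strong signal of theft and is worth alerting on, not just refusing.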
## Development

- Start dependencies:

```bash
docker-compose up -d redis prometheus otel-collector
```

- Run the application:

```bash
go run cmd/server/main.go
```

## Deployment

```bash
docker-compose up --build
```

## License

MIT License - See LICENSE for details
