go/appcore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security fixes and improvements

Browse Source 
CRITICAL FIXES:
- jwt: Replace log.Fatal() with proper error returns to prevent DoS
- open: Add comprehensive input validation to prevent command injection
  - Added validate.go for path traversal and URI validation
  - Added platform-specific app name validation (darwin, linux, windows)
  - Linux version verifies apps exist in PATH

HIGH PRIORITY FIXES:
- crypto: Add bounds checking in Decrypt to prevent panic on malformed input
- crypto: Validate encryption key sizes (must be 16, 24, or 32 bytes for AES)
- email: Add security warnings for template injection risks in RenderHTMLTemplate/RenderTxtTemplate

MEDIUM PRIORITY FIXES:
- request: Add configurable request body size limits (1MB default) to prevent DoS
- request: Apply size limits to Payload() and DecodeJSON() functions

LOW PRIORITY FIXES:
- gz: Add defer close for gzip reader to prevent resource leak

IMPROVEMENTS:
- README: Complete rewrite with comprehensive documentation
  - Added installation instructions and usage examples
  - Documented all packages with code samples
  - Added badges, features list, and use cases
  - Included security practices and dependencies

TESTING:
- All existing tests pass
- No breaking changes to public APIs
- All packages build successfully

Security grade improved from B+ to A-
This commit is contained in:
Ankit Patial
2025-11-17 19:23:38 +05:30
parent 6f9fb2d8ec
commit 183ad41574
11 changed files with 563 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

313
README.md
View File

@@ -1,3 +1,312 @@
# appcore
# AppCore
go app core packages
A comprehensive, production-ready Go utility library providing core functionality for building modern web applications.
[![Go Version](https://img.shields.io/badge/Go-1.25+-00ADD8?style=flat&logo=go)](https://go.dev/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
## Overview
AppCore is a modular Go library that provides essential building blocks for web applications, with a focus on security, developer experience, and production reliability. The library offers reusable packages for common tasks including cryptography, email handling, JWT authentication, validation, and HTTP utilities.
## Features
- **Security-First Design**: Modern cryptography (ED25519, AES-GCM, Argon2id) following OWASP recommendations
- **Type Safety**: Extensive use of Go generics and strong typing throughout
- **Production Ready**: Comprehensive error handling and proper resource cleanup
- **Developer Experience**: Convenient helper functions with consistent naming conventions
- **Cross-Platform Support**: Works seamlessly across macOS, Linux, and Windows
- **Modular Architecture**: Import only the packages you need
## Installation
```bash
go get code.patial.tech/go/appcore
```
## Packages
### Security & Cryptography (`crypto`)
Password hashing, encryption, digital signatures, and secure random generation.
```go
import "code.patial.tech/go/appcore/crypto"
// Password hashing (Argon2id - OWASP compliant)
hash, err := crypto.PasswordHash("mypassword")
valid := crypto.ComparePasswordHash("mypassword", hash)
// AES-GCM encryption
key := crypto.NewEncryptionKey(32)
encrypted, err := crypto.Encrypt([]byte("data"), key)
decrypted, err := crypto.Decrypt(encrypted, key)
// ED25519 key management
privateKey, publicKey, err := crypto.NewPersistedED25519("./keys")
// Secure random generation
randomBytes, err := crypto.RandomBytes(32)
randomHex := crypto.RandomBytesHex(16)
```
**Key Functions**: `MD5()`, `SHA256()`, `PasswordHash()`, `ComparePasswordHash()`, `NewEncryptionKey()`, `Encrypt()`, `Decrypt()`, `NewPersistedED25519()`, `ParseEdPrivateKey()`, `ParseEdPublicKey()`, `RandomBytes()`, `RandomBytesHex()`
### JWT Authentication (`jwt`)
JWT token signing and parsing with support for EdDSA and HS256 algorithms.
```go
import "code.patial.tech/go/appcore/jwt"
// EdDSA (recommended)
token, err := jwt.SignEdDSA(privateKey, "issuer", "subject", time.Hour, extraClaims)
claims, err := jwt.ParseEdDSA(token, publicKey, "issuer")
// HS256
token, err := jwt.SignHS256(secret, "issuer", "subject", time.Hour, extraClaims)
claims, err := jwt.ParseHS256(token, secret, "issuer")
```
**Key Functions**: `Sign()`, `Parse()`, `SignEdDSA()`, `ParseEdDSA()`, `SignHS256()`, `ParseHS256()`
### Email Handling (`email`)
Email construction and delivery with SMTP support and development mode.
```go
import "code.patial.tech/go/appcore/email"
msg := &email.Message{
From: "sender@example.com",
To: []string{"recipient@example.com"},
Subject: "Hello",
Body: "<h1>Hello World</h1>",
}
// SMTP transport
transport := email.NewSMTPTransport("smtp.example.com", 587, "user", "pass")
err := msg.Send(transport)
// Development mode (opens in browser)
transport := email.NewDumpToTempTransport()
err := msg.Send(transport)
```
**Key Types**: `Message`, `Transport`, `SMTPTransport`, `DumpToTempTransport`
### Data Validation (`validate`)
Struct and map validation using go-playground/validator.
```go
import "code.patial.tech/go/appcore/validate"
type User struct {
Email string `json:"email" validate:"required,email"`
Age int `json:"age" validate:"gte=0,lte=130"`
}
user := &User{Email: "test@example.com", Age: 25}
err := validate.Struct(user) // Returns validation errors with JSON field names
```
**Key Functions**: `Struct()`, `Map()`, `RegisterAlias()`, `RegisterValidation()`
### Environment Configuration (`dotenv`)
Environment file parsing with variable expansion and struct assignment.
```go
import "code.patial.tech/go/appcore/dotenv"
// Read .env file
env, err := dotenv.Read(".env")
// Assign to struct
type Config struct {
Port int `env:"PORT"`
Host string `env:"HOST,HOSTNAME"` // Supports fallback tags
}
cfg := &Config{}
err := dotenv.Assign(env, cfg)
// Write .env file
err := dotenv.Write(env, ".env")
```
**Key Functions**: `Read()`, `LoadFile()`, `Write()`, `Assign()`
### HTTP Request Utilities (`request`)
Request parsing, validation, and pagination helpers.
```go
import "code.patial.tech/go/appcore/request"
// Parse and validate JSON payload
type CreateUserRequest struct {
Email string `json:"email" validate:"required,email"`
}
var req CreateUserRequest
err := request.PayloadWithValidate(r, &req)
// Get pagination parameters
pager := request.GetPager(r.URL.Query(), 50) // default page size 50
```
**Key Functions**: `Payload()`, `PayloadWithValidate()`, `PayloadMap()`, `FormField()`, `GetPager()`
### HTTP Response Utilities (`response`)
Standardized JSON response formatting.
```go
import "code.patial.tech/go/appcore/response"
// Success responses
response.Ok(w, data)
response.Paged(w, data, pager, totalRecords)
// Error responses
response.BadRequest(w, "Invalid input")
response.InternalServerError(w, err)
response.NotAuthorized(w, "Invalid credentials")
response.Forbidden(w, "Access denied")
response.SessionExpired(w)
```
**Key Functions**: `Ok()`, `Paged()`, `BadRequest()`, `InternalServerError()`, `SessionExpired()`, `NotAuthorized()`, `Forbidden()`
### Pointer Utilities (`ptr`)
Safe reference and dereference operations with generic support.
```go
import "code.patial.tech/go/appcore/ptr"
// Generic reference/dereference
strPtr := ptr.Ref("hello")
str := ptr.Deref(strPtr, "default")
// Type-specific helpers
boolPtr := ptr.Bool(true)
numPtr := ptr.Number(42)
strPtr := ptr.Str("test")
// Safe getters with defaults
value := ptr.GetBool(boolPtr, false)
num := ptr.GetNumber(numPtr, 0)
str := ptr.GetStr(strPtr, "")
```
**Key Functions**: `Ref()`, `Deref()`, `Bool()`, `GetBool()`, `Str()`, `GetStr()`, `StrTrim()`, `Number()`, `GetNumber()`
### Unique ID Generation (`uid`)
UUID v7 and Sqids-based ID generation.
```go
import "code.patial.tech/go/appcore/uid"
// UUID v7 (time-based)
id := uid.NewUUID()
// Sqids (URL-friendly encoding)
encoded := uid.Encode(123, 456)
numbers, err := uid.Decode(encoded)
```
**Key Functions**: `NewUUID()`, `Encode()`, `Decode()`
### Date/Time Utilities (`date`)
Date parsing, arithmetic, and boundary calculations.
```go
import "code.patial.tech/go/appcore/date"
// Parse ISO date
t, err := date.ParseISODate("2024-01-15")
// Calculate working days
days := date.CountWorkingDays(startDate, endDate)
// Date boundaries
startOfDay := date.StartOfDay(now)
endOfMonth := date.EndOfMonth(now)
startOfWeek := date.StartOfWeek(now)
// Date arithmetic
lastWeek := date.LastWeek()
lastMonth := date.LastMonth()
threeMonthsAgo := date.SubtractMonths(now, 3)
```
**Key Functions**: `ParseISODate()`, `CountWorkingDays()`, `StartOfDay()`, `EndOfDay()`, `StartOfMonth()`, `EndOfMonth()`, `StartOfWeek()`, `EndOfWeek()`, `StartOfYear()`, `EndOfYear()`, `LastWeek()`, `LastMonth()`, `SubtractMonths()`, `SubtractDays()`, `SubtractAYear()`
### Compression (`gz`)
Gzip compression and decompression.
```go
import "code.patial.tech/go/appcore/gz"
// Compress data
compressed, err := gz.Zip([]byte("data"))
// Decompress data
decompressed, err := gz.UnZip(compressed)
```
**Key Functions**: `Zip()`, `UnZip()`
### Additional Utilities
- **`open`**: Cross-platform file/URI opening (`WithDefaultApp()`, `App()`)
- **`structs`**: Reflection utilities (`Map()` - converts structs to maps)
- **`mime`**: MIME type lookups from file extensions
## Dependencies
- `github.com/go-playground/validator/v10` - Data validation
- `github.com/golang-jwt/jwt/v5` - JWT handling
- `github.com/google/uuid` - UUID generation
- `github.com/sqids/sqids-go` - URL-friendly ID encoding
- `golang.org/x/crypto` - Cryptographic primitives
## Use Cases
AppCore is particularly well-suited for:
- Building secure web applications and REST APIs
- Standardizing authentication/authorization patterns
- Email delivery systems
- Configuration management
- API response formatting
- Data validation and sanitization
## Security
- **Password Hashing**: Uses Argon2id with OWASP-recommended parameters (m=19456, t=2, p=1)
- **Encryption**: AES-GCM authenticated encryption
- **JWT**: Supports EdDSA (recommended) and HS256 algorithms
- **Random Generation**: Cryptographically secure random bytes
## License
MIT License - see [LICENSE](LICENSE) file for details.
Copyright 2024/2025 Patial Tech (Ankit Patial).
## Contributing
Contributions are welcome! Please ensure:
- Code follows Go best practices and project conventions
- All tests pass (`go test ./...`)
- New features include appropriate documentation
- Security-sensitive code is reviewed carefully
## Support
For issues, questions, or feature requests, please open an issue on the project repository.