
Releases: Massad/gin-boilerplate

v3: Modernize boilerplate with sqlx, middleware, reusable validation, and invoice PDF

17 Mar 21:36


What's new in v3

  • sqlx migration: Replaced go-gorp with sqlx for a thinner database layer. All raw SQL queries unchanged.
  • Middleware extraction: Moved CORS, RequestID, and JWT auth middleware from main.go into middleware/ package. Auth middleware calls models directly to avoid import cycles.
  • Reusable form validation: Replaced duplicated per-field error methods with a single forms.Translate(err, messages) function and declarative message maps.
  • Invoice example: Added invoice/ package with HTML preview and PDF download using maroto (pure Go, no external binaries).
  • Dependency upgrades: gin 1.11, crypto 0.49, validator 10.28, gzip 1.2.5, swag 1.16.6. Removed go-gorp.
  • README refreshed for v3 with API endpoint table, project structure, and new sections for invoice demo, trusted proxies, and CORS.

Security fixes

  • Authorization bypass fixed: Article Update/Delete now enforce user_id in SQL queries (previously any authenticated user could modify any article by ID).
  • DB SSL: PostgreSQL connection respects SSL env var (sslmode=require when SSL=TRUE).
  • Logout route: Now uses TokenAuth middleware for consistent 401 responses.
  • Login error handling: CreateAuth failure now returns error instead of silently issuing unusable tokens.
  • Token validation: ExtractTokenMetadata returns explicit errors instead of nil, nil on invalid claims.
  • Test credential leak: Removed fmt.Println(DB_PASS) from test output.
  • Trusted proxies: Added SetTrustedProxies(nil) to prevent proxy header trust warning.
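
The authorization bypass fix above, modelled as an added example (not code from the gin-boilerplate repository): an in-memory stand-in for the article table, with the SQL each function represents shown in its comment. The title column, the store type and the not-found error are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-in for the article table; the project itself runs SQL through sqlx.
type article struct {
	id, userID int64
	title      string
}

type store struct{ rows []article }

var errNotFound = errors.New("article not found")

// updateUnscoped models: UPDATE article SET title=$2 WHERE id=$1
// Any authenticated caller who knows an id can change the row.
func (s *store) updateUnscoped(id int64, title string) error {
	return s.update(title, func(a article) bool { return a.id == id })
}

// updateScoped models: UPDATE article SET title=$3 WHERE id=$1 AND user_id=$2
// userID must come from the validated token, never from the request body.
func (s *store) updateScoped(userID, id int64, title string) error {
	return s.update(title, func(a article) bool { return a.id == id && a.userID == userID })
}

// update changes matching rows and, like a RowsAffected check after Exec,
// reports errNotFound when the WHERE clause matched nothing.
func (s *store) update(title string, match func(article) bool) error {
	affected := 0
	for i := range s.rows {
		if match(s.rows[i]) {
			s.rows[i].title = title
			affected++
		}
	}
	if affected == 0 {
		return errNotFound
	}
	return nil
}

func main() {
	s := &store{rows: []article{{id: 1, userID: 10, title: "owner's post"}}}
	fmt.Println("unscoped, user 20:", s.updateUnscoped(1, "changed by 20"), s.rows[0].title)
	s.rows[0].title = "owner's post"
	fmt.Println("scoped, user 20:", s.updateScoped(20, 1, "changed by 20"), s.rows[0].title)
	fmt.Println("scoped, user 10:", s.updateScoped(10, 1, "edited by owner"), s.rows[0].title)
}
```

Returning the same not-found error for a missing article and for another user's article also avoids confirming which IDs exist.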

Other improvements

  • Added DB_HOST and DB_PORT env vars for flexible DB connection
  • Removed dead TokenValid method from models and controllers
  • Replaced deprecated ioutil.ReadAll with io.ReadAll in tests
  • Fixed UserLoginResponse.Token Swagger type (was string, now Token struct)
  • Added invoice integration tests
  • Regenerated Swagger docs

v2.0

12 May 17:23


Changes:

  • Removed session-cookies auth (it can still be found in the v1-session-cookies-auth branch if needed)

  • JWT instead of session-cookies

    • Token validation middleware
    • Token generation
    • Authorization and refresh token
  • Redis as a database not as a session storage

  • Go Modules

  • Environment (.env)

  • Updated unit test

  • Code and structure enhancements

  • Middleware:

    • TokenAuthMiddleware
    • RequestIDMiddleware
    • gzip.Gzip Middleware
  • Golang in travis:

    • 1.10.x
    • 1.13.x
    • 1.14.x
    • master
  • SSL Support
    • Generate the certificates in the ./cert folder with: $ sh generate-certificate.sh
    • SSL=TRUE | FALSE in .env
    • SSL implementation in the server in main.go

Capture both access_token & refresh_token from the Login API in the Tests tab and put them in global variables

requests.

pm.test("Status code is 200", function () {
    pm.response.to.have.status(200);
    
    var jsonData = JSON.parse(responseBody);
    pm.globals.set("token", jsonData.token.access_token);
    pm.globals.set("refresh_token", jsonData.token.refresh_token);

});

To be used in:

Authorization -> Bearer Token
Value: {{token}} (Comes from global variables)

  • PostgreSQL:
    • 2 trigger functions:
      • public.created_at_column()
      • public.update_at_column()

Those are added to updated_at and created_at columns to update the latest timestamp automatically in both user and article tables. You can explore the tables and public schema for more info.

v1.05 (Last of v1)

09 May 19:46


HTTP Status update closing #7

This release will be the last to include the "session & cookies" authentication stored in Redis. Later versions and releases will use JWT for authentication.

If you still want the old-school auth, you can refer either to this release or to the v1-session-cookies-auth branch.

v0.04

05 Apr 21:55


Update article creation status from 200 to 201 using http.StatusCreat…

v0.03

15 Jun 20:04


Update database with trigger functions

v0.02

15 Jun 18:47


Add serving HTML static & dynamic pages with 404 and landing pages

v0.01: Merge pull request #2 from krolow/patch-1

10 Jan 11:15
