README
ΒΆ
CrydenSync π
Embeddable authentication engine for Go β offline-first, framework-agnostic.
π― The Problem
Authentication is not business logic, yet every project rewrites it. Developers face three painful choices:
- Rewrite auth logic for every project β risky, inconsistent, time-consuming
- Use hosted auth services β vendor lock-in, users aren't yours, requires internet
- Use framework-specific tools β tied to Express, Django, Next.js β not reusable
π‘ The Solution
CrydenSync is an embeddable authentication engine that gives you a standard, reusable auth system you control:
package main
import (
"context"
"fmt"
"log"
"github.com/crydensync/cryden"
)
func main() {
// Create context
ctx := context.Background()
// 1. Create engine (in-memory storage - perfect for testing)
engine := cryden.New()
fmt.Println("β
Engine created")
// 2. Sign up a new user
email := "alice@example.com"
password := "SecurePass123"
user, err := cryden.SignUp(ctx, engine, email, password)
if err != nil {
log.Fatalf("β SignUp failed: %v", err)
}
fmt.Printf("β
User created: %s (%s)\n", user.ID, user.Email)
// 3. Login
tokens, rateLimit, err := cryden.Login(ctx, engine, email, password)
if err != nil {
log.Fatalf("β Login failed: %v", err)
}
fmt.Printf("β
Login successful!\n")
fmt.Printf(" Access Token: %s...\n", tokens.AccessToken[:50])
fmt.Printf(" Refresh Token: %s...\n", tokens.RefreshToken[:50])
fmt.Printf(" Rate Limit Remaining: %d\n", rateLimit.Remaining)
// 4. Verify token
userID, err := cryden.VerifyToken(engine, tokens.AccessToken)
if err != nil {
log.Fatalf("β Token verification failed: %v", err)
}
fmt.Printf("β
Token verified for user: %s\n", userID)
// 5. Logout
err = cryden.Logout(ctx, engine, tokens.RefreshToken)
if err != nil {
log.Fatalf("β Logout failed: %v", err)
}
fmt.Println("β
Logout successful")
// 6. Try to use logged out token (should fail)
_, err = cryden.RefreshToken(ctx, engine, tokens.RefreshToken)
if err != nil {
fmt.Printf("β
Expected error after logout: %v\n", err)
}
fmt.Println("\nπ All tests passed!")
}
β¨ Features
β v1.0.0 (Current)
Β· Email/password authentication β Secure, bcrypt hashed Β· JWT access tokens β Short-lived, stateless Β· Opaque refresh tokens β Stored in DB for revocation Β· Rate limiting β Per IP with headers (X-RateLimit-*) Β· Audit logging β Track every auth event Β· Session management β Logout single device or all devices Β· Multiple storage backends β Memory, SQLite, PostgreSQL, MongoDB Β· Complete test suite β 90%+ coverage Β· Offline-first β Works without internet, SQLite by default
π§ Coming Soon
Feature Status Target gRPC API π§ Planned v1.1.0 CLI tool (csax) π§ Planned v1.1.0 Language SDKs (JS, Python, PHP) π§ Planned v1.2.0 MFA/2FA (TOTP) π Future v1.3.0 Magic Links π Future v1.3.0 WebAuthn/Passkeys π Future v2.0.0
π¦ Installation
go get github.com/crydensync/cryden@v1.0.0
π Documentation
Section Description π Getting Started 60-second working auth π― Philosophy Why Cryden exists ποΈ Architecture How it works π Design Decisions Why we built it this way π§ Guide Installation, config, middleware, testing π Adapters Interface implementations π API Reference Complete API docs π‘ Examples Copy-paste working code
π§ͺ Testing
CrydenSync is designed for maximum testability:
func TestLogin(t *testing.T) {
engine := cryden.New() // In-memory storage
// Optional: Use mock hasher for faster tests
engine.WithHasher(&core.MockHasher{})
// Optional: Disable rate limiting
engine.WithRateLimiter(&core.NoopRateLimiter{})
ctx := context.Background()
cryden.SignUp(ctx, engine, "test@example.com", "pass")
tokens, _, err := cryden.Login(ctx, engine, "test@example.com", "pass")
assert.NoError(t, err)
assert.NotEmpty(t, tokens.AccessToken)
}
π Testing Guide β
π§ Configuration
// With SQLite persistence
engine, err := cryden.WithSQLite("users.db")
// With custom JWT secret (required in production)
cryden.WithJWTSecret(engine, os.Getenv("JWT_SECRET"))
// With custom rate limiter
engine.WithRateLimiter(redis.NewRateLimiter())
// With custom audit logger
engine.WithAuditLogger(file.NewAuditLogger("auth.log"))
π Storage Backends
Backend Status Use Case Memory β Stable Testing SQLite β Stable Offline-first, development PostgreSQL β Stable Production MongoDB β Stable Document stores MySQL π§ Planned v1.1.0 Redis π§ Planned v1.1.0 (rate limiting)
π About the Name
CrydenSync is the full name of the project, but the Go package is simply cryden for brevity.
import "github.com/crydensync/cryden" // Notice: crydensync/cryden
auth := cryden.New() // Short and sweet!
π Security Notes v1.0.0
β Implemented
- Password hashing with bcrypt
- JWT signing with HMAC-SHA256
- Rate limiting to prevent brute force
- Audit logging for all auth events
β οΈ Planned for v1.1.0
- Refresh token hashing in database
- Session token hashing
- Device fingerprinting
- Argon2id hasher option
Future Security Enhancements
- Email verification (v1.1)
- Password reset flow (v1.1)
- MFA/2FA (v1.2)
- Login notifications (v1.2)
- Breached password detection (v1.2)
π Best Practices
- Always use HTTPS in production
- Set strong JWT secrets via environment variables
- Monitor audit logs for suspicious activity
- Add email verification before sensitive actions
π€ Contributing
We welcome contributions! See CONTRIBUTING.md for:
Β· Code of Conduct Β· Development setup Β· Pull request process Β· Coding standards
π License
MIT Β© Crydensync
β Support
If you find Cryden useful, please star the repo!
πΊοΈ Roadmap
Current: v1.0.0 (March 2026)
β Core authentication with email/password. β JWT + refresh tokens. β Rate limiting & audit logs. β Multiple databases (SQLite, PostgreSQL, MongoDB)
Coming in v1.1.0 (Q2 2026)
π CLI tool (csax)
π± Device tracking (IP, user agent, last seen)
π Argon2id hasher
β‘ Redis rate limiter
le audit logger
π¬ MySQL support
Coming in v1.2.0 (Q3 2026)
π gRPC API π Language SDKs (JS, Python, PHP) π Webhooks π Migration tools (Clerk, Auth0, Supabase)
Coming in v1.3.0 (Q4 2026)
π Multi-Factor Authentication (TOTP) π§ Magic links & passwordless π WebAuthn / Passkeys π Social login (OAuth2)
Future (2027+)
βοΈ Optional cloud sync π Enterprise features π More adapters π v2.0.0 (breaking changes if needed)
Documentation
ΒΆ
Overview ΒΆ
Package cryden is the main entry point for the CrydennSync authentication engine.
Index ΒΆ
- Variables
- func ChangeEmail(ctx context.Context, engine *Engine, userID, newEmail string) error
- func ChangePassword(ctx context.Context, engine *Engine, userID, oldPassword, newPassword string) error
- func DeleteAccount(ctx context.Context, engine *Engine, userID string) error
- func Login(ctx context.Context, engine *Engine, email, password string) (*TokenPair, *LimitResult, error)
- func Logout(ctx context.Context, engine *Engine, refreshToken string) error
- func LogoutAll(ctx context.Context, engine *Engine, userID string) error
- func RevokeSession(ctx context.Context, engine *Engine, sessionID string) error
- func VerifyToken(engine *Engine, tokenString string) (string, error)
- type AuditEntry
- type AuditLogger
- type Claims
- type Engine
- func New() *Engine
- func WithAuditLogger(engine *Engine, logger AuditLogger) *Engine
- func WithHasher(engine *Engine, hasher Hasher) *Engine
- func WithJWTSecret(engine *Engine, secret string) *Engine
- func WithRateLimiter(engine *Engine, limiter RateLimiter) *Engine
- func WithSQLite(dbPath string) (*Engine, error)
- type Hasher
- type LimitResult
- type RateLimiter
- type Session
- type SessionStore
- type TokenPair
- type User
- type UserStore
Constants ΒΆ
This section is empty.
Variables ΒΆ
var ( ErrUserExists = core.ErrUserExists ErrUserNotFound = core.ErrUserNotFound ErrInvalidCredentials = core.ErrInvalidCredentials ErrInvalidEmail = core.ErrInvalidEmail ErrPasswordTooShort = core.ErrPasswordTooShort ErrPasswordTooLong = core.ErrPasswordTooLong ErrPasswordNoUpper = core.ErrPasswordNoUpper ErrPasswordNoLower = core.ErrPasswordNoLower ErrPasswordNoNumber = core.ErrPasswordNoNumber ErrTooManyAttempts = core.ErrTooManyAttempts ErrInvalidToken = core.ErrInvalidToken ErrSessionNotFound = core.ErrSessionNotFound )
Functions ΒΆ
func ChangeEmail ΒΆ
ChangeEmail updates user's email
func ChangePassword ΒΆ
func ChangePassword(ctx context.Context, engine *Engine, userID, oldPassword, newPassword string) error
ChangePassword updates user's password and logs out all devices
func DeleteAccount ΒΆ
DeleteAccount removes user and all sessions
func Login ΒΆ
func Login(ctx context.Context, engine *Engine, email, password string) (*TokenPair, *LimitResult, error)
Login authenticates a user and returns tokens
func RevokeSession ΒΆ
RevokeSession manually revokes a specific session
Types ΒΆ
type AuditEntry ΒΆ
type AuditEntry = core.AuditEntry
type AuditLogger ΒΆ
type AuditLogger = core.AuditLogger
type Engine ΒΆ
Engine is the main authentication engine
func WithAuditLogger ΒΆ
func WithAuditLogger(engine *Engine, logger AuditLogger) *Engine
WithAuditLogger sets a custom audit logger
func WithHasher ΒΆ
WithHasher sets a custom password hasher
func WithJWTSecret ΒΆ
WithJWTSecret sets a custom JWT secret
func WithRateLimiter ΒΆ
func WithRateLimiter(engine *Engine, limiter RateLimiter) *Engine
WithRateLimiter sets a custom rate limiter
func WithSQLite ΒΆ
WithSQLite creates an engine with persistent SQLite storage
type LimitResult ΒΆ
type LimitResult = core.LimitResult
type RateLimiter ΒΆ
type RateLimiter = core.RateLimiter
type SessionStore ΒΆ
type SessionStore = core.SessionStore
Source Files
Directories