A professional Go backend API for managing quotes with user authentication, role-based access control, and audit logging.
- User Registration & Authentication: API key-based authentication
- Role-based Access Control: Admin and User roles
- Quotes Management: Add, view quotes with author information
- Admin Panel: User management, deactivation/reactivation
- Audit Logging: Track all system activities
- SQLite Database: Lightweight, embedded database
- RESTful API: Clean, professional API design
```text
quotes-api/
├── main.go                              # Main application file
├── go.mod                               # Go module dependencies
├── quotes.db                            # SQLite database (auto-created)
├── README.md                            # This file
└── Quotes_API.postman_collection.json   # Postman test collection
```
- Go 1.21 or higher
- Git (for cloning)
```bash
mkdir quotes-api
cd quotes-api
go mod init quotes-api
```
Copy the provided main.go content into your project directory.
Copy the provided go.mod content or run:
```bash
go mod tidy
go get github.com/gorilla/mux
go get github.com/mattn/go-sqlite3
go get github.com/rs/cors
go get golang.org/x/crypto
```
```bash
go run main.go
```
The server will start on http://localhost:8080
- Email: Shariar@gmail.com
- Password: Alpha1234
- Role: admin
| Method | Endpoint | Description |
|---|---|---|
| GET | /health | Check API health status |
| GET | /quotes | View all quotes (public) |
| GET | /quotes/{id} | Get specific quote by ID |
| POST | /register | Register new user |
| POST | /admin/login | Admin login |

| Method | Endpoint | Description | Header Required |
|---|---|---|---|
| POST | /quotes | Add new quote | X-API-Key |

| Method | Endpoint | Description | Header Required |
|---|---|---|---|
| GET | /admin/users | View all users | X-API-Key (Admin) |
| PUT | /admin/users/{id}/deactivate | Deactivate user | X-API-Key (Admin) |
| PUT | /admin/users/{id}/reactivate | Reactivate user | X-API-Key (Admin) |
| GET | /admin/audit-logs | View audit logs | X-API-Key (Admin) |
```bash
curl -X GET http://localhost:8080/health
```
```bash
curl -X POST http://localhost:8080/admin/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "Shariar@gmail.com",
    "password": "Alpha1234"
  }'
```
```bash
curl -X POST http://localhost:8080/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "userpass123"
  }'
```
```bash
curl -X POST http://localhost:8080/quotes \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY_HERE" \
  -d '{
    "quote": "The only way to do great work is to love what you do.",
    "author": "Steve Jobs"
  }'
```
```bash
curl -X GET http://localhost:8080/quotes
```
```bash
curl -X GET http://localhost:8080/quotes/1
```
Users table:
- id (INTEGER, PRIMARY KEY)
- email (TEXT, UNIQUE)
- password (TEXT, hashed)
- role (TEXT: 'user' or 'admin')
- api_key (TEXT, UNIQUE)
- is_active (BOOLEAN)
- created_at (DATETIME)

Quotes table:
- id (INTEGER, PRIMARY KEY)
- quote (TEXT)
- author (TEXT)
- user_id (INTEGER, FOREIGN KEY)
- created_at (DATETIME)

Audit logs table:
- id (INTEGER, PRIMARY KEY)
- user_id (INTEGER, FOREIGN KEY)
- action (TEXT)
- details (TEXT)
- timestamp (DATETIME)
The API uses API key-based authentication:
- Registration: Users register and receive an API key
- API Key Usage: Include the X-API-Key header in requests
- Role Verification: The system checks the user's role for admin endpoints
- Account Status: Deactivated accounts cannot access the API
Import the provided Quotes_API.postman_collection.json file into Postman for easy testing:
- Open Postman
- Click "Import"
- Select the JSON file
- The collection includes all endpoints with proper authentication
- Variables are automatically set for API keys
- Health Check - Verify API is running
- Admin Login - Get admin API key (auto-saved)
- Register User - Create user and get API key (auto-saved)
- Add Quotes - Test quote creation
- View Quotes - Test public access
- Admin Functions - Test user management
- Audit Logs - View system activities
The API returns consistent JSON responses:
```jsonc
{
  "success": true/false,
  "message": "Description of result",
  "data": {} // Optional data payload
}
```
Status codes:
- 200 - Success
- 400 - Bad Request (invalid input)
- 401 - Unauthorized (invalid/missing API key)
- 403 - Forbidden (insufficient permissions/deactivated account)
- 404 - Not Found
- 409 - Conflict (duplicate email)
- 500 - Internal Server Error
- Password Hashing: bcrypt with default cost
- API Key Generation: Cryptographically secure random keys
- Role-based Access: Separate user and admin permissions
- Account Management: Deactivation/reactivation system
- Audit Logging: Complete activity tracking
- CORS Support: Cross-origin resource sharing enabled
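As an added example (not the project's main.go), here is how the authentication rules and the security features listed above fit together in Go: API keys drawn from crypto/rand, a constant-time key comparison, and a middleware that enforces the 401 (missing/unknown key) and 403 (deactivated account or non-admin on an admin route) cases using the README's JSON envelope. An in-memory slice of users stands in for the SQLite users table; that and the key values are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"net/http"
)

// User carries the users-table fields the checks need; a slice stands in for SQLite (assumption).
type User struct {
	Role, APIKey string // Role is "user" or "admin"
	IsActive     bool
}

// GenerateAPIKey draws 32 bytes from crypto/rand and hex-encodes them (64 characters).
func GenerateAPIKey() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// writeJSON emits the README's {"success", "message"} envelope with the given status.
func writeJSON(w http.ResponseWriter, status int, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]any{"success": status < 400, "message": msg})
}

// RequireAPIKey: missing or unknown key -> 401; deactivated account, or a non-admin on an
// admin-only route -> 403; otherwise next runs. Keys are compared in constant time.
func RequireAPIKey(users []User, adminOnly bool, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		key := []byte(r.Header.Get("X-API-Key"))
		for _, u := range users {
			if len(key) > 0 && subtle.ConstantTimeCompare([]byte(u.APIKey), key) == 1 {
				if !u.IsActive || (adminOnly && u.Role != "admin") {
					writeJSON(w, http.StatusForbidden, "account deactivated or insufficient permissions")
					return
				}
				next(w, r)
				return
			}
		}
		writeJSON(w, http.StatusUnauthorized, "invalid or missing API key")
	}
}
```

Wrap an admin handler as `RequireAPIKey(users, true, handler)` and a user-level one with `adminOnly=false`; a deactivated account is refused on both even if its key is still valid.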
- Define the handler function
- Add the route in the main() function
- Apply appropriate middleware
- Add audit logging if needed
- Update the Postman collection
- Use prepared statements (already implemented)
- Handle sql.ErrNoRows for not-found cases
- Close result sets with defer rows.Close()
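An added example (not from the project's main.go) of the endpoint pattern described in the two lists above, applied to the public GET /quotes/{id} route: a QuoteStore function type stands in for the prepared-statement QueryRow lookup, and sql.ErrNoRows is mapped to 404 rather than surfacing as a 500. The project routes with gorilla/mux; to stay dependency-free this version takes the id from the URL path with net/http, which is an assumption.

```go
package main

import (
	"database/sql"
	"encoding/json"
	"errors"
	"net/http"
	"strconv"
	"strings"
)

// Quote mirrors the quotes-table columns the README lists.
type Quote struct {
	ID     int64  `json:"id"`
	Quote  string `json:"quote"`
	Author string `json:"author"`
	UserID int64  `json:"user_id"`
}

// QuoteStore abstracts the SQLite lookup. The real one runs a prepared
// `SELECT ... WHERE id = ?` via QueryRow and yields sql.ErrNoRows when nothing matches.
type QuoteStore func(id int64) (Quote, error)

// QuoteByID maps store outcomes to the README's status codes and JSON envelope:
// non-numeric id -> 400, sql.ErrNoRows -> 404, other errors -> 500, found -> 200.
func QuoteByID(store QuoteStore, rawID string) (int, map[string]any) {
	id, err := strconv.ParseInt(rawID, 10, 64)
	if err != nil || id <= 0 {
		return http.StatusBadRequest, map[string]any{"success": false, "message": "invalid quote id"}
	}
	q, err := store(id)
	switch {
	case errors.Is(err, sql.ErrNoRows):
		return http.StatusNotFound, map[string]any{"success": false, "message": "quote not found"}
	case err != nil: // log it server-side; never echo database errors to the client
		return http.StatusInternalServerError, map[string]any{"success": false, "message": "internal error"}
	}
	return http.StatusOK, map[string]any{"success": true, "message": "quote found", "data": q}
}

// GetQuoteHandler serves the public GET /quotes/{id} route. The project uses gorilla/mux
// (mux.Vars(r)["id"]); this dependency-free version takes the id from the path instead.
func GetQuoteHandler(store QuoteStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		status, body := QuoteByID(store, strings.TrimPrefix(r.URL.Path, "/quotes/"))
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		json.NewEncoder(w).Encode(body)
	}
}
```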
- Use Postman collection for comprehensive testing
- Test both success and error scenarios
- Verify audit logs are created
- Test deactivated user scenarios
- Database locked: Ensure proper connection closing
- Port in use: Change the port in the main() function
- Dependencies: Run go mod tidy to resolve
- Permissions: Ensure write access for the SQLite file
The application logs:
- Server startup information
- Default admin creation
- Audit activities (in database)
- Error conditions
- Use environment variables for sensitive data
- Implement rate limiting
- Add HTTPS/TLS support
- Use stronger password policies
- Implement JWT tokens instead of API keys
- Consider PostgreSQL for production
- Add database connection pooling
- Implement database migrations
- Add backup strategies
- Add structured logging
- Implement health checks
- Add metrics collection
- Monitor database performance
This project is provided as-is for educational and development purposes.