Go SDK for user monitoring

Sqreen protects your application's users against major threats such as account takeover, password brute-forcing, and suspicious activity coming from Tor or an unusual VPN.

The Go agent currently does not automatically detect your web framework. You are therefore required to install the middleware functions for the web framework you use to be able to use the SDK methods described below.

User monitoring SDK

The Sqreen SDK integration relies on methods such as TrackSignup() and TrackAuth(), which allow you to track the security-related events of a given user.

Here is a full example:

uid := sdk.EventUserIdentifiersMap{"uid": "my-uid"}
sqUser := sdk.FromContext(ctx).ForUser(uid)

The Go documentation of the SDK can be found at https://godoc.org/github.com/sqreen/go-agent/sdk.

User scope

User-monitoring SDK methods are provided by ForUser():

uid := sdk.EventUserIdentifiersMap{"uid": "my-uid"}
sqreen := sdk.FromContext(ctx)
sqUser := sqreen.ForUser(uid)

The user identifiers given to ForUser() should uniquely identify the user. They are used in Sqreen's user interface to help you identify which users are at risk and which are attacking your application. The map keys and values should only be strings.

Login tracking

TrackAuth(), TrackAuthSuccess() and TrackAuthFailure() are SDK methods to call on user login activity.

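uid := sdk.EventUserIdentifiersMap{"uid": "my-uid"}
sqUser := sdk.FromContext(ctx).ForUser(uid)
sqUser.TrackAuthSuccess() // call this when the login succeeded
sqUser.TrackAuthFailure() // call this instead when the login failed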

Sqreen integration at signup and login

Do not call TrackAuth() or its success/failure variants each time you check a user session in your application. Call them only when a user actually logs into your app.

Signup tracking

TrackSignup() is the SDK method to call when creating a new user account at signup.

uid := sdk.EventUserIdentifiersMap{"uid": "my-uid"}
sqUser := sdk.FromContext(ctx).ForUser(uid)
sqUser.TrackSignup() // call once, when the new account is created

User identification

User monitoring and PII

If you are concerned about sending sensitive data to us and want to avoid leaking any Personally Identifying Information (PII), visit this blog post to learn some best practices around user tracking.

If your users are identified with a composite primary key (multiple values), all of them should be sent in order to identify them accurately on Sqreen's user interface.

For example, if you are operating a white-label platform and your users are identified by their email and the shop ID, you can send these identifiers like this:

uid := sdk.EventUserIdentifiersMap{
    "email": user.email,
    "platform_id": user.platform_id,
}
sqUser := sdk.FromContext(ctx).ForUser(uid)

Sqreen SDK only accepts user identifiers

Do not send any other information (like the auth failure reason). Sqreen will consider them as part of the user identifier, and will not be able to merge successful and failed authentications.

Primary key

Sqreen tries to determine a primary key amongst the keys you provided. The following keywords are used to determine the user primary identification key: email, mail, e-mail, username, login.

If none of those keys are found, Sqreen uses the first in alphabetic order.

If multiple keys are found, Sqreen uses the first in the sequence mentioned above.
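
The identifiers-only rule and the primary-key rule above can be checked locally before an identifiers map is passed to ForUser(). This is an added example, not Sqreen's code or part of the SDK: PrimaryKey and ExtraKeys are hypothetical helper names, keyword matching is assumed to be exact on the key name, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Keyword order documented on this page for primary-key selection.
var primaryKeywords = []string{"email", "mail", "e-mail", "username", "login"}

// PrimaryKey (hypothetical helper) models the documented rule locally: the
// first documented keyword present in ids wins, otherwise the first key in
// alphabetic order. Assumption: keywords match key names exactly.
func PrimaryKey(ids map[string]string) string {
	for _, kw := range primaryKeywords {
		if _, ok := ids[kw]; ok {
			return kw
		}
	}
	first := ""
	for k := range ids {
		if first == "" || k < first {
			first = k
		}
	}
	return first
}

// ExtraKeys (hypothetical helper) returns, sorted, the keys of ids that are
// not in the application's own list of identifier fields.
func ExtraKeys(ids map[string]string, allowed ...string) []string {
	isID := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		isID[a] = true
	}
	extra := []string{}
	for k := range ids {
		if !isID[k] {
			extra = append(extra, k)
		}
	}
	sort.Strings(extra)
	return extra
}

func main() {
	bad := map[string]string{"email": "a@example.com", "platform_id": "shop-42", "reason": "bad password"} // constructed sample
	fmt.Println(PrimaryKey(bad), ExtraKeys(bad, "email", "platform_id"))
}
```

A non-empty ExtraKeys result means the map carries something other than identifiers, such as the failure reason, and should be trimmed before it is sent.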