I wrote a Go Web Application with authentication and an API to learn Golang.
I must say, writing an API and some other services (SMTP pipe listener) was much nicer in Go than Authentication.
There is gorilla/sessions for sessions, but there's a lot to be desired here. A weak secret here means other people can decrypt the SessionStore Blob and possibly get secret information as a passive attacker or authenticate as another user. This sessionstore passphrase is the key to your entire webapp.
There's also nothing built in to Go for CSRF tokens, and HTMLTemplates are nice for preventing XSS but a pain in the butt for embedding, generating, and storing/regenerating (depending on how big you are) CSRF tokens.
Overall though....Writing Go has been pure joy for me. These are super knitpicky things to complain about.
I think those issues will improve over time with maturity. Golang seems to not like to do things in more than one way, as the article stated. Currently there is competing solutions to all of those problems[1]. I suspect you won't see built in solutions until community libs and users choose the prevailing standard solution to each problem.
To also be fair, web apps are nodes bread and butter, not so much so for Golang (apart from maybe api's - which tend to have pretty straight forward auth mechanisms and dont require csrf, xss or templating solutions, traditionally anyway). With that in mind I wouldn't be surprised if go's devs continue to leave web solutions up to the community. I expect to see a lot of frameworks come along similar to pythons django, rubys rails, and phps laravel.
Disclaimer: non elitist node dev, closely watching go
I don't think you can really beat node for static web-apps.
Its just too strong. The development loop is great when using a build chain like gulp, deployment is relatively easy, scaling up and out is easy (by nature of it being a static webapp), single toolchain, single language (well at its core anyway) etc etc.
Writing API's, specifically restful ones, can be done, and for small stuff its quite nice, but as soon as you start adding processes, services and anything more complex than crud functionality it falls over development wise.
I must say, writing an API and some other services (SMTP pipe listener) was much nicer in Go than Authentication.
There is gorilla/sessions for sessions, but there's a lot to be desired here. A weak secret here means other people can decrypt the SessionStore Blob and possibly get secret information as a passive attacker or authenticate as another user. This sessionstore passphrase is the key to your entire webapp.
There's also nothing built in to Go for CSRF tokens, and HTMLTemplates are nice for preventing XSS but a pain in the butt for embedding, generating, and storing/regenerating (depending on how big you are) CSRF tokens.
Overall though....Writing Go has been pure joy for me. These are super knitpicky things to complain about.