fiber
SKILL.md
Fiber Framework Guide
Applies to: Fiber v2.50+, Go 1.21+, High-Performance REST APIs, Microservices
Overview
Fiber is an Express-inspired web framework built on top of Fasthttp, the fastest HTTP engine for Go. It is designed for ease of use with zero memory allocation and performance in mind.
Key Features:
- Express-like API (familiar to Node.js developers)
- Built on Fasthttp (10x faster than net/http)
- Zero memory allocation in hot paths
- Built-in middleware collection
- WebSocket support, rate limiting, template engines
When to use Fiber:
- High-throughput APIs requiring maximum performance
- Teams familiar with Express.js migrating to Go
- Real-time applications with WebSockets
- Microservices requiring low latency
Project Structure
myapi/
├── cmd/
│ └── api/
│ └── main.go # Application entry point
├── internal/
│ ├── config/
│ │ └── config.go # Configuration management
│ ├── handler/
│ │ ├── handler.go # Handler container
│ │ ├── user_handler.go # User handlers
│ │ └── health_handler.go # Health check handlers
│ ├── middleware/
│ │ ├── auth.go # JWT authentication
│ │ ├── logger.go # Request logging
│ │ └── recover.go # Panic recovery
│ ├── model/
│ │ ├── user.go # User model
│ │ └── dto.go # Data transfer objects
│ ├── repository/
│ │ ├── repository.go # Repository interface
│ │ └── user_repository.go # User repository
│ ├── service/
│ │ ├── service.go # Service container
│ │ ├── user_service.go # User business logic
│ │ └── auth_service.go # Authentication service
│ └── router/
│ └── router.go # Route definitions
├── pkg/
│ ├── validator/
│ │ └── validator.go # Custom validator
│ └── response/
│ └── response.go # Response helpers
├── go.mod
├── go.sum
└── README.md
internal/for private application code (not importable externally)pkg/for reusable shared librariescmd/for application entry points- Handlers are thin; business logic lives in services
- Data access isolated in repositories
Application Setup
// cmd/api/main.go
package main
import (
"context"
"log"
"os"
"os/signal"
"syscall"
"time"
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/cors"
"github.com/gofiber/fiber/v2/middleware/helmet"
"github.com/gofiber/fiber/v2/middleware/limiter"
"github.com/gofiber/fiber/v2/middleware/requestid"
"myapi/internal/config"
"myapi/internal/handler"
"myapi/internal/middleware"
"myapi/internal/repository"
"myapi/internal/router"
"myapi/internal/service"
)
func main() {
cfg, err := config.Load()
if err != nil {
log.Fatalf("Failed to load config: %v", err)
}
db, err := config.NewDatabase(cfg)
if err != nil {
log.Fatalf("Failed to connect to database: %v", err)
}
app := fiber.New(fiber.Config{
AppName: cfg.AppName,
ReadTimeout: cfg.ReadTimeout,
WriteTimeout: cfg.WriteTimeout,
IdleTimeout: cfg.IdleTimeout,
BodyLimit: cfg.BodyLimit,
Prefork: cfg.Prefork,
ErrorHandler: customErrorHandler,
})
// Global middleware stack
app.Use(requestid.New())
app.Use(middleware.Logger())
app.Use(middleware.Recover())
app.Use(cors.New(cors.Config{
AllowOrigins: cfg.CORSAllowOrigins,
AllowMethods: "GET,POST,PUT,DELETE,PATCH,OPTIONS",
AllowHeaders: "Origin,Content-Type,Accept,Authorization",
AllowCredentials: true,
}))
app.Use(helmet.New())
app.Use(limiter.New(limiter.Config{
Max: cfg.RateLimitMax,
Expiration: cfg.RateLimitExpiration,
KeyGenerator: func(c *fiber.Ctx) string {
return c.IP()
},
LimitReached: func(c *fiber.Ctx) error {
return c.Status(fiber.StatusTooManyRequests).JSON(fiber.Map{
"error": "Rate limit exceeded",
})
},
}))
// Initialize layers (dependency injection)
repos := repository.NewRepositories(db)
services := service.NewServices(repos, cfg)
handlers := handler.NewHandlers(services)
router.Setup(app, handlers, services.Auth)
// Graceful shutdown
go func() {
if err := app.Listen(":" + cfg.Port); err != nil {
log.Fatalf("Failed to start server: %v", err)
}
}()
quit := make(chan os.Signal, 1)
signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
<-quit
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
if err := app.ShutdownWithContext(ctx); err != nil {
log.Fatalf("Server forced to shutdown: %v", err)
}
sqlDB, _ := db.DB()
sqlDB.Close()
}
func customErrorHandler(c *fiber.Ctx, err error) error {
code := fiber.StatusInternalServerError
message := "Internal Server Error"
if e, ok := err.(*fiber.Error); ok {
code = e.Code
message = e.Message
}
return c.Status(code).JSON(fiber.Map{
"error": message,
"code": code,
"request": c.Locals("requestid"),
})
}
Routing and Grouping
// internal/router/router.go
func Setup(app *fiber.App, h *handler.Handlers, authService service.AuthService) {
// Health checks (public)
app.Get("/health", h.Health.Health)
app.Get("/ready", h.Health.Ready)
// API v1
v1 := app.Group("/api/v1")
// Auth routes (public)
auth := v1.Group("/auth")
auth.Post("/login", h.User.Login)
auth.Post("/register", h.User.Create)
// Protected auth routes
authProtected := auth.Group("", middleware.Auth(authService))
authProtected.Get("/profile", h.User.GetProfile)
// User routes (protected)
users := v1.Group("/users", middleware.Auth(authService))
users.Get("/", h.User.GetAll)
users.Get("/:id", h.User.GetByID)
users.Put("/:id", h.User.Update)
users.Delete("/:id", middleware.RequireRole("admin"), h.User.Delete)
}
Routing rules:
- Group routes by resource and version (
/api/v1/users) - Apply auth middleware at the group level, not per-route
- Use role-based middleware for fine-grained access control
- Health and readiness checks always public, at root level
Middleware
Authentication Middleware
func Auth(authService service.AuthService) fiber.Handler {
return func(c *fiber.Ctx) error {
authHeader := c.Get("Authorization")
if authHeader == "" {
return fiber.NewError(fiber.StatusUnauthorized, "Missing authorization header")
}
parts := strings.SplitN(authHeader, " ", 2)
if len(parts) != 2 || parts[0] != "Bearer" {
return fiber.NewError(fiber.StatusUnauthorized, "Invalid authorization format")
}
claims, err := authService.ValidateToken(parts[1])
if err != nil {
return fiber.NewError(fiber.StatusUnauthorized, "Invalid token")
}
c.Locals("userID", claims.UserID)
c.Locals("userEmail", claims.Email)
c.Locals("userRole", claims.Role)
return c.Next()
}
}
Role-Based Access
func RequireRole(roles ...string) fiber.Handler {
return func(c *fiber.Ctx) error {
userRole, ok := c.Locals("userRole").(string)
if !ok {
return fiber.NewError(fiber.StatusForbidden, "Access denied")
}
for _, role := range roles {
if userRole == role {
return c.Next()
}
}
return fiber.NewError(fiber.StatusForbidden, "Insufficient permissions")
}
}
Custom Logger and Recovery
func Logger() fiber.Handler {
return func(c *fiber.Ctx) error {
start := time.Now()
err := c.Next()
log.Printf("[%s] %s %s %d %s",
c.Method(), c.Path(), c.IP(),
c.Response().StatusCode(), time.Since(start))
return err
}
}
func Recover() fiber.Handler {
return func(c *fiber.Ctx) error {
defer func() {
if r := recover(); r != nil {
log.Printf("Panic recovered: %v\n%s", r, debug.Stack())
c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
"error": "Internal server error",
})
}
}()
return c.Next()
}
}
Request Handling and Validation
Generic Body Validator
func ValidateBody[T any](c *fiber.Ctx, v *CustomValidator) (*T, error) {
var body T
if err := c.BodyParser(&body); err != nil {
return nil, fiber.NewError(fiber.StatusBadRequest, "Invalid request body")
}
if err := v.Validate(&body); err != nil {
return nil, err
}
return &body, nil
}
DTO Pattern with Validation Tags
type CreateUserRequest struct {
Email string `json:"email" validate:"required,email,max=255"`
Password string `json:"password" validate:"required,min=8,max=72"`
Name string `json:"name" validate:"required,min=2,max=100"`
}
type UpdateUserRequest struct {
Email string `json:"email" validate:"omitempty,email,max=255"`
Name string `json:"name" validate:"omitempty,min=2,max=100"`
}
Response Helpers
func Success(c *fiber.Ctx, data interface{}) error {
return c.JSON(fiber.Map{"success": true, "data": data})
}
func Created(c *fiber.Ctx, data interface{}) error {
return c.Status(fiber.StatusCreated).JSON(fiber.Map{"success": true, "data": data})
}
func Error(c *fiber.Ctx, code int, message string) error {
return c.Status(code).JSON(fiber.Map{"success": false, "error": message})
}
func Paginated(c *fiber.Ctx, data interface{}, page, pageSize int, total int64) error {
totalPages := int(total) / pageSize
if int(total)%pageSize > 0 {
totalPages++
}
return c.JSON(fiber.Map{
"success": true,
"data": data,
"meta": fiber.Map{
"page": page, "page_size": pageSize,
"total_items": total, "total_pages": totalPages,
},
})
}
Error Handling
- Use
fiber.NewError(code, message)for HTTP errors in handlers - Implement a custom
ErrorHandleron the app for consistent responses - Return domain errors from services; map them to HTTP codes in handlers
- Never expose internal error details to clients
func (h *UserHandler) Create(c *fiber.Ctx) error {
req, err := validator.ValidateBody[model.CreateUserRequest](c, h.validator)
if err != nil {
if _, ok := err.(*fiber.Error); ok {
return err
}
return response.ValidationError(c, err)
}
user, err := h.service.Create(c.Context(), req)
if err != nil {
if errors.Is(err, service.ErrUserAlreadyExists) {
return response.Error(c, fiber.StatusConflict, "User already exists")
}
return err // Falls through to custom error handler
}
return response.Created(c, user.ToResponse())
}
Best Practices
Performance
- Enable
Preforkfor multi-core utilization in production - Use Fasthttp's zero-allocation patterns
- Configure appropriate read/write/idle timeouts
- Use connection pooling for databases (25 max open, 5 min lifetime)
- Use
fiber.Ctx.Context()for request-scoped context
Security
- Use
helmetmiddleware for security headers - Implement rate limiting per IP (built-in
limitermiddleware) - Validate all inputs via
go-playground/validator - Use CORS middleware with explicit origins in production
- Hash passwords with bcrypt; use JWT HS256 for tokens
Code Organization
- Follow clean architecture: handler -> service -> repository
- Use dependency injection (no global state)
- Keep handlers thin (parse, validate, delegate, respond)
- Define interfaces where consumed, not where implemented
- Use DTO structs for request/response serialization
Error Handling
- Use a custom error handler on the Fiber app
- Return consistent JSON error responses with
success,error,code - Log errors with request context (request ID, method, path)
- Do not expose stack traces or internal details to clients
Commands
# Development
go run cmd/api/main.go
# Build
go build -o bin/api cmd/api/main.go
# Production build
CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o bin/api cmd/api/main.go
# Tests
go test ./...
go test -cover ./...
go test -race ./...
# Swagger docs (with swag)
swag init -g cmd/api/main.go
# Database migrations (with golang-migrate)
migrate -path migrations -database "$DATABASE_URL" up
migrate -path migrations -database "$DATABASE_URL" down 1
# Lint
golangci-lint run
Dependencies
Core: fiber/v2, gofiber/swagger | Database: gorm, gorm/driver/postgres | Validation: go-playground/validator/v10 | Auth: golang-jwt/jwt/v5, x/crypto/bcrypt | Testing: stretchr/testify | Docs: swaggo/swag
Advanced Topics
For detailed patterns and examples, see:
- references/patterns.md -- Handler examples, database, WebSocket, testing, and performance patterns
External References
Weekly Installs
10
Repository
ar4mirez/samuelGitHub Stars
3
First Seen
14 days ago
Security Audits
Installed on
opencode10
gemini-cli10
github-copilot10
codex10
amp10
cline10