First, a note: don't even consider using HTTP basic auth in your public-facing page unless you have it served behind an HTTPS reverse proxy! The username and password, sent to and fro from client to server in the HTTP headers, is in plaintext by default, and only HTTPS with TLS will guarantee that the credentials in those HTTP headers are encrypted.
Given that caveat, here is a complete minimal example of using HTTP basic auth to gate access to a Go web app.
Go Playground Example <-- this won't work in the Playground -- copy and build locally
FAQ
Q: Go's http lib supports TLS to serve out endpoints. Why didn't you just do that instead of serving out an HTTP app behind a reverse proxy?
A: HTTP basic auth seems to be mutually exclusive with direct use of the HTTPS protocol (see my comment at start of this post about the 'basic auth' mechanism being neglected...). Perhaps I missed something. Let me know if I'm wrong, and how to do it securely without an HTTPS reverse proxy! Thanks.
Q: How do I support multiple users/roles using the example you give?
A: No idea. I think it could be done, with auxiliary logic to track separate session users/passwords, but this is left as an exercise for the reader. [Meaning, like all my college profs ... I forget/I can't be arsed to work it out right now.]
-R.