Best way to check user permissions in a Go web app router - go

My web app has URLs at three access levels:
Those accessible by anyone (login page and static assets)
Those accessible regular users and admins who are logged in
Those accessible only by admins who are logged in
I should specify the minimum access level for each URL pattern in my router, so that people below that level are blocked. (I suppose they should get HTTP error 401 or 403.)
How do I best implement these checks so that I don't have to remember to put them in every URL handler function separately (which is very easy to forget)? Ideally I'd like to do something like this:
router.Get("/someRegularPage", regularAccess(handleSomeRegularPage))
router.Get("/someAdminPage", adminAccess(handleSomeAdminPage))
router.Get("/", publicAccess(handleLoginPage))
Is there some semi-standard middleware to do this and how does that work? How hard would it be to write my own?
Additionally, it would be great if the default permission was to deny access to everybody in case I forget to specify the access level for some URL. A compiler warning or error would be ideal.

Writing your own is not hard. Assuming you store your admin token in an environment variable called ADMINTOKEN :
func AdminOnly(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
return func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, Authorization")
if r.Method == "OPTIONS" {
f(w, r)
return
}
h := r.Header.Get("Authorization")
token := strings.TrimPrefix(h, "Bearer ")
if token == os.Getenv("ADMINTOKEN") {
f(w, r)
return
}
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
}
}
OPTIONS method may have to be authorized regardless because of CORS.

The short answer is to write middleware to handle authorization. A longer answer that may help you out just as much in the long run would be to use appropriate routing paths for your endpoints alongside that middleware. For instance, you could prefix all of your admin routes with /api/admin and then wrap the router for individual routes after that with the relevant admin-auth middleware.

Related

Difference between middleware chi.Use vs chi.With

What is the difference between chi.Use and chi.With when setting up a middleware with Chi router.
Use must be declared before all routes under the same group, whereas r.With allows you to "inline" middlewares.
As a matter of fact, the function signatures are different. Use returns nothing, With returns a chi.Router.
Let's say you have a route and want to add a middleware only to one of them, you would use r.With:
r.Route("/myroute", func(r chi.Router) {
r.Use(someMiddleware) // can declare it here
r.Get("/bar", handlerBar)
r.Put("/baz", handlerBaz)
// r.Use(someMiddleware) // can NOT declare it here
}
r.Route("/other-route", func(r chi.Router) {
r.Get("/alpha", handlerBar)
r.Put("/beta", handlerBaz)
r.With(someMiddleware).Get("/gamma", handlerQuux)
}
In the first example, someMiddleware is declared for all sub-routes, whereas in the second example r.With allows you to add a middleware only for the /other-route/gamma route.
According to the documentation of chi.Use and chi.With.
Use appends a middleware handler to the Mux middleware stack.
The middleware stack for any Mux will execute before searching for a matching route to a specific handler, which provides opportunity to respond early, change the course of the request execution, or set request-scoped values for the next http.Handler.
With adds inline middlewares for an endpoint handler.
Let see how chi.Use and chi.With example
The use case is pretty straight forward with chi.Use the registered middleware will run before all the routes handler which are register with the Router
r := chi.NewRouter()
r.Use(middleware.Logger)
r.Get("/", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("welcome"))
})
http.ListenAndServe(":3000", r)
For eg: here Logger middleware will be called before all the register routes handler.
whereas with chi.With you are returned new route on which the middleware would be ran so if any routes is registered on the returned Router the registered middleware will run. Here the use case is very specific suppose if you want to run a specific middleware for a group of routes or want to perform some operation for specific routes then for the case you can use chi.Use
r.Route("/articles", func(r chi.Router) {
r.With(paginate).Get("/", listArticles) // GET /articles
r.With(paginate).Get("/{month}-{day}-{year}", listArticlesByDate) // GET /articles/01-16-2017
r.Post("/", createArticle) // POST /articles
r.Get("/search", searchArticles) // GET /articles/search
// Regexp url parameters:
r.Get("/{articleSlug:[a-z-]+}", getArticleBySlug) // GET /articles/home-is-toronto
// Subrouters:
r.Route("/{articleID}", func(r chi.Router) {
r.Use(ArticleCtx)
r.Get("/", getArticle) // GET /articles/123
r.Put("/", updateArticle) // PUT /articles/123
r.Delete("/", deleteArticle) // DELETE /articles/123
})
})
In the above example the paginate middleware will only be called for all the articles with /articles/ and /{month}-{day}-{year} day wise route for other routes chi.With won't be called if there any middlware registered with chi.Use over main route then that would be called.

show static image based on users in golang gin

I'm using the Gin framework. I have a database that contains some course info. Users can register in the courses and access the contents. The contents are image, video, and audio.
I store the relative location of these contents in my database like this:
Content\Courses\CourseOne\Unit_1\image\1.jpg
and change it to the actual location in gin:
route := gin.Default()
route.Static("/Content","./Media")
Everything works fine, but I am looking for a way to authenticate users before accessing the contents. In the above-mentioned way, all users can access any data by changing the desired pattern's address. But I want if the user is registered in the course, be able to access data, otherwise, get a 404 error.
how can I do that?
Edit
since it was asked to explain the implementation of authentication:
I used JWT for authentication. so each user has a HashID.
I have a table called UserCourses and the user info would be inserted after purchasing a course.
this is my course route:
route.GET("api/v1/courses", handler.GetCourses)
and my handler:
func GetCourses(context *gin.Context) {
hashID, status, err := repository.GetToken(context)
if err != nil {
context.IndentedJSON(status, err)
return
}
courses := make([]model.CourseAPI, 0)
userInfo := model.Users{HashID: hashID}
err = repository.DatabaseInstance.GetCourses(&courses, &userInfo)
if err != nil {
context.IndentedJSON(http.StatusServiceUnavailable, err)
return
}
context.IndentedJSON(http.StatusOK, gin.H{"courses": courses})
}
The JWT token is passed by the client in the header. so I get the token and validate it. The token contains the user HashID and I check for that HashID in the UserCourses table. besides the course info, there is a variable called isRegistered.if the HashID was registered for any course in UserCourses table,the isRegistered become true for that course otherwise false.
You can create group route and apply authentication middleware through it
r = gin.Default()
// public routes
r.GET("public", publicHandler)
// routes group
auth = r.Group("/")
// authentication middleware within group
auth.Use(AuthMiddleware())
// route before which auth middleware will be run
auth.Static("/Content","./Media")

Attach middleware to routes mounted to the router

This might just be because of my inexperience, but I've taken over a webserver solution written in Go and I have some issues.
The routing is set up in such a way that each "top" route is mounted to the router with router.Mount() with a handler attached to each mounted route. Example:
router.Mount("/group", (handler.NewGroupHandler(groupSrv, render)).Router())
So, within this mounted route I want to add a middleware to get a specific URL parameter. I've tried around, and followed this guide https://medium.com/#szablowska.patrycja/chi-and-missing-urlparam-in-middleware-9435c48a063b which seems to have worked for other. However, this haven't worked for me, which I now suspect is because of the approach with mounting.
The idea of the middleware is quite simple, just check the URL param against some requirements. I could of course do this manually in every path, but a middleware would be better both for readability and future development. How the middleware is written:
func GroupMiddleware() func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
fn := func(w http.ResponseWriter, r *http.Request) {
groupIDStr := chi.URLParam(r, "group_id")
if checkAgainstGroupID {
// Do something, raise error
} else {
next.ServeHTTP(w, r)
}
}
return http.HandlerFunc(fn)
}
}
And then applied like this:
r.With(subhandler.GroupMiddleware).Route("/{group_id}", func(r chi.Router) {
r.Get("/", h.get)
})
Which obviously doesn't work. Any help would be appreciated because I can't believe that mounting routes makes it impossible to add middleware to subgroups.
Edit: This worked perfectly, it was just me that didn't register that I called an unaffected route. So in case someone else should end up with this same question, know that this actually is a valid approach.

Getting JWT data in Gorilla CustomLoggingHandler

I am using a custom logging handler in my Go web server like this:
func main() {
// ... Set up everything
router = mux.NewRouter()
router.Handle("/apilookup",
raven.Recoverer(
jwtMiddleware.Handler(
http.HandlerFunc(
doApiLookup)))).Methods("GET")
loggedRouter := handlers.CustomLoggingHandler(os.Stdout, router, writeLog)
http.ListenAndServe(listenAddr, loggedRouter)
}
In the writeLog function, I have made my own version of the Gorilla handlers.LoggingHandler, which logs a lot of additional information.
One thing I would like to do is log the user for authenticated requests. Users authenticate to this server using JWT (using the Authorization: Bearer ... header). I am using Auth0's go-jwt-middleware to parse the token and set its value in the Request's context.
I tried to log the user's email address (one of the claims in the JWT) like this, based on the middleware's documentation:
func writeLog(writer io.Writer, params handlers.LogFormatterParams) {
// ... SNIP
// If we can't identify the user
username := "-"
if userJwt := params.Request.Context().Value("user"); userJwt != nil {
claims := userJwt.(*jwt.Token).Claims.(*jwtClaims)
username = claims.Email
}
// ... SNIP
}
The problem is that username is always the initial value - and not the expected value from the JWT.
By adding log.Printf("%+v\n", params.Request.Context()) above the if, I see that the context doesn't actually contain the parsed JWT data here.
As far as I can tell, the reason this is not working is because the middleware creates a new Request with the updated context, so only middleware further down the chain can see it. Because the logging middleware is above the JWT middleware, it does not have that same context.
I know that I can re-parse the JWT in the logging handler (because I do have access to all the headers), but that seems like a lot of overhead for logging.
Is there a better way to do this that will allow me to have access to this data where I want it?

Golang request middleware library?

I'm using gorrilla mux for my mux for my routing setup.
Is there any open source library that will provide some sort of request middleware?
router.HandleFunc("/products", GetProducts).Methods("GET")
So currently I have the GetProducts function that will return the products etc.
But this is a REST api that I am building, so I have to handle things like loading the user, verifying the 'api token' for the request etc.
I don't want to do this for each and every method so I was hoping I there was some request middleware when I can do this before/after execution, along with adding things like User, Permissions to the context in each middleware function.
You can use Go Gin HTTP web framework that supports middlewares as well as you want:
Using middleware:
func main() {
// Creates a router without any middleware by default
r := gin.New()
// Global middleware
// Logger middleware will write the logs to gin.DefaultWriter even you set with GIN_MODE=release.
// By default gin.DefaultWriter = os.Stdout
r.Use(gin.Logger())
// Recovery middleware recovers from any panics and writes a 500 if there was one.
r.Use(gin.Recovery())
// Per route middleware, you can add as many as you desire.
r.GET("/benchmark", MyBenchLogger(), benchEndpoint)
// Authorization group
// authorized := r.Group("/", AuthRequired())
// exactly the same as:
authorized := r.Group("/")
// per group middleware! in this case we use the custom created
// AuthRequired() middleware just in the "authorized" group.
authorized.Use(AuthRequired())
{
authorized.POST("/login", loginEndpoint)
authorized.POST("/submit", submitEndpoint)
authorized.POST("/read", readEndpoint)
// nested group
testing := authorized.Group("testing")
testing.GET("/analytics", analyticsEndpoint)
}
// Listen and serve on 0.0.0.0:8080
r.Run(":8080")
}

Resources