Description
Implement a middleware called RequirePermissions to protect web routes (templates) based on permissions defined in the system.
RequirePermissions Middleware
- A middleware must be created called: RequirePermissions(permission PermissionName)
Characteristics:
- It receives a parameter of type PermissionName.
- Permissions of type PermissionName are defined in: pkg/identity/permissions/domain/domain.go
The middleware must:
- Retrieve the user claims from the context.
- Verify that the user has the required permission.
- If the user does not have the permission, redirect to /sign-in.
Correct Middleware Order
- The required order must be:
  - Authenticate / Authorize middleware
  - RequirePermissions middleware
This is necessary because:
- The authentication middleware validates the JWT.
- It extracts the claims.
- It inserts the claims into the context.
Middleware Location
- This middleware is exclusive to web templates (not for JSON APIs).
- It must be located at: web/shared/api/middlewares/permissions.go
Testing in web/admin/api/handler/handler.go
- The routes to test are:
  - /admin/home
  - /admin/other
- In RegisterRoutes inside web/admin/api/handler/handler.go, the middleware must be applied with the permission: PAdminAccess
Complete Flow
- The user accesses a protected route (for example: http://localhost:8000/v1/admin/home).
- Authenticate validates the JWT and adds the claims to the context.
- RequirePermissions(PAdminAccess):
  - Retrieves the claims from the context.
  - Verifies whether the user has the required permission.
  - If not, redirects to /sign-in.
- If everything is correct, the handler is executed.
Authorization Model: Roles and Permissions
- Only the administrator user has the PAdminAccess role with all permissions.
- Permissions are defined in the system.
- Roles can be created dynamically.
- Each role contains multiple permissions.
- The middleware must validate against the user’s final permissions, not directly against the role.
Notes
- Questions or better solutions should be discussed in the issue comments.
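A sketch of the middleware specified above, added here as an illustration and not the project's own code. It shows the permission check failing closed when Authenticate has not put claims in the context. Assumptions: plain net/http handlers, a flat Permissions slice in the claims, a 303 redirect; Claims, claimsKey, probe and the string value of PAdminAccess are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// PermissionName stands in for the type in pkg/identity/permissions/domain/domain.go.
type PermissionName string

const PAdminAccess PermissionName = "admin_access" // string value assumed

// Claims is hypothetical: the user's final permissions, flattened from all roles.
type Claims struct{ Permissions []PermissionName }

type claimsKey struct{} // hypothetical context key set by Authenticate

// RequirePermissions redirects to /sign-in unless the claims in the request
// context contain the permission. Missing claims yield an empty Claims value,
// so a route registered without Authenticate in front fails closed.
func RequirePermissions(permission PermissionName) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			claims, _ := r.Context().Value(claimsKey{}).(Claims)
			for _, p := range claims.Permissions {
				if p == permission {
					next.ServeHTTP(w, r)
					return
				}
			}
			http.Redirect(w, r, "/sign-in", http.StatusSeeOther) // status code assumed
		})
	}
}

// probe sends one request through the middleware; nil simulates missing claims.
func probe(c *Claims) (int, string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "home") })
	req := httptest.NewRequest(http.MethodGet, "/v1/admin/home", nil)
	if c != nil {
		req = req.WithContext(context.WithValue(req.Context(), claimsKey{}, *c))
	}
	rec := httptest.NewRecorder()
	RequirePermissions(PAdminAccess)(ok).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() { fmt.Println(probe(nil)) }
```
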