
Create permission middleware for templates #28


@amorindev

Description

Implement a middleware called RequirePermissions to protect web routes (templates) based on permissions defined in the system.

  1. RequirePermissions Middleware

    • A middleware must be created called RequirePermissions(permission PermissionName).
  2. Characteristics:

    • It receives a parameter of type PermissionName.
    • Permissions of type PermissionName are defined in: pkg/identity/permissions/domain/domain.go
  3. The middleware must:

    • Retrieve the user claims from the context.
    • Verify that the user has the required permission.
    • If the user does not have the permission, redirect to /sign-in.
  4. Correct Middleware Order

    • The required order must be:
      1. Authenticate / Authorize middleware
      2. RequirePermissions middleware
    • This is necessary because the authentication middleware:
      • validates the JWT,
      • extracts the claims, and
      • inserts the claims into the context.
  5. Middleware Location

    • This middleware is exclusive to web templates (not for JSON APIs).
    • It must be located at: web/shared/api/middlewares/permissions.go
  6. Testing in web/admin/api/handler/handler.go

    • The routes to test are:
      • /admin/home
      • /admin/other
    • In RegisterRoutes inside web/admin/api/handler/handler.go, the middleware must be applied with the permission PAdminAccess.
  7. Complete Flow

    • The user accesses a protected route (for example: http://localhost:8000/v1/admin/home).
    • Authenticate validates the JWT and adds the claims to the context.
    • RequirePermissions(PAdminAccess):
      • Retrieves the claims from the context.
      • Verifies whether the user has the required permission.
      • If not, redirects to /sign-in.
      • If everything is correct, the handler is executed.

Authorization Model: Roles and Permissions

  • Only the administrator user has the PAdminAccess role with all permissions.
  • Permissions are defined in the system.
  • Roles can be created dynamically.
  • Each role contains multiple permissions.
  • The middleware must validate against the user’s final permissions, not directly against the role.
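The complete flow and the authorization model above, as an added example that is not part of this issue or the project's code: a RequirePermissions middleware that reads claims from the context, checks the user's final permission set, and redirects to /sign-in otherwise. The PermissionName and Claims types, the PAdminAccess value, and the context key are assumed shapes standing in for the project's own definitions in pkg/identity/permissions/domain.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// PermissionName stands in for the type in pkg/identity/permissions/domain (assumed shape).
type PermissionName string

const PAdminAccess PermissionName = "admin:access" // constructed value, not the project's

// Claims: assumed shape of what Authenticate stores in the context (final permissions, flattened from roles).
type Claims struct{ Permissions map[PermissionName]struct{} }
func (c *Claims) Has(p PermissionName) bool { _, ok := c.Permissions[p]; return ok }
type claimsKey struct{} // unexported context key, so other packages cannot forge claims

// RequirePermissions redirects to /sign-in unless the claims in the context carry permission.
// Missing claims (Authenticate not run first, or no session) are treated the same as denial.
func RequirePermissions(permission PermissionName) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			claims, ok := r.Context().Value(claimsKey{}).(*Claims)
			if !ok || claims == nil || !claims.Has(permission) {
				http.Redirect(w, r, "/sign-in", http.StatusSeeOther)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// ServeAdminHome sends GET /admin/home through RequirePermissions(PAdminAccess) and returns the
// status: 200 when allowed, 303 (to /sign-in) otherwise. A non-nil c stands in for Authenticate.
func ServeAdminHome(c *Claims) int {
	req := httptest.NewRequest(http.MethodGet, "/admin/home", nil)
	if c != nil {
		req = req.WithContext(context.WithValue(req.Context(), claimsKey{}, c))
	}
	home := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	RequirePermissions(PAdminAccess)(home).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	admin := &Claims{Permissions: map[PermissionName]struct{}{PAdminAccess: {}}}
	fmt.Println(ServeAdminHome(admin), ServeAdminHome(&Claims{}), ServeAdminHome(nil)) // 200 303 303
}
```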

Notes

  • Questions or better solutions should be discussed in the issue comments.
