feat: add permissions on user create, CORS middleware, cors server playground.

2026-04-24 10:55:40 +02:00
parent d629bd52eb
commit 2fd3a1d57b
8 changed files with 179 additions and 3 deletions
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"flag"
 	"os"
+	"strings"
 	"sync"
 	"time"

@@ -48,6 +49,10 @@ type config struct {
 		password string
 		sender   string
 	}
+	// Add a cors struct and trustedOrigins field with the type []string.
+	cors struct {
+		trustedOrigins []string
+	}
 }

 // Define an application struct to hold the dependencies for our HTTP handlers, helpers,
@@ -101,6 +106,17 @@ func main() {
 	flag.StringVar(&cfg.smtp.password, "smtp-password", "d06a774b484ca3", "SMTP password")
 	flag.StringVar(&cfg.smtp.sender, "smtp-sender", "Greenlight <no-reply@greenlight.debuggingjon.dev>", "SMTP sender")

+	// Use the flag.Func() function to process the -cors-trusted-origins command line
+	// flag. In this we use the strings.Fields() function to split the flag value into a
+	// slice based on whitespace characters and assign it to our config struct.
+	// Importantly, if the -cors-trusted-origins flag is not present, contains the empty
+	// string, or contains only whitespace, then strings.Fields() will return an empty
+	// []string slice.
+	flag.Func("cors-trusted-origins", "Trusted CORS origins (space separated)", func(val string) error {
+		cfg.cors.trustedOrigins = strings.Fields(val)
+		return nil
+	})
+
 	flag.Parse()

 	// Call the openDB() helper function (see below) to create the connection pool,
@@ -244,3 +244,30 @@ func (app *application) requirePermission(code string, next http.HandlerFunc) ht
 	// Wrap this with the requireActivatedUser() middleware before returning it.
 	return app.requireActivatedUser(fn)
 }
+
+func (app *application) enableCORS(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Add the "Vary: Origin" header.
+		w.Header().Add("Vary", "Origin")
+
+		// Get the value of the request's Origin header.
+		origin := r.Header.Get("Origin")
+
+		// Only run this if there's an Origin request header present AND at least one
+		// trusted origin is configured.
+		if origin != "" && len(app.config.cors.trustedOrigins) != 0 {
+			// Loop through the list of trusted origins, checking to see if the request
+			// origin exactly matches one of them.
+			for i := range app.config.cors.trustedOrigins {
+				if origin == app.config.cors.trustedOrigins[i] {
+					// If there is a match, then set a "Access-Control-Allow-Origin
+					// response header with the request origin as the value.
+					w.Header().Set("Access-Control-Allow-Origin", origin)
+				}
+			}
+		}
+
+		// Call the next handler in the chain.
+		next.ServeHTTP(w, r)
+	})
+}
@@ -28,5 +28,5 @@ func (app *application) routes() http.Handler {
 	router.HandlerFunc(http.MethodPost, "/v1/tokens/authentication",
 		app.createAuthenticationTokenHandler)

-	return app.recoverPanic(app.rateLimit(app.authenticate(router)))
+	return app.recoverPanic(app.enableCORS(app.rateLimit(app.authenticate(router))))
 }
@@ -63,6 +63,13 @@ func (app *application) registerUserHandler(w http.ResponseWriter, r *http.Reque
 		return
 	}

+	// Add the "movies:read" permission for the new user.
+	err = app.models.Permissions.AddForUser(user.ID, "movies:read")
+	if err != nil {
+		app.serverErrorResponse(w, r, err)
+		return
+	}
+
 	// After the user record has been created in the database, generate a new activation
 	// token for the user.
 	token, err := app.models.Tokens.New(user.ID, 3*24*time.Hour, data.ScopeActivation)
@@ -0,0 +1,58 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+)
+
+// Define a string constant containing the HTML for the webpage. This consists of a <h1>
+// header tag, and some JavaScript which calls our POST /v1/tokens/authentication
+// endpoint and writes the response body to inside the <div id="output"></div> tag.
+const html = `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+</head>
+<body>
+    <h1>Preflight CORS</h1>
+    <div id="output"></div>
+    <script>
+        document.addEventListener('DOMContentLoaded', function() {
+            fetch("http://localhost:4000/v1/tokens/authentication", {
+                method: "POST",
+                headers: {
+                    'Content-Type': 'application/json'
+                },
+                body: JSON.stringify({
+                    email: 'alice@example.com',
+                    password: 'pa55word'
+                })
+            }).then(
+                function (response) {
+                    response.text().then(function (text) {
+                        document.getElementById("output").inner
+t.getElementById("output").innerHTML = text;
+                    });
+                }, 
+                function(err) {
+                    document.getElementById("output").innerHTML = err;
+                }
+            );
+        });
+    </script>
+</body>
+</html>`
+
+func main() {
+	addr := flag.String("addr", ":9000", "Server address")
+	flag.Parse()
+
+	log.Printf("starting server on %s", *addr)
+
+	err := http.ListenAndServe(*addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(html))
+	}))
+	log.Fatal(err)
+}
@@ -0,0 +1,51 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+)
+
+// Define a string constant containing the HTML for the webpage. This consists of a <h1>
+// header tag, and some JavaScript which fetches the JSON from our GET /v1/healthcheck
+// endpoint and writes it to inside the <div id="output"></div> element.
+const html = `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+</head>
+<body>
+    <h1>Simple CORS</h1>
+    <div id="output"></div>
+   <script>
+        document.addEventListener('DOMContentLoaded', function() {
+            fetch("http://localhost:4000/v1/healthcheck").then(
+                function (response) {
+                    response.text().then(function (text) {
+                        document.getElementById("output").innerHTML = text;
+                    });
+                }, 
+                function(err) {
+                    document.getElementById("output").innerHTML = err;
+                }
+            );
+        });
+    </script>
+</body>
+</html>`
+
+func main() {
+	// Make the server address configurable at runtime via a command-line flag.
+	addr := flag.String("addr", ":9000", "Server address")
+	flag.Parse()
+
+	log.Printf("starting server on %s", *addr)
+
+	// Start a HTTP server listening on the given address, which responds to all
+	// requests with the webpage HTML above.
+	err := http.ListenAndServe(*addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(html))
+	}))
+	log.Fatal(err)
+}
@@ -10,8 +10,8 @@ http:
    type: json
    data: |-
      {
-        "name": "Bob",
-        "email": "bob@example.com",
+        "name": "Grace",
+        "email": "grace@example.com",
        "password": "pa55word"
      }
  auth: inherit
@@ -4,6 +4,8 @@ import (
 	"context"
 	"database/sql"
 	"time"
+
+	"github.com/lib/pq"
 )

 // Define a Permissions slice, which we will use to will hold the permission codes (like
@@ -64,3 +66,18 @@ func (m PermissionModel) GetAllForUser(userID int64) (Permissions, error) {

 	return permissions, nil
 }
+
+// AddForUser - Add the provided permission codes for a specific user. Notice that we're using a
+// variadic parameter for the codes so that we can assign multiple permissions in a
+// single call.
+func (m PermissionModel) AddForUser(userID int64, codes ...string) error {
+	query := `
+        INSERT INTO users_permissions
+        SELECT $1, permissions.id FROM permissions WHERE permissions.code = ANY($2)`
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	_, err := m.DB.ExecContext(ctx, query, userID, pq.Array(codes))
+	return err
+}