feat: permissions, middleware authentication, migrations
This commit is contained in:
@@ -88,3 +88,18 @@ func (app *application) invalidAuthenticationTokenResponse(w http.ResponseWriter
|
||||
message := "invalid or missing authentication token"
|
||||
app.errorResponse(w, r, http.StatusUnauthorized, message)
|
||||
}
|
||||
|
||||
func (app *application) authenticationRequiredResponse(w http.ResponseWriter, r *http.Request) {
|
||||
message := "you must be authenticated to access this resource"
|
||||
app.errorResponse(w, r, http.StatusUnauthorized, message)
|
||||
}
|
||||
|
||||
func (app *application) inactiveAccountResponse(w http.ResponseWriter, r *http.Request) {
|
||||
message := "your user account must be activated to access this resource"
|
||||
app.errorResponse(w, r, http.StatusForbidden, message)
|
||||
}
|
||||
|
||||
func (app *application) notPermittedResponse(w http.ResponseWriter, r *http.Request) {
|
||||
message := "your user account doesn't have the necessary permissions to access this resource"
|
||||
app.errorResponse(w, r, http.StatusForbidden, message)
|
||||
}
|
||||
|
||||
@@ -181,3 +181,66 @@ func (app *application) authenticate(next http.Handler) http.Handler {
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
// anonymous.
|
||||
func (app *application) requireAuthenticatedUser(next http.HandlerFunc) http.HandlerFunc {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
user := app.contextGetUser(r)
|
||||
|
||||
if user.IsAnonymous() {
|
||||
app.authenticationRequiredResponse(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
// Checks that a user is both authenticated and activated.
|
||||
func (app *application) requireActivatedUser(next http.HandlerFunc) http.HandlerFunc {
|
||||
// Rather than returning this http.HandlerFunc we assign it to the variable fn.
|
||||
fn := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
user := app.contextGetUser(r)
|
||||
|
||||
// Check that a user is activated.
|
||||
if !user.Activated {
|
||||
app.inactiveAccountResponse(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
|
||||
// Wrap fn with the requireAuthenticatedUser() middleware before returning it.
|
||||
return app.requireAuthenticatedUser(fn)
|
||||
}
|
||||
|
||||
// Note that the first parameter for the middleware function is the permission code that
|
||||
// we require the user to have.
|
||||
func (app *application) requirePermission(code string, next http.HandlerFunc) http.HandlerFunc {
|
||||
fn := func(w http.ResponseWriter, r *http.Request) {
|
||||
// Retrieve the user from the request context.
|
||||
user := app.contextGetUser(r)
|
||||
|
||||
// Get the slice of permissions for the user.
|
||||
permissions, err := app.models.Permissions.GetAllForUser(user.ID)
|
||||
if err != nil {
|
||||
app.serverErrorResponse(w, r, err)
|
||||
return
|
||||
}
|
||||
|
||||
// Check if the slice includes the required permission. If it doesn't, then
|
||||
// return a 403 Forbidden response.
|
||||
if !permissions.Include(code) {
|
||||
app.notPermittedResponse(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// Otherwise they have the required permission so we call the next handler in
|
||||
// the chain.
|
||||
next.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
// Wrap this with the requireActivatedUser() middleware before returning it.
|
||||
return app.requireActivatedUser(fn)
|
||||
}
|
||||
|
||||
@@ -9,24 +9,24 @@ import (
|
||||
func (app *application) routes() http.Handler {
|
||||
router := httprouter.New()
|
||||
|
||||
// Convert the notFoundResponse() helper to a http.Handler using the
|
||||
// http.HandlerFunc() adapter, and then set it as the custom error handler for 404
|
||||
// Not Found responses.
|
||||
router.NotFound = http.HandlerFunc(app.notFoundResponse)
|
||||
|
||||
// Likewise, convert the methodNotAllowedResponse() helper to a http.Handler and set
|
||||
// it as the custom error handler for 405 Method Not Allowed responses.
|
||||
router.MethodNotAllowed = http.HandlerFunc(app.methodNotAllowedResponse)
|
||||
router.HandlerFunc(http.MethodGet, "/v1/movies", app.listMoviesHandler)
|
||||
|
||||
router.HandlerFunc(http.MethodGet, "/v1/healthcheck", app.healthcheckHandler)
|
||||
router.HandlerFunc(http.MethodPost, "/v1/movies", app.createMovieHandler)
|
||||
router.HandlerFunc(http.MethodGet, "/v1/movies/:id", app.showMovieHandler)
|
||||
router.HandlerFunc(http.MethodPatch, "/v1/movies/:id", app.updateMovieHandler)
|
||||
router.HandlerFunc(http.MethodDelete, "/v1/movies/:id", app.deleteMovieHandler)
|
||||
|
||||
// Use the requirePermission() middleware on each of the /v1/movies** endpoints,
|
||||
// passing in the required permission code as the first parameter.
|
||||
router.HandlerFunc(http.MethodGet, "/v1/movies", app.requirePermission("movies:read", app.listMoviesHandler))
|
||||
router.HandlerFunc(http.MethodPost, "/v1/movies", app.requirePermission("movies:write", app.createMovieHandler))
|
||||
router.HandlerFunc(http.MethodGet, "/v1/movies/:id", app.requirePermission("movies:read", app.showMovieHandler))
|
||||
router.HandlerFunc(http.MethodPatch, "/v1/movies/:id", app.requirePermission("movies:write", app.updateMovieHandler))
|
||||
router.HandlerFunc(http.MethodDelete, "/v1/movies/:id", app.requirePermission("movies:write", app.deleteMovieHandler))
|
||||
|
||||
router.HandlerFunc(http.MethodPost, "/v1/users", app.registerUserHandler)
|
||||
router.HandlerFunc(http.MethodPut, "/v1/users/activated", app.activateUserHandler)
|
||||
router.HandlerFunc(http.MethodPost, "/v1/tokens/authentication", app.createAuthenticationTokenHandler)
|
||||
// Wrap the router with the rateLimit() middleware.
|
||||
// Use the authenticate() middleware on all requests.
|
||||
|
||||
router.HandlerFunc(http.MethodPost, "/v1/tokens/authentication",
|
||||
app.createAuthenticationTokenHandler)
|
||||
|
||||
return app.recoverPanic(app.rateLimit(app.authenticate(router)))
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user