In this post I'm going to describe how can we limit user access to the specific url in golang web application. I will use chi router - a lightweight, idiomatic and composable router for building Go HTTP services.

Let's create our main package.

package main

import (
	"net/http"
	"github.com/go-chi/chi"
)

func main() {
  r := chi.NewRouter()

  r.Get("/", homePageHandler)
  r.Get("/admin", adminPageHandler)
  http.ListenAndServe(":3000", r)
}

func homePageHandler(w http.ResponseWriter, r *http.Request) {
  w.Write([]byte("This is home page")) 
}

func adminPageHandler(w http.ResponseWriter, r *http.Request) {
  w.Write([]byte("This is admin page")) 
}

After this, if we go to the /admin page, we will see this:

Now, let's make this path accessible only for admin.

We have to replace

r.Get("/admin", adminPageHandler)

With

r.Mount("/admin", adminRouter())

Mount attaches another http.Handler or chi Router as a subrouter along a routing path.

Then, we have to attach middleware inside adminRouter() function.

func adminRouter() http.Handler {
    r := chi.NewRouter()
    // Middleware with access rules for router.
    r.Use(AdminOnly)
    r.Get("/", adminPageHandler)

    return r
}

In this middleware we have a simple check is user authorized to access this page or not.

func AdminOnly(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        // If user is admin, allows access.
        if IsLoggedInAdmin(r) {
            next.ServeHTTP(w, r)
        } else {
            // Otherwise, 403.
            http.Error(w, http.StatusText(403), 403)
            return
        }

        return
    })
}

In sake of demonstration, I'm going just to use a random bool function to decide is used admin or not. You can modify this function according to your user authentication model.

func IsLoggedInAdmin(r *http.Request) bool {
    return rand.Float32() < 0.5
}

And that's it. Looks really simple, Isn't it?

Let's go to to the /admin page again.

As you see, now, sometimes (depends on our random decider), user has no access to this page anymore.


You can find source code here