How to Control Router Access Permissions in Go Web Apps
In this post I’m going to describe how can we limit user access to the specific url in golang web application. I will use chi router - a lightweight, idiomatic and composable router for building Go HTTP services.
Let’s create our main package.
package main
import (
"net/http"
"github.com/go-chi/chi"
)
func main() {
r := chi.NewRouter()
r.Get("/", homePageHandler)
r.Get("/admin", adminPageHandler)
http.ListenAndServe(":3000", r)
}
func homePageHandler(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("This is home page"))
}
func adminPageHandler(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("This is admin page"))
}
After this, if we go to the /admin page, we will see “This is admin page”.
Now, let’s make this path accessible only for admin.
We have to replace
r.Get("/admin", adminPageHandler)
With
r.Mount("/admin", adminRouter())
Mount attaches another http.Handler or chi Router as a subrouter along a routing path.
Then, we have to attach middleware inside adminRouter() function.
func adminRouter() http.Handler {
r := chi.NewRouter()
// Middleware with access rules for router.
r.Use(AdminOnly)
r.Get("/", adminPageHandler)
return r
}
In this middleware we have a simple check is user authorized to access this page or not.
func AdminOnly(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// If user is admin, allows access.
if IsLoggedInAdmin(r) {
next.ServeHTTP(w, r)
} else {
// Otherwise, 403.
http.Error(w, http.StatusText(403), 403)
return
}
return
})
}
In sake of demonstration, I’m going just to use a random bool function to decide is used admin or not. You can modify this function according to your user authentication model.
func IsLoggedInAdmin(r *http.Request) bool {
return rand.Float32() < 0.5
}
And that’s it. Looks really simple, Isn’t it?
Let’s go to to the /admin page again.
As you see, now, sometimes (depends on our random decider), user has no access to this page anymore.
You can find source code here
Related posts
One of The Easiest Ways to Host your Go Web App
Hello! In this post, I will explain the cost-effective method I use to host my Go web applications with varying levels of complexity, all starting from as low as $5 per month. This method also allows to easy deploy and scale your golang application.
go hosting digitalocean docker
103 Early Hints in Go, or the new Way of How to Improve Performance of a Web Page written in Go
Since Go 1.19 we can use a new 103 (Early Hints) http status code when we create web applications. Let’s figure out how and when this could help us.
We are going to create a simple golang web server that servers some html content. One html page will be served with 103 header and another one without.
After loading comparison we will see how early hints can improve page performance.
Example of how Golang generics minimize the amount of code you need to write
I guess that almost everyone in the go community was exciting when Go 1.18 was released, especially because of generics. Some days ago I decided to try generics in the real-world application, by refactoring some of its pieces, related to a caching logic.
go generics redis cache
Concurrent Map Writing and Reading in Go, or how to deal with the data races.
This time, I will show you how to work with the maps in go effectively and prevent the occurrence of the data race errors. Data races happen when several goroutines access the same resource concurrently and at least one of the accesses is a write.
go concurrent map data race
Ristretto - the Most Performant Concurrent Cache Library for Go
Recently, I discovered a surprisingly reliable memory caching solution, which I’m planning to use in all my further applications to increase performance. In this blog post, I will share some code examples of how you can integrate Ristretto caching library into your application.
go caching ristretto performance