How to Control Router Access Permissions in Go Web Apps
2 min read Go Programming

How to Control Router Access Permissions in Go Web Apps

In this post I’m going to describe how can we limit user access to the specific url in golang web application. I will use chi router - a lightweight, idiomatic and composable router for building Go HTTP services.

Let’s create our main package.

package main

import (
	"net/http"
	"github.com/go-chi/chi"
)

func main() {
  r := chi.NewRouter()

  r.Get("/", homePageHandler)
  r.Get("/admin", adminPageHandler)
  http.ListenAndServe(":3000", r)
}

func homePageHandler(w http.ResponseWriter, r *http.Request) {
  w.Write([]byte("This is home page")) 
}

func adminPageHandler(w http.ResponseWriter, r *http.Request) {
  w.Write([]byte("This is admin page")) 
}

After this, if we go to the /admin page, we will see “This is admin page”.

Now, let’s make this path accessible only for admin.

We have to replace

r.Get("/admin", adminPageHandler) With r.Mount("/admin", adminRouter())

Mount attaches another http.Handler or chi Router as a subrouter along a routing path.

Then, we have to attach middleware inside adminRouter() function.

func adminRouter() http.Handler {
    r := chi.NewRouter()
    // Middleware with access rules for router.
    r.Use(AdminOnly)
    r.Get("/", adminPageHandler)

    return r
}

In this middleware we have a simple check is user authorized to access this page or not.

func AdminOnly(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        // If user is admin, allows access.
        if IsLoggedInAdmin(r) {
            next.ServeHTTP(w, r)
        } else {
            // Otherwise, 403.
            http.Error(w, http.StatusText(403), 403)
            return
        }

        return
    })
}

In sake of demonstration, I’m going just to use a random bool function to decide is used admin or not. You can modify this function according to your user authentication model.

func IsLoggedInAdmin(r *http.Request) bool {
    return rand.Float32() < 0.5
}

And that’s it. Looks really simple, Isn’t it?

Let’s go to to the /admin page again.

As you see, now, sometimes (depends on our random decider), user has no access to this page anymore.

You can find source code here

A

Alex

Passionate about web development and sharing knowledge with the community.

Share on X

You might also like

How to test database interactions in golang applications
2 min read

How to test database interactions in golang applications

Testing of functions with database interactions always was challenging. Recently, I found a wonderful library, which will simplify writing tests and mocking database queries in golang applications a lot. And I want to share a short example of how to work with it.

Read more