How to Control Router Access Permissions in Go Web Apps
23 Dec 2020

How to Control Router Access Permissions in Go Web Apps

In this post I’m going to describe how can we limit user access to the specific url in golang web application. I will use chi router - a lightweight, idiomatic and composable router for building Go HTTP services.

Let’s create our main package.

package main

import (
	"net/http"
	"github.com/go-chi/chi"
)

func main() {
  r := chi.NewRouter()

  r.Get("/", homePageHandler)
  r.Get("/admin", adminPageHandler)
  http.ListenAndServe(":3000", r)
}

func homePageHandler(w http.ResponseWriter, r *http.Request) {
  w.Write([]byte("This is home page")) 
}

func adminPageHandler(w http.ResponseWriter, r *http.Request) {
  w.Write([]byte("This is admin page")) 
}

After this, if we go to the /admin page, we will see “This is admin page”.

Now, let’s make this path accessible only for admin.

We have to replace

r.Get("/admin", adminPageHandler) With r.Mount("/admin", adminRouter())

Mount attaches another http.Handler or chi Router as a subrouter along a routing path.

Then, we have to attach middleware inside adminRouter() function.

func adminRouter() http.Handler {
    r := chi.NewRouter()
    // Middleware with access rules for router.
    r.Use(AdminOnly)
    r.Get("/", adminPageHandler)

    return r
}

In this middleware we have a simple check is user authorized to access this page or not.

func AdminOnly(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        // If user is admin, allows access.
        if IsLoggedInAdmin(r) {
            next.ServeHTTP(w, r)
        } else {
            // Otherwise, 403.
            http.Error(w, http.StatusText(403), 403)
            return
        }

        return
    })
}

In sake of demonstration, I’m going just to use a random bool function to decide is used admin or not. You can modify this function according to your user authentication model.

func IsLoggedInAdmin(r *http.Request) bool {
    return rand.Float32() < 0.5
}

And that’s it. Looks really simple, Isn’t it?

Let’s go to to the /admin page again.

As you see, now, sometimes (depends on our random decider), user has no access to this page anymore.

You can find source code here

Related posts

A Simple Queue Implementation in Golang with channels
12 Jan 2021

A Simple Queue Implementation in Golang with channels

In this post, I’m going to show the way how we can implement a simple queue in Golang, using channels.

go queue channel goroutine
How to Sort Strings With Go Alphabetically in Any Language
4 Jan 2021

How to Sort Strings With Go Alphabetically in Any Language

In this article I’m going to show how easy we can sort strings alphabetically in different languages, using Go. It seems like an easy task if we want to sort English words, however, it’s not so trivial if we want to sort correctly strings with special characters or in other languages, i.e Cyrillic based.

go sorting alphabetical sort
How to test database interactions in golang applications
22 Dec 2020

How to test database interactions in golang applications

Testing of functions with database interactions always was challenging. Recently, I found a wonderful library go-sqlmock which will simplify writing tests and mocking database queries in golang applications a lot.

go testing sql
Go middleware example. How to alter a handler result
20 Dec 2020

Go middleware example. How to alter a handler result

Let’s imagine a situation when you want to alter the result, returned by some http handler to the client. Fortunately, Golang provides an easy mechanism for that, called a middleware. I’m going to dive directly to the source code, to save your time.

go middleware