douzhao6584 2018-04-09 02:15
Views: 77
Accepted

Best way to check user permissions in a Go web app router

My web app has URLs at three access levels:

  • Those accessible by anyone (login page and static assets)
  • Those accessible to regular users and admins who are logged in
  • Those accessible only by admins who are logged in

I should specify the minimum access level for each URL pattern in my router, so that people below that level are blocked. (I suppose they should get HTTP error 401 or 403.)

How do I best implement these checks so that I don't have to remember to put them in every URL handler function separately (which is very easy to forget)? Ideally I'd like to do something like this:

router.Get("/someRegularPage", regularAccess(handleSomeRegularPage))
router.Get("/someAdminPage", adminAccess(handleSomeAdminPage))
router.Get("/", publicAccess(handleLoginPage))

Is there some semi-standard middleware to do this and how does that work? How hard would it be to write my own?

Additionally, it would be great if the default permission was to deny access to everybody in case I forget to specify the access level for some URL. A compiler warning or error would be ideal.
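One way to get the three levels, the 401/403 split and the default-deny property asked for above, written here as an added example rather than code from the question or either answer. It assumes a constructed `X-Demo-Role` request header standing in for a real session or token lookup, a hypothetical `Router` type whose only registration method takes a `Level`, and the route names from the question. Paths are matched exactly for brevity, so anything not registered gets a 404 instead of silently inheriting a handler.

```go
package main

import (
	"fmt"
	"net/http"
)

// Level is the minimum access level a route requires. Order matters: a caller
// at level L may reach any route whose minimum is <= L.
type Level int

const (
	Public Level = iota // anyone, logged in or not
	User                // any logged-in account
	Admin               // logged-in admins only
)

// Principal describes the caller. The zero value is an anonymous visitor.
type Principal struct {
	LoggedIn bool
	Level    Level
}

// identify resolves the caller from the request. This is a stand-in for a real
// session or token lookup: the constructed X-Demo-Role header ("user" or
// "admin") decides the principal, and anything else is anonymous.
func identify(r *http.Request) Principal {
	switch r.Header.Get("X-Demo-Role") {
	case "admin":
		return Principal{LoggedIn: true, Level: Admin}
	case "user":
		return Principal{LoggedIn: true, Level: User}
	}
	return Principal{}
}

// requireLevel is the middleware. Anonymous callers below the minimum get
// 401 (they can still log in); logged-in callers below it get 403.
func requireLevel(minLevel Level, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := identify(r)
		switch {
		case p.Level >= minLevel:
			next.ServeHTTP(w, r)
		case !p.LoggedIn:
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		default:
			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
		}
	})
}

// Router is the only way routes get registered, and Handle has no variant
// without a Level, so a route with no declared level is a compile error, not
// an open endpoint. Paths are matched exactly; unregistered paths get 404.
type Router struct {
	routes map[string]http.Handler
}

func NewRouter() *Router {
	return &Router{routes: map[string]http.Handler{}}
}

// Handle registers h for path and wraps it with the level check at
// registration time, so the handler body never has to remember it.
func (rt *Router) Handle(path string, minLevel Level, h http.HandlerFunc) {
	rt.routes[path] = requireLevel(minLevel, h)
}

func (rt *Router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	h, ok := rt.routes[r.URL.Path]
	if !ok {
		http.NotFound(w, r)
		return
	}
	h.ServeHTTP(w, r)
}

// BuildDemoRouter wires the three routes from the question.
func BuildDemoRouter() *Router {
	rt := NewRouter()
	rt.Handle("/", Public, func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "login page") })
	rt.Handle("/someRegularPage", User, func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "regular page") })
	rt.Handle("/someAdminPage", Admin, func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "admin page") })
	return rt
}

func main() {
	// Listens on :8080; send "X-Demo-Role: admin" to reach /someAdminPage.
	http.ListenAndServe(":8080", BuildDemoRouter())
}
```

The compile-time guarantee comes from the type signature alone: there is no `Handle(path, handler)` without a `Level`, so the "I forgot to specify the access level" case cannot be written. Replace `identify` with your real session check; the rest of the wiring stays the same.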


2 answers

  • dongyi9484 2018-04-09 02:33

    Writing your own is not hard. Assuming you store your admin token in an environment variable called ADMINTOKEN:

    package main

    import (
        "crypto/subtle"
        "net/http"
        "os"
        "strings"
    )

    // AdminOnly wraps a handler so that only requests carrying the admin bearer
    // token reach it. OPTIONS is passed through because CORS preflight requests
    // arrive without credentials.
    func AdminOnly(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
        return func(w http.ResponseWriter, r *http.Request) {
            w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, Authorization")
            if r.Method == "OPTIONS" {
                f(w, r)
                return
            }

            h := r.Header.Get("Authorization")
            token := strings.TrimPrefix(h, "Bearer ")
            want := os.Getenv("ADMINTOKEN")
            // An unset ADMINTOKEN must not become an empty token that every request
            // matches, and the comparison is constant-time so it does not leak how
            // many leading bytes of a guess were right.
            if want != "" && subtle.ConstantTimeCompare([]byte(token), []byte(want)) == 1 {
                f(w, r)
                return
            }

            http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
        }
    }
    

    The OPTIONS method may have to be authorized regardless because of CORS.

    This answer was selected as the best answer by the asker.