Rene Nochebuena
3fcba82448
Runnable REST API exercising every micro-lib tier in a containerless setup: N-layer architecture, SQLite persistence, header-based auth simulating Firebase output, and bit-mask RBAC enforcement. What's included: - cmd/todo-api: minimal main delegating to application.Run - internal/application: full object graph wiring — launcher, sqlite, httpserver, httpmw stack, routes in BeforeStart - internal/domain: User entity, ResourceTodos constant, PermReadTodo/PermWriteTodo bit positions - internal/repository: TodoRepository, UserRepository, DBPermissionProvider (SQLite via modernc) - internal/service: TodoService, UserService with interface-based dependencies - internal/handler: TodoHandler, UserHandler using httputil adapters and valid for input validation - internal/middleware: Auth (X-User-ID → rbac.Identity) and Require (bit-mask permission gate) - logAdapter: bridges logz.Logger.With return type to httpmw.Logger interface - SQLite schema: users, user_role (bitmask), todos; migrations run in BeforeStart - Routes: POST /users (open), GET+POST /todos (RBAC), GET /users (RBAC) Tested-via: todo-api POC integration Reviewed-against: docs/adr/
43 lines
1.2 KiB
Go
43 lines
1.2 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"code.nochebuena.dev/go/rbac"
|
|
)
|
|
|
|
// Require guards a handler: it reads the rbac.Identity from context (set by Auth),
|
|
// resolves the permission mask from the provider, and rejects the request with 403
|
|
// if any of the required permission bits are not set.
|
|
//
|
|
// Must be chained after Auth so that an identity is guaranteed in context.
|
|
func Require(provider rbac.PermissionProvider, resource string, perms ...rbac.Permission) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
identity, ok := rbac.FromContext(r.Context())
|
|
if !ok {
|
|
http.Error(w, `{"code":"PERMISSION_DENIED","message":"no identity in context"}`,
|
|
http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
mask, err := provider.ResolveMask(r.Context(), identity.UID, resource)
|
|
if err != nil {
|
|
http.Error(w, `{"code":"INTERNAL","message":"could not resolve permissions"}`,
|
|
http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
for _, p := range perms {
|
|
if !mask.Has(p) {
|
|
http.Error(w, `{"code":"PERMISSION_DENIED","message":"insufficient permissions"}`,
|
|
http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|