In this post I'm going to describe how we can limit user access to a specific URL in a Go web application. I will use the chi router, a lightweight, idiomatic and composable router for building Go HTTP services.
Let's create our main package.
```go
package main

import (
	"log"
	"net/http"

	"github.com/go-chi/chi"
)

func main() {
	r := chi.NewRouter()
	r.Get("/", homePageHandler)
	r.Get("/admin", adminPageHandler)
	// Report a failed listen (for example, port already in use) instead of exiting silently.
	log.Fatal(http.ListenAndServe(":3000", r))
}

func homePageHandler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("This is home page"))
}

func adminPageHandler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("This is admin page"))
}
```
After this, if we go to the /admin page, we will see "This is admin page".
Now, let's make this path accessible only to admins.
We have to replace
```go
r.Get("/admin", adminPageHandler)
```
with
```go
r.Mount("/admin", adminRouter())
```
Mount attaches another http.Handler or chi Router as a subrouter along a routing path.
Then we have to attach the middleware inside the adminRouter() function.
```go
func adminRouter() http.Handler {
	r := chi.NewRouter()
	// Middleware with access rules for this router; it runs before every route registered below.
	r.Use(AdminOnly)
	r.Get("/", adminPageHandler)
	return r
}
```
This middleware performs a simple check of whether the user is authorized to access the page.
```go
func AdminOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// If the user is an admin, allow access.
		if IsLoggedInAdmin(r) {
			next.ServeHTTP(w, r)
		} else {
			// Otherwise, 403.
			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
		}
	})
}
```
For the sake of demonstration, I'm just going to use a random bool function to decide whether the user is an admin or not. You can modify this function according to your user authentication model.
```go
// Demo placeholder only: requires "math/rand" in the import block.
func IsLoggedInAdmin(r *http.Request) bool {
	return rand.Float32() < 0.5
}
```
And that's it. Looks really simple, doesn't it?
Let's go to the /admin page again.
As you can see, sometimes (depending on our random decider) the user no longer has access to this page.
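As an added example (not code from the original post), here is one way to replace the random decider with a deterministic check and verify that AdminOnly fails closed. It uses only net/http so it runs without dependencies; the middleware has the same func(http.Handler) http.Handler shape that chi's r.Use accepts. The Authenticate middleware, the ctxKey type, the sessions map with its tokens, and the statusFor helper are all assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type ctxKey struct{} // private context key for the authenticated role
// Constructed sample session store (token -> role); a real app would query its session backend.
var sessions = map[string]string{"tok-alice": "admin", "tok-bob": "member"}

// Authenticate (hypothetical) resolves the "session" cookie and stores the role in the request context.
func Authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err == nil && sessions[c.Value] != "" {
			r = r.WithContext(context.WithValue(r.Context(), ctxKey{}, sessions[c.Value]))
		}
		next.ServeHTTP(w, r)
	})
}

// IsLoggedInAdmin fails closed: a missing or non-admin role in the context yields false.
func IsLoggedInAdmin(r *http.Request) bool {
	role, _ := r.Context().Value(ctxKey{}).(string)
	return role == "admin"
}

func AdminOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsLoggedInAdmin(r) {
			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor requests /admin with the given Cookie header ("" presents no session) and returns the status.
func statusFor(cookie string) int {
	admin := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // stands in for adminPageHandler, replies 200
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	req.Header.Set("Cookie", cookie)
	rec := httptest.NewRecorder()
	Authenticate(AdminOnly(admin)).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor("session=tok-alice"), statusFor("session=tok-bob"), statusFor("")) }
```

Authenticate must wrap AdminOnly (or be registered with r.Use before it), otherwise the context never carries a role and every request is rejected.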
You can find source code here