preface

This is the ninth day of my participation in the Wenwen Challenge. Hi, I am a coder named Sun. In the last article, we talked about JWT validation and improved the login interface logic.

The middleware we develop this time includes:

1. Cross-domain (CORS) middleware
2. Permission authentication middleware (simple implementation)

1. Introduction

Cross-domain middleware: lets the back end accept cross-origin requests from the browser. Permission authentication middleware: determines the user's role from the verified token and whether that role is allowed to call the interface.

2. Cross-domain introduction

A cross-domain (cross-origin) request is one that a page makes to a different origin (scheme, host or port) than the one it was loaded from. The browser's same-origin policy, a security restriction imposed on JavaScript, blocks the page from reading such responses unless the server opts in with CORS response headers. When does the browser issue an OPTIONS preflight request? For a cross-origin request that is not a "simple" request, for example one using PUT or DELETE, a JSON Content-Type, or a custom header such as x-token. The preflight is the server-validation mechanism in CORS: the browser first sends an HTTP OPTIONS request to the resource on the other origin and only sends the actual request if the OPTIONS response indicates that the method and headers are allowed.

3. Cross-domain development

Written in middlewares/cors.go


package middlewares

import (
	"net/http"

	"github.com/gin-gonic/gin"
)

// Cors returns a middleware that adds the CORS response headers and answers
// preflight (OPTIONS) requests directly instead of passing them on.
func Cors() gin.HandlerFunc {
	return func(c *gin.Context) {
		method := c.Request.Method

		c.Header("Access-Control-Allow-Origin", "*")
		c.Header("Access-Control-Allow-Headers", "Content-Type, AccessToken, X-CSRF-Token, Authorization, Token, x-token")
		c.Header("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PATCH, PUT")
		c.Header("Access-Control-Expose-Headers", "Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type")
		// Caveat: browsers refuse to honour Allow-Credentials: true together with
		// Allow-Origin: "*", so cookie-based cross-origin calls will fail with this
		// configuration. The x-token header used here is not a browser credential,
		// so the token flow still works. Replace "*" with a vetted origin list
		// before going to production.
		c.Header("Access-Control-Allow-Credentials", "true")

		// A preflight request needs no further handling: answer it with 204
		// and stop the remaining handlers from running.
		if method == "OPTIONS" {
			c.AbortWithStatus(http.StatusNoContent)
			return
		}

		c.Next()
	}
}

PS: 1. The agreed CORS headers are added to the response. 2. If the request method is OPTIONS (a preflight), 204 No Content is returned and the remaining handlers are skipped.
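The middleware above opens the API to every origin. As an added example (not code from the original article), the same middleware is written below with an origin allow-list: it echoes a vetted origin instead of "*", answers preflights before they reach the JWT handlers, and rejects unknown origins. It is written on plain net/http so that it runs without Gin; the allow-list, the probeCORS helper and the origins in it are constructed for the example, and in the Gin version the same logic would read c.Request and write through c.Writer.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allow-list for this example; a real
// service would load it from configuration.
var allowedOrigins = map[string]bool{
	"https://app.example.com": true,
	"http://localhost:8080":   true,
}

// corsHeaders returns the CORS response headers for a vetted origin, or nil
// for any other origin so the browser never sees Access-Control-Allow-Origin
// and blocks the cross-origin read.
func corsHeaders(origin string) http.Header {
	if !allowedOrigins[origin] {
		return nil
	}
	h := http.Header{}
	// Echo the specific origin rather than "*": browsers reject the
	// combination "*" + Allow-Credentials: true, and "*" would let any
	// site read the response.
	h.Set("Access-Control-Allow-Origin", origin)
	// The response now depends on the Origin header; tell caches so.
	h.Set("Vary", "Origin")
	h.Set("Access-Control-Allow-Credentials", "true")
	h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
	// x-token is the header the JWT middleware reads; list it explicitly.
	h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization, x-token")
	// Let the browser cache the preflight result for ten minutes.
	h.Set("Access-Control-Max-Age", "600")
	return h
}

// CORS wraps next with the behaviour the Gin middleware provides, on plain
// net/http so the example runs without Gin.
func CORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			// Same-origin or non-browser client: nothing to do.
			next.ServeHTTP(w, r)
			return
		}
		h := corsHeaders(origin)
		for k, v := range h {
			w.Header()[k] = v
		}
		isPreflight := r.Method == http.MethodOptions &&
			r.Header.Get("Access-Control-Request-Method") != ""
		if isPreflight {
			// Answer the preflight here; it must never reach the JWT or
			// admin handlers, which would reject it for lacking a token.
			if h == nil {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probeCORS sends one request through CORS and returns the recorded
// response; preflightFor, when non-empty, turns the request into a preflight.
func probeCORS(method, origin, preflightFor string) *httptest.ResponseRecorder {
	handler := CORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"msg":"ok"}`)
	}))
	req := httptest.NewRequest(method, "/user/list", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if preflightFor != "" {
		req.Header.Set("Access-Control-Request-Method", preflightFor)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec
}

func main() {
	for _, tc := range [][3]string{
		{"OPTIONS", "https://app.example.com", "GET"}, // allowed preflight: 204
		{"OPTIONS", "https://evil.example", "GET"},    // rejected preflight: 403
		{"GET", "https://evil.example", ""},           // served, but without ACAO
	} {
		rec := probeCORS(tc[0], tc[1], tc[2])
		fmt.Printf("%-7s %-24s -> %d ACAO=%q\n", tc[0], tc[1], rec.Code,
			rec.Header().Get("Access-Control-Allow-Origin"))
	}
}
```

Note the third case: a plain GET from an unknown origin is still served with 200. CORS only controls whether the browser lets the page read the response; it is not access control, which is what the JWT and admin middleware below are for.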

4. Use cross-domain middleware

Add to the Router function of Initialize/Router

    // Set up cross-domain middleware
    Router.Use(middlewares.Cors())

5. IsAdminAuth middleware development

Add in middlewares/admin.go

package middlewares

import (
	"net/http"

	"github.com/gin-gonic/gin"
)

// IsAdminAuth checks that the caller authenticated by JWTAuth has the admin role.
// It relies on JWTAuth (previous article) having stored the parsed *CustomClaims
// in the context under the key "claims".
func IsAdminAuth() gin.HandlerFunc {
	return func(ctx *gin.Context) {
		// Obtain the claims that JWTAuth stored in the context
		claims, exists := ctx.Get("claims")
		currentUser, ok := claims.(*CustomClaims)
		if !exists || !ok || currentUser == nil {
			// JWTAuth did not run before us, or stored nothing: fail closed
			// instead of panicking on an unchecked type assertion
			ctx.JSON(http.StatusUnauthorized, gin.H{"msg": "Not authenticated"})
			ctx.Abort()
			return
		}

		// Check role permissions: AuthorityId 1 is the admin role
		if currentUser.AuthorityId != 1 {
			ctx.JSON(http.StatusForbidden, gin.H{"msg": "User does not have permission"})
			// Interrupt the following handlers
			ctx.Abort()
			return
		}
		// Continue with the next handler
		ctx.Next()
	}
}

PS: the principle is to read the AuthorityId from the verified token's claims and compare it with the admin role.

6. Use the IsAdminAuth middleware

Add it to router/user.go

UserRouter.GET("/list", middlewares.JWTAuth(), middlewares.IsAdminAuth(), api.GetUserList)

Note that the JWT middleware must come before IsAdminAuth: IsAdminAuth reads the claims that JWTAuth stores in the context, so if the order is reversed (or JWTAuth is left out of a route) there is nothing to check and the request must be refused.
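To show the role check and the ordering rule together, here is an added example (not code from the original article) of the same admin check on plain net/http, so it runs without Gin. The CustomClaims struct stands in for the claims type of the previous article's JWT middleware and models only the field the check reads; withClaims simulates what the JWT middleware stores after a successful verification, and probeAdmin with nil claims simulates a route where JWTAuth was forgotten. All of these names are assumptions of the example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CustomClaims stands in for the JWT claims struct of the previous article;
// only the field the role check reads is modelled here (assumption).
type CustomClaims struct {
	ID          uint
	Username    string
	AuthorityId uint
}

// AdminAuthorityID is the role value the article treats as administrator.
const AdminAuthorityID uint = 1

// ctxKey is an unexported context key type, so no other package can plant
// a "claims" value that this check would trust.
type ctxKey struct{}

// withClaims does what the JWT middleware does after a successful signature
// check: it attaches the parsed claims for downstream handlers.
func withClaims(r *http.Request, c *CustomClaims) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, c))
}

// IsAdmin lets a request through only if verified claims are present and
// carry the admin role; absent claims mean the JWT middleware did not run.
func IsAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, ok := r.Context().Value(ctxKey{}).(*CustomClaims)
		if !ok || claims == nil {
			// Wrong middleware order (or no token verified): fail closed
			// with 401 instead of panicking on a nil type assertion.
			http.Error(w, `{"msg":"not authenticated"}`, http.StatusUnauthorized)
			return
		}
		if claims.AuthorityId != AdminAuthorityID {
			http.Error(w, `{"msg":"User does not have permission"}`, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probeAdmin sends GET /user/list through IsAdmin with the given claims
// (nil simulates a route where JWTAuth was left out) and returns the status.
func probeAdmin(c *CustomClaims) int {
	handler := IsAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"msg":"user list"}`)
	}))
	req := httptest.NewRequest(http.MethodGet, "/user/list", nil)
	if c != nil {
		req = withClaims(req, c)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("no JWT middleware:", probeAdmin(nil))                              // 401
	fmt.Println("AuthorityId 2    :", probeAdmin(&CustomClaims{AuthorityId: 2}))    // 403
	fmt.Println("AuthorityId 1    :", probeAdmin(&CustomClaims{AuthorityId: 1}))    // 200
}
```

The 401 for missing claims is the part worth copying into the Gin version: a route that accidentally lists IsAdminAuth without JWTAuth then fails closed instead of panicking or, worse, passing.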

Finally: verification of the results

To test the IsAdminAuth middleware, call /user/list as a user whose AuthorityId is 2. The request must carry the x-token header so that JWTAuth runs first; the expected response is 403 with the message "User does not have permission".

If you found these articles useful, please give them a thumbs up and leave a comment.