docs: http handler: authentication & permissions
Opened this issue · 2 comments
lrstanley commented
fill out and complete the associated documentation for the page in question.
wj-stack commented
I have some roles and data; how do I resolve data permissions for different roles? I hope for a best practice.
lrstanley commented
@wj-stack I have yet to write the documentation of course, however, my general recommendation is below. Note that until I have proper docs, this might be lacking in information, so sorry if it's not super helpful.
- As part of your authentication, insert the identity into the request context before it gets to Ent. Some examples:
  - JWT on a per-request basis as an HTTP middleware, matching to an identity or role.
  - Cookies on an out-of-bounds authentication flow, and an HTTP middleware that reads those cookies and does session validation, matching to an identity or role.
- In Ent, use the privacy feature. Pull the authentication/authorization information out of the context for validation.
  - This project does not use entrest at the moment, but the privacy feature still applies for authz/authn logic.
  - Example of a schema that is protected: https://github.com/lrstanley/spectrograph/blob/c01e7cb127ae9b1db2605218e463eb075e3517c6/internal/database/schema/guild_event.go#L44-L57
  - Privacy helpers that can be strung together to control access: https://github.com/lrstanley/spectrograph/blob/c01e7cb127ae9b1db2605218e463eb075e3517c6/internal/database/schema/helpers.go#L41-L141
  - This project uses one of my other projects, chix, for auth and storing data in the context; however, you could do the inserting into context yourself quite easily.
- For all non-request based database calls, you'll need to bypass authentication (unless you have a `SYSTEM` user or similar you could map things to). You can do this by telling the privacy layer to explicitly allow the query, skipping all privacy layer checks. Example: `ctx = privacy.DecisionContext(ctx, privacy.Allow)`

Another project, which is using entrest and authentication (though nothing crazy; it's my personal site, so there is only admin or unauthenticated), if you want to poke around: https://github.com/lrstanley/liam.sh/blob/master/internal/database/schema/schema_post.go#L149-L159
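The three steps in the comment above (middleware puts the identity in the context, rules pull it back out and return allow/deny/skip, background jobs bypass the rules with an explicit decision) as one runnable example. This is added here and is not code from the thread, from spectrograph, chix, entrest or Ent. It uses only the Go standard library: the `ErrAllow`/`ErrDeny`/`ErrSkip` sentinels, the `Rule` shape and `DecisionContext` are stand-ins modelled on Ent's privacy package, and the session table, cookie name and record owner are constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Identity is what the auth middleware stores in the request context.
// Constructed for this example; not chix's or Ent's own type.
type Identity struct {
	UserID string
	Role   string
}

type ctxKey int

const (
	identityKey ctxKey = iota
	decisionKey
)

// Decisions modelled on Ent's privacy package: Allow and Deny end rule
// evaluation, Skip hands control to the next rule.
var (
	ErrAllow = errors.New("privacy: allow")
	ErrDeny  = errors.New("privacy: deny")
	ErrSkip  = errors.New("privacy: skip")
)

// Constructed session store (cookie value -> identity). A real service would
// validate a JWT or look the session up in a store here.
var sessions = map[string]Identity{
	"sess-alice": {UserID: "alice", Role: "admin"},
	"sess-bob":   {UserID: "bob", Role: "member"},
}

func WithIdentity(ctx context.Context, id Identity) context.Context {
	return context.WithValue(ctx, identityKey, id)
}

func IdentityFromContext(ctx context.Context) (Identity, bool) {
	id, ok := ctx.Value(identityKey).(Identity)
	return id, ok
}

// DecisionContext is the stand-in for privacy.DecisionContext: an explicit
// decision placed here short-circuits every rule (for cron jobs, migrations).
func DecisionContext(ctx context.Context, decision error) context.Context {
	return context.WithValue(ctx, decisionKey, decision)
}

// AuthMiddleware validates the session cookie and inserts the identity into
// the context before the handler (and the database layer) runs. Requests
// without a valid session carry no identity; the policy decides what they may do.
func AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err == nil {
			if id, ok := sessions[c.Value]; ok {
				r = r.WithContext(WithIdentity(r.Context(), id))
			}
		}
		next.ServeHTTP(w, r)
	})
}

// Rule mirrors the shape of an Ent privacy rule: read the context and return
// Allow, Deny or Skip. Ent rules also receive the query or mutation.
type Rule func(ctx context.Context, owner string) error

// Read policy for an owned record, evaluated in order; the last rule is a
// default deny so unauthenticated or unmatched callers are refused.
var readRules = []Rule{
	func(ctx context.Context, _ string) error { // admins read everything
		if id, ok := IdentityFromContext(ctx); ok && id.Role == "admin" {
			return ErrAllow
		}
		return ErrSkip
	},
	func(ctx context.Context, owner string) error { // members read their own
		if id, ok := IdentityFromContext(ctx); ok && id.UserID == owner {
			return ErrAllow
		}
		return ErrSkip
	},
	func(context.Context, string) error { return ErrDeny },
}

// Authorize evaluates the policy: an explicit decision in the context wins,
// otherwise rules run until one returns something other than Skip.
func Authorize(ctx context.Context, owner string) error {
	if d, ok := ctx.Value(decisionKey).(error); ok {
		return d
	}
	for _, rule := range readRules {
		if err := rule(ctx, owner); !errors.Is(err, ErrSkip) {
			return err
		}
	}
	return ErrDeny
}

// recordHandler guards a record owned by "bob" (constructed) behind the policy.
func recordHandler(w http.ResponseWriter, r *http.Request) {
	if err := Authorize(r.Context(), "bob"); !errors.Is(err, ErrAllow) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "bob's record")
}

// RequestStatus sends one request through middleware and handler in-process
// and returns the HTTP status code.
func RequestStatus(sessionCookie string) int {
	h := AuthMiddleware(http.HandlerFunc(recordHandler))
	req := httptest.NewRequest(http.MethodGet, "/records/bob", nil)
	if sessionCookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sessionCookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("no cookie:", RequestStatus(""))            // 403
	fmt.Println("bob (owner):", RequestStatus("sess-bob"))  // 200
	fmt.Println("alice (admin):", RequestStatus("sess-alice")) // 200
	fmt.Println("unknown session:", RequestStatus("sess-x")) // 403
	// Background job: bypass the policy explicitly, as with privacy.Allow.
	sys := DecisionContext(context.Background(), ErrAllow)
	fmt.Println("system job allowed:", errors.Is(Authorize(sys, "bob"), ErrAllow)) // true
}
```

The default-deny rule at the end of `readRules` is the part worth keeping when you port this to real Ent policies: without it, a caller that matches no rule falls through, and in Ent that fall-through is a deny only because the package's own default is deny. Writing it explicitly makes the policy readable on its own and keeps the `DecisionContext` bypass the single, greppable place where checks are skipped.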