lrstanley/entrest

docs: http handler: authentication & permissions

Opened this issue · 2 comments

Fill out and complete the associated documentation for the page in question.

I have some roles and data; how do I resolve data permissions for different roles? I'm hoping for a best practice.

@wj-stack I have yet to write the documentation of course, however, my general recommendation is below. Note that until I have proper docs, this might be lacking in information, so sorry if it's not super helpful.

  1. As part of your authentication, insert the identity into the request context, before it gets to Ent. Some examples:
    • JWT on a per-request basis as an HTTP middleware, matching to an identity or role.
    • Cookies on an out-of-bounds authentication flow, and an HTTP middleware that reads those cookies and does session validation, matching to an identity or role.
  2. In Ent, use the privacy feature. Pull the authentication/authorization information out of the context for validation.
  3. For all non-request based database calls, you'll need to bypass authentication (unless you have a SYSTEM user or similar you could map things to). You can do this by telling the privacy layer to explicitly allow the query, skipping all privacy layer checks. Example: ctx = privacy.DecisionContext(ctx, privacy.Allow)

Another project, which is using entrest and authentication (though nothing crazy, it's my personal site, so there is only admin, or unauthenticated), if you want to poke around: https://github.com/lrstanley/liam.sh/blob/master/internal/database/schema/schema_post.go#L149-L159
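The three steps above, as an added example that is not code from entrest, liam.sh or the commenter: a net/http middleware that maps a bearer token to an identity stored in the request context, a rule function that reads that identity and decides on a mutation, and an explicit-allow bypass for code that runs outside any request. The Identity type, the "admin"/"user" role names, the token table and the Decision/Allow/DecisionContext stand-ins are assumptions made for this example; the stand-ins only copy the shape of Ent's generated privacy.DecisionContext(ctx, privacy.Allow) so the snippet runs without Ent, and in a real project the rule would be an Ent privacy policy rule reading the same context.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Identity is what the auth middleware puts in the request context (step 1);
// its fields and the "admin"/"user" role names are assumptions for this example.
type Identity struct {
	Subject string
	Role    string
}

type ctxKey string

const identityKey, decisionKey ctxKey = "identity", "decision"

// Decision, Allow and DecisionContext mirror the shape of Ent's generated
// privacy.DecisionContext(ctx, privacy.Allow) (step 3); they are stand-ins so
// the example runs without Ent, not the real entgo.io privacy package.
type Decision int

const Allow Decision = 1

func DecisionContext(ctx context.Context, d Decision) context.Context {
	return context.WithValue(ctx, decisionKey, d)
}

// sessions is a constructed token table standing in for JWT verification or a
// cookie-backed session store.
var sessions = map[string]Identity{
	"tok-alice": {Subject: "alice", Role: "admin"},
	"tok-bob":   {Subject: "bob", Role: "user"},
	"tok-carol": {Subject: "carol", Role: "user"},
}

// AuthMiddleware resolves the bearer token to an Identity before the handler
// (and so the Ent client) sees the request; an unknown or missing token leaves
// no identity in the context, so the rule below fails closed.
func AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if id, ok := sessions[tok]; ok {
			ctx = context.WithValue(ctx, identityKey, id)
		}
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// Post stands in for an Ent entity that records its owner.
type Post struct{ Owner string }

var ErrDeny = errors.New("privacy: access denied")

// AllowPostMutation is the rule (step 2): an explicit Allow decision, an admin
// or the owner may mutate the post; anyone else, unauthenticated included, is denied.
func AllowPostMutation(ctx context.Context, p Post) error {
	if d, ok := ctx.Value(decisionKey).(Decision); ok && d == Allow {
		return nil
	}
	id, ok := ctx.Value(identityKey).(Identity)
	if !ok || (id.Role != "admin" && id.Subject != p.Owner) {
		return ErrDeny
	}
	return nil
}

var post = Post{Owner: "bob"} // constructed sample row

// DeleteStatus sends DELETE /posts/1 through the middleware with the given
// bearer token and returns the resulting HTTP status code.
func DeleteStatus(token string) int {
	h := AuthMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := AllowPostMutation(r.Context(), post); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}))
	req := httptest.NewRequest(http.MethodDelete, "/posts/1", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// BackgroundCleanup runs outside any request, so (step 3) it opts out of the
// rule explicitly rather than failing closed.
func BackgroundCleanup() error {
	return AllowPostMutation(DecisionContext(context.Background(), Allow), post)
}

func main() {
	fmt.Println(DeleteStatus("tok-alice"), DeleteStatus("tok-bob"), DeleteStatus("tok-carol"), DeleteStatus(""), BackgroundCleanup())
}
```

Running main prints 204 for the admin and for the owner, 403 for the other user and for the missing token, and a nil error for the background job. The reason to keep the bypass as an explicit decision at the call site, rather than loosening the rule, is that every non-request path (cron job, migration, seed script) then has a visible line saying it skipped the privacy layer, which is easy to audit.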