Open Dialvive opened 3 years ago
Are the routes that use x-api-key for development only?
If that's the case, then I'm stuck with something else :cry:
Suppose the following routes:
GET /foo -> public
POST /foo -> dev only
DELETE /foo -> dev only
GET /bar -> public
POST /bar -> dev only
DELETE /bar -> dev only
How should I create the groups? I've designed 3 options with the following middleware to check the API key:

```go
package main

import (
	"net/http"

	"github.com/gin-gonic/gin"
)

// MustHaveSecretKey aborts the request when no x-api-key header is present.
// Note: it only checks that the header exists, not that its value is correct.
func MustHaveSecretKey(c *gin.Context) {
	if c.GetHeader("x-api-key") == "" {
		c.AbortWithStatus(http.StatusBadRequest)
		return
	}
	c.Next()
}
```
There are two uses for x-api-keys now. Some operations that require x-api-key are admin-only operations, meaning that neither the webpage nor regular developers can invoke those operations. Examples of admin-only access:
Admin-only operations will continue to use the x-api-key authentication header.
There are also operations that use the same API key for development purposes; this API key authentication will be deprecated in favor of JWT user authentication. These will be available to the website for user-invoked operations. Examples of these operations:
One option is to group operations by admin-only, authenticated-user-only, and public-access. Needless to say, authenticated-user-only will only allow operations on the user itself, and not on other users, except when removing friends.
I have updated the issue.
Probably the best would be to create a middleware for x-api-key authentication for all admin-only routes, and another middleware that verifies the user auth token for authenticated-user-only routes.
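The three-group layout the reply proposes, as an added example (not code from the original issue or the project): one check for the admin-only group, one for the authenticated-user group, none for the public group. It is written against Go's standard net/http rather than gin so it runs with no dependencies, but the middleware pattern is the same. The route table, the admin key, and validateUserToken (a stand-in for real JWT verification) are all constructed assumptions for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Access levels for the three groups discussed in the thread.
const (
	accessPublic = iota
	accessUser   // authenticated user; a bearer token stands in for the JWT
	accessAdmin  // holder of the server-side x-api-key
)

type route struct {
	method, path string
	access       int
}

// Constructed route table (an assumption for this example): reads are public,
// writes to /v1/foo are admin-only, writes to /v1/bar are user-only.
var routes = []route{
	{"GET", "/v1/foo", accessPublic},
	{"POST", "/v1/foo", accessAdmin},
	{"DELETE", "/v1/foo", accessAdmin},
	{"GET", "/v1/bar", accessPublic},
	{"POST", "/v1/bar", accessUser},
	{"DELETE", "/v1/bar", accessUser},
}

// validateUserToken is a hypothetical stand-in for JWT verification: it
// accepts one constructed token. A real implementation verifies the
// signature, expiry and audience and returns the subject claim.
func validateUserToken(token string) (userID string, ok bool) {
	if token == "user-token-1" {
		return "user-1", true
	}
	return "", false
}

// authorize returns 0 if the request may proceed, otherwise the HTTP status
// to reject it with. adminKey is the expected x-api-key value.
func authorize(access int, r *http.Request, adminKey []byte) int {
	switch access {
	case accessPublic:
		return 0
	case accessAdmin:
		got := []byte(r.Header.Get("x-api-key"))
		// Check the value, not just presence, in constant time; an unset
		// server key fails closed instead of matching an empty header.
		if len(adminKey) == 0 || subtle.ConstantTimeCompare(got, adminKey) != 1 {
			return http.StatusUnauthorized
		}
		return 0
	case accessUser:
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			return http.StatusUnauthorized
		}
		if _, ok := validateUserToken(strings.TrimPrefix(auth, "Bearer ")); !ok {
			return http.StatusUnauthorized
		}
		return 0
	}
	return http.StatusForbidden // unknown access level: fail closed
}

// newRouter dispatches on method+path and runs the access check for the
// group a route belongs to before its handler.
func newRouter(adminKey []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		pathKnown := false
		for _, rt := range routes {
			if rt.path != r.URL.Path {
				continue
			}
			pathKnown = true
			if rt.method != r.Method {
				continue
			}
			if st := authorize(rt.access, r, adminKey); st != 0 {
				http.Error(w, http.StatusText(st), st)
				return
			}
			fmt.Fprintf(w, "%s %s ok", r.Method, r.URL.Path)
			return
		}
		if pathKnown {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		http.NotFound(w, r)
	})
}

// statusFor sends one in-memory request through the router and returns the status code.
func statusFor(h http.Handler, method, path string, headers map[string]string) int {
	req := httptest.NewRequest(method, path, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newRouter([]byte("dev-secret-key")) // constructed key for the demo
	fmt.Println(statusFor(h, "GET", "/v1/foo", nil))                                                          // 200
	fmt.Println(statusFor(h, "POST", "/v1/foo", map[string]string{"x-api-key": "wrong"}))                    // 401
	fmt.Println(statusFor(h, "POST", "/v1/foo", map[string]string{"x-api-key": "dev-secret-key"}))           // 200
	fmt.Println(statusFor(h, "DELETE", "/v1/bar", map[string]string{"Authorization": "Bearer user-token-1"})) // 200
	fmt.Println(statusFor(h, "DELETE", "/v1/bar", map[string]string{"x-api-key": "dev-secret-key"}))         // 401
}
```

Two points differ from a presence-only header check: the admin key is compared by value in constant time and fails closed when no key is configured, and holding the admin key does not grant access to the user group (the last call above is rejected), so the two credentials stay separate as the reply intends.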
I have another question: should I add / as a prefix, given that it can be omitted?
For example, both of the following produce the same route, /v1/bar:

```go
// Without leading slashes:
v1 := r.Group("v1")
public := v1.Group("")
public.GET("bar", myfunc)
```

```go
// With leading slashes:
v1 := r.Group("/v1")
public := v1.Group("/")
public.GET("/bar", myfunc)
```
It would be better if we explicitly add the '/'.
Group routes in: