ubyssey / chatbotmgmt

🤖💬

Implement Authentication/Authorization Filter #28

Open jeffries opened 7 years ago

jeffries commented 7 years ago

The management API currently implements no authentication or access control logic; this is problematic, as it will be possible to push arbitrarily many messages to subscribers from this API. As such, authentication logic is necessary before initial deployment.

There is a hook in main.go in the form of the AuthenticateRequest function that is intended for this purpose (implemented as a filter loaded into the router). This method currently passes the request to the next handler; it should instead inspect the request and either pass the request on, or break the filter chain and return an unauthorized/forbidden response. The specific logic for authorization and access control is left to the implementor.

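A concrete shape the hook described above could take, as an added example that is not code from the chatbotmgmt repository: a `net/http` middleware (the project's actual router and filter signature are not shown in the issue, so the standard library is assumed) that resolves a bearer token to a principal by constant-time digest comparison, returns 401 when no usable credential is presented, 403 when the credential is valid but the request would mutate state with a read-only token, and otherwise passes the request to the next handler. The `Principal`, `AuthFilter`, `Authorize` names and the "non-GET means push" rule are hypothetical choices for illustration; the tokens are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"strings"
)

// Principal is what a valid token resolves to. Hypothetical shape for this
// example: a name and whether the holder may mutate state (push messages).
type Principal struct {
	Name     string
	CanWrite bool
}

type credential struct {
	digest    [32]byte
	principal Principal
}

// AuthFilter is the filter placed in front of the router. It keeps only
// SHA-256 digests of the provisioned tokens, never the plaintext.
type AuthFilter struct {
	creds []credential
	next  http.Handler
}

// NewAuthFilter takes token -> principal pairs (in a real deployment loaded
// from configuration or a secret store) and the downstream handler chain.
func NewAuthFilter(tokens map[string]Principal, next http.Handler) *AuthFilter {
	f := &AuthFilter{next: next}
	for tok, p := range tokens {
		f.creds = append(f.creds, credential{digest: sha256.Sum256([]byte(tok)), principal: p})
	}
	return f
}

// bearerToken extracts <token> from "Authorization: Bearer <token>".
// The scheme is matched case-insensitively, as RFC 7235 requires.
func bearerToken(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	const prefix = "bearer "
	if len(h) <= len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return "", false
	}
	tok := strings.TrimSpace(h[len(prefix):])
	return tok, tok != ""
}

// Authenticate maps a presented token to its principal. Every stored digest
// is compared in constant time and the loop never exits early, so response
// timing does not reveal which (if any) token matched.
func (f *AuthFilter) Authenticate(token string) (Principal, bool) {
	got := sha256.Sum256([]byte(token))
	var matched Principal
	found := false
	for _, c := range f.creds {
		if subtle.ConstantTimeCompare(got[:], c.digest[:]) == 1 {
			matched, found = c.principal, true
		}
	}
	return matched, found
}

// Authorize is the access-control decision the issue leaves to the
// implementor. Assumption for this example: GET/HEAD are read-only, every
// other method may push messages and therefore needs a write-capable token.
func Authorize(p Principal, r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead:
		return true
	default:
		return p.CanWrite
	}
}

// ServeHTTP is the filter itself: it either calls the next handler or breaks
// the chain with 401 (no usable credential) or 403 (valid credential, action
// not permitted for it).
func (f *AuthFilter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	tok, ok := bearerToken(r)
	if !ok {
		w.Header().Set("WWW-Authenticate", `Bearer realm="chatbotmgmt"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	p, ok := f.Authenticate(tok)
	if !ok {
		w.Header().Set("WWW-Authenticate", `Bearer realm="chatbotmgmt", error="invalid_token"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if !Authorize(p, r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	f.next.ServeHTTP(w, r)
}

func main() {
	// Constructed placeholder tokens; real ones come from configuration.
	tokens := map[string]Principal{
		"admin-token-CHANGE-ME":    {Name: "admin", CanWrite: true},
		"readonly-token-CHANGE-ME": {Name: "dashboard", CanWrite: false},
	}
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewAuthFilter(tokens, api)))
}
```

The split between 401 and 403 matters operationally: a 401 carries `WWW-Authenticate` and means "try again with credentials", while a 403 tells a client with a valid token that the action itself is denied, which is the case a read-only dashboard token should hit when it attempts a push.
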
hsluoyz commented 7 years ago

Hi, I'm the author of casbin. It is an authorization library that supports models like ACL, RBAC and ABAC.

Related to RBAC, casbin has several advantages:

  1. Roles can be cascaded, i.e. roles can have roles.
  2. Resource roles are supported, so users have their roles and resources have their roles too (role = group here).
  3. The permission assignments (or policy, in casbin's language) can be persisted in files or a database.

And you can even customize your own access control model, for example, mix RBAC and ABAC together by using roles and attributes at the same time. It's very flexible.

So please consider using casbin when chatbotmgmt implements access control security. Also let me know if there's any question :)
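The three RBAC features listed above, as an added illustration that is not part of the comment: a casbin model in the library's CONF syntax with one role hierarchy for subjects (`g`) and one for resources (`g2`), following the shape of casbin's documented RBAC-with-resource-roles model. The role and resource names are hypothetical and chosen to fit this project.

```ini
# Request: who (sub) wants to perform which action (act) on which resource (obj)
[request_definition]
r = sub, obj, act

# Policy rules have the same three fields
[policy_definition]
p = sub, obj, act

# g:  user -> role, and role -> role, so roles cascade (feature 1)
# g2: resource -> resource role, i.e. a resource group (feature 2)
[role_definition]
g = _, _
g2 = _, _

# Allow if any matching policy rule allows
[policy_effect]
e = some(where (p.eft == allow))

# Match the request's subject through g, its object through g2, action exactly
[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act
```

With a policy file (feature 3, persisted as CSV) containing `p, operator, messaging, push`, `g, alice, admin`, `g, admin, operator` and `g2, /messages, messaging`, the request `(alice, /messages, push)` is allowed: `alice` reaches `operator` through the cascaded `admin` role, and `/messages` belongs to the `messaging` resource group. A request from a user with no path to `operator`, or against a resource outside `messaging`, is denied, which is the property the management API needs before anything can push to subscribers.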