RBAC(Role-Based Access Control) Support

[goginenibhavani2000]

Problem:

GoFr lacks built-in role-based access control, forcing developers to implement custom authorization logic for each route. This leads to inconsistent security implementations and code duplication.

Goal :

Create a declarative RBAC middleware that integrates seamlessly with GoFr.

1. JSON Configuration: Define roles and permissions declaratively
2. Multiple Usage Patterns:

•   app.Use(rbac.Middleware(config))  // Global
  

•  app.GET("/admin", rbac.RequireRole("admin")(handler)) // Route-specific
  

3. Flexible Role Extraction: Support JWT claims, sessions, and custom extractors
4. Pattern Matching: Handle wildcards () and path patterns (/users/)
5. Helper Functions: IsAdmin(), HasRole(), GetUserRoles()

Implementation Plan

• Models-

// RoleConfig defines the roles and their allowed paths/permissions.
type RoleConfig struct {
Roles map[string][]string json:"roles" // e.g., {"admin": ["*"], "editor": ["/edit", "/update"]}
}

// Options allow flexible configuration.
type Options struct {
RoleExtractor func(*Context) ([]string, error) // customized function can be passed
Config RoleConfig
}

• func to load RoleConfig (LoadRoleConfig(path string) (rbac.RoleConfig, error)) and validate config
• Implement func Middleware(opt Options) http.Handler for global use
• Implement route-specific like RequireRole(role string) http.Handler
• isAuthorized function should support pattern match(match(pattern, path string) bool) for wildcard and prefix matching
• Implement helper functions: IsAdmin(c *Context) bool , HasRole(c *Context, role string), GetUserRoles(c *Context) ([]string, error)

[coolwednesday]

Sure Assigning it to you. However I would need other maintainers @aryanmehrotra & @Umang01-hash, opinion on your implementation design.

[coolwednesday]

You can start working on it. Please ensure you implement an optional parameter design pattern to avoid this from becoming a breaking change.

Tag me here ! if you have any doubts.

[goginenibhavani2000]

@coolwednesday Can you please check the draft PR for RBAC support- #2049

Follow up Questions:

1. The customized RoleExtractorFunc needs gofr.ctx as a parameter, can it be generalized or anything to be changed?
2. What should be the default logic to extract roles for an HTTP reqquest?
3. Can we use os.ReadFile(path) to read the json configured file of roles with permissions?

Please let me know for any further issues present in the PR or suggestions that we can discuss. Ignore the sample main.go file changes and go.mod file changes.

[aryanmehrotra]

Hey, can you share how it would look like when the user uses, what are the things user might need to setup.

[goginenibhavani2000]

@aryanmehrotra Please check this is how it will look like for users

[Umang01-hash]

@goginenibhavani2000 We need tp use app.UseMiddleware(rbac.Middleware(rbacConfigs)) else it will not be applied as global middleware.

[goginenibhavani2000]

@Umang01-hash I have pushed my changes to a branch, can you please check it, tested few use cases, 1 use case is not working as expected, want help on the same. Also i have raised few questions in discord discussions. Can you please look into it and confirm if my changes are as expected.
Discord post link- https://discord.com/channels/1156248707931590666/1394236937824505866
my branch comparison with development- https://github.com/gofr-dev/gofr/compare/development...goginenibhavani2000:gofr:RBAC-middleware-support?expand=1

RBAC use cases tested in local:

• Global middleware with admin in config.json and exact req path- passed
• Global middleware with role in config.json and suffix pattern matching for path- passed
• Global middleware with role in config.json and prefix pattern matching for path- passed
• Overriding of Global middleware with route specific- failed- (ex- user1 role is required for /greet but that role is not present in config.json or path is not allowed via config.json file)- it fails at main middleware, to fix, we can skip global check if provided in middleware as a config
• Using just route specific - failed- r.cloneContext(ctx) is not working with gofr.Context

[coolwednesday]

@goginenibhavani2000, Please raise the PR. It is easier to compare the changes and suggest changes through that. The review process will get much more faster.

Thank you !

[goginenibhavani2000]

@Umang01-hash @coolwednesday Please review #2144