gofr icon indicating copy to clipboard operation
gofr copied to clipboard
verified publisher icon gofr-dev

RBAC middleware support

Open goginenibhavani2000 opened this issue 4 months ago • 9 comments

Description:

  • Added a declarative RBAC middleware with JSON‑defined roles, flexible role extraction, pattern matching, and helper functions enables consistent, reusable, and easy‑to‑maintain authorization across routes.
  • Addresses https://github.com/gofr-dev/gofr/issues/2000
  • GoFr has no native RBAC, forcing manual, repetitive route‑level authorization that risks inconsistency and increases maintenance. Expected Benefits include centralized, configurable, and reusable access control that’s easier to maintain, more flexible, and improves security.

Breaking Changes (if applicable):

  • None

Additional Information:

  • No relevant dependencies effected or external libraries used.

Checklist:

  • [ ] I have formatted my code using goimport and golangci-lint.
  • [ ] All new code is covered by unit tests.
  • [ ] This PR does not decrease the overall code coverage.
  • [ ] I have reviewed the code comments and documentation for clarity.

goginenibhavani2000 avatar Aug 11 '25 20:08 goginenibhavani2000

We would like to keep RBAC as a separate module. Hence add go.mod in it. So that it does not get added in the binary of the gofr framework.

@coolwednesday What's the advantage of having RBAC in another module, unless we move the auth middlewares into a separate module as well?

akshat-kumar-singhal avatar Aug 13 '25 18:08 akshat-kumar-singhal

@goginenibhavani2000 please go ahead and resolve the review comments given by the reviewer. While we decide whether to keep it inside or outside like a separate module i think we can focus on completing the implementation, testing, documentation etc. Please let us know if you know any more help.

Umang01-hash avatar Aug 20 '25 11:08 Umang01-hash

We would like to keep RBAC as a separate module. Hence add go.mod in it. So that it does not get added in the binary of the gofr framework.

@coolwednesday What's the advantage of having RBAC in another module, unless we move the auth middlewares into a separate module as well?

@akshat-kumar-singhal We see RBAC as a layer beneath Auth—more specialized and not universally required. Auth is core to GoFr and widely used, which is why its middlewares are bundled. RBAC, on the other hand, is optional and domain-specific, so we’re keeping it modular to avoid unnecessary coupling and binary weight.

Umang01-hash avatar Aug 20 '25 11:08 Umang01-hash

Won’t it be taken care of by the dead code elimination done during build? I agree that RBAC shouldn’t be a default, but an easy to include module/package. What we could consider is having the interface for RBAC within gofr and the external module implementing that interface.

On Wed, 20 Aug 2025 at 16:58, Umang Mundhra @.***> wrote:

Umang01-hash left a comment (gofr-dev/gofr#2144) https://github.com/gofr-dev/gofr/pull/2144#issuecomment-3205786539

We would like to keep RBAC as a separate module. Hence add go.mod in it. So that it does not get added in the binary of the gofr framework.

@coolwednesday https://github.com/coolwednesday What's the advantage of having RBAC in another module, unless we move the auth middlewares into a separate module as well?

@akshat-kumar-singhal https://github.com/akshat-kumar-singhal We see RBAC as a layer beneath Auth—more specialized and not universally required. Auth is core to GoFr and widely used, which is why its middlewares are bundled. RBAC, on the other hand, is optional and domain-specific, so we’re keeping it modular to avoid unnecessary coupling and binary weight.

— Reply to this email directly, view it on GitHub https://github.com/gofr-dev/gofr/pull/2144#issuecomment-3205786539, or unsubscribe https://github.com/notifications/unsubscribe-auth/APUGM5WLZAMQTTVY4YHXRRD3ORLXVAVCNFSM6AAAAACDUPRBZSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTEMBVG44DMNJTHE . You are receiving this because you were mentioned.Message ID: @.***>

akshat-kumar-singhal avatar Aug 20 '25 11:08 akshat-kumar-singhal

taken care of by the dead code elimination done during build? I agree that RBAC shouldn’t be a default, but an easy to include module/package. What we could consider is having the interface for RBAC

Yes that makes sense. WE can have the interface in GoFr and implementation outside.

Umang01-hash avatar Aug 20 '25 11:08 Umang01-hash

@goginenibhavani2000 Are you still working on the issue. Please let us know in case you need any further help for the same.

Umang01-hash avatar Sep 03 '25 06:09 Umang01-hash

@goginenibhavani2000 Are you still working on the issue. Please let us know in case you need any further help for the same.

Yes, i have completed the suggested changes except the change in having interface. Would like to confirm if the RBAC interface is like below

type RBAC interface { RoleExtractor(r *http.Request, args ...any) (string, error) IsPathAllowed(role string, path string) bool }

goginenibhavani2000 avatar Sep 03 '25 15:09 goginenibhavani2000

@goginenibhavani2000, So Sorry for the delay. I will be prioritising this issue review for the next week's release. Let me know if you are interested to tale this further if not, I myself will pick up this issue.

coolwednesday avatar Sep 17 '25 06:09 coolwednesday

@coolwednesday I’d be happy to take this further and help with the changes. Let me know if there's anything specific you'd like me to focus on.

goginenibhavani2000 avatar Sep 18 '25 14:09 goginenibhavani2000