improve security middleware

configs/struct.go

@@ -4,7 +4,7 @@ type (
 	User struct {
 		Id    string
 		Email string
-		Role  string
+		Role  int
 	}
 
 	Env struct {
@@ -34,6 +34,7 @@ type (
 		HeaderUserId       string
 		HeaderUserEmail    string
 		HeaderUserRole     string
+		MaximumRole        int
 		CacheLifetime      int
 		User               *User
 		TemplateLocation   string

dics/core.go

@@ -120,6 +120,7 @@ var Core = []dingo.Def{
 			env.HeaderUserId = os.Getenv("HEADER_USER_ID")
 			env.HeaderUserEmail = os.Getenv("HEADER_USER_EMAIL")
 			env.HeaderUserRole = os.Getenv("HEADER_USER_ROLE")
+			env.MaximumRole, _ = strconv.Atoi(os.Getenv("MAXIMUM_ROLE"))
 
 			env.CacheLifetime, _ = strconv.Atoi(os.Getenv("CACHE_LIFETIME"))
 

middlewares.yaml

@@ -1,2 +1,2 @@
 middlewares:
-    - core:middleware:auth
+    # - core:middleware:auth

middlewares/auth.go

@@ -2,6 +2,7 @@ package middlewares
 
 import (
 	"net/http"
+	"strconv"
 
 	configs "github.com/crowdeco/skeleton/configs"
 )
@@ -13,7 +14,13 @@ type Auth struct {
 func (a *Auth) Attach(request *http.Request, response http.ResponseWriter) bool {
 	a.Env.User.Id = request.Header.Get(a.Env.HeaderUserId)
 	a.Env.User.Email = request.Header.Get(a.Env.HeaderUserEmail)
-	a.Env.User.Role = request.Header.Get(a.Env.HeaderUserRole)
+	a.Env.User.Role, _ = strconv.Atoi(request.Header.Get(a.Env.HeaderUserRole))
+
+	if a.Env.User.Role == 0 || a.Env.User.Role > a.Env.MaximumRole {
+		http.Error(response, "Unauthorization", http.StatusUnauthorized)
+
+		return true
+	}
 
 	return false
 }