Home

04 middleware

7a.4 Middleware – using the policies

The HTTP middleware (and the WebSocket dispatcher) is a thin adapter: it loads the entities, hands them to the relevant *SecurityContext, and translates Decision.Reason into an HTTP / WebSocket error code.

// pkgs/bigfred/server/http/middleware.go
//
// RequireRole consults the EFFECTIVE role set inside the JWT-pinned
// layout (§7a.2). Sudo admins pass the same gate as permanent admins
// — there is no "non-sudo" carve-out (§7a.7).
func RequireRole(auth *service.AuthService, roles ...domain.Role) func(http.Handler) http.Handler {
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            id, _ := IdentityFromContext(r.Context())
            eff, err := auth.Effective(r.Context(), id.User, id.Layout.ID)
            if err != nil {
                http.Error(w, "internal_error", http.StatusInternalServerError)
                return
            }
            for _, role := range roles {
                if eff.Has(role) {
                    next.ServeHTTP(w, r)
                    return
                }
            }
            http.Error(w, "forbidden", http.StatusForbidden)
        })
    }
}

// RequireVehicleDrive loads the loco, the active lease and the active
// takeover, then defers to LocoSecurityContext.CanDriveLoco.
func RequireVehicleDrive(repo VehicleAccessRepo) func(http.Handler) http.Handler {
    var sec security.LocoSecurityContext // stateless – zero value is fine
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            id   := auth.FromCtx(r.Context())
            addr := uint16(chiParamInt(r, "addr"))
            loco, lease, takeover, err := repo.LoadDriveContext(r.Context(), addr)
            if err != nil {
                http.Error(w, "not found", http.StatusNotFound); return
            }
            d := sec.CanDriveLoco(security.LocoDriveInput{
                Actor: id.User, Loco: loco,
                ActiveLease: lease, ActiveTakeover: takeover,
                Now: time.Now(),
            })
            if !d.Allowed {
                http.Error(w, d.Reason, http.StatusForbidden); return
            }
            next.ServeHTTP(w, r)
        })
    }
}

The WebSocket dispatcher uses the same security context directly:

func (c *Client) handle(ctx context.Context, env Envelope) {
    switch env.Type {
    case "loco.setSpeed":
        var p struct{ Addr uint16; Speed uint8; Forward bool }
        _ = json.Unmarshal(env.Payload, &p)

        loco, lease, takeover, err := c.repo.LoadDriveContext(ctx, p.Addr)
        if err != nil { c.ack(env.ID, err); return }

        d := c.sec.Loco.CanDriveLoco(security.LocoDriveInput{
            Actor: c.identity.User, Loco: loco,
            ActiveLease: lease, ActiveTakeover: takeover,
            Now: time.Now(),
        })
        if !d.Allowed {
            c.ack(env.ID, fmt.Errorf("forbidden: %s", d.Reason)); return
        }
        // …call LocoService.SetSpeed…
    }
}