Home >Backend Development >Golang >How to Set Up Authorization in a Bookstore Management System with Go, HTMX, and Permit.io
Authorization is important when building applications, as it determines what actions and resources a user is allowed to access after they authenticate.
In this article, we'll take a look at how to implement authorization using permit.io. To demonstrate it, we'll be building a simple bookstore app using Golang and HTMX (I'm a huge fan).
To follow through this tutorial, the following prerequisites should be met:
All users (admins included) can read books. Admins can also add, delete, and update books. Standard users are limited to reading books.
This tutorial will guide you through setting up a bookstore application with basic authorization. We’ll implement:
Authorization Logic: Define roles (Admin and Standard User) using Permit.io to restrict or grant access to different resources.
Database: Set up a PostgreSQL database to store book and user data.
Handlers: Implement routes for viewing, adding, updating, and deleting books with access control checks.
Frontend: Use HTMX to load book data dynamically.
In setting up the project, we’ll start by setting up permit.io. Navigate to your dashboard workspace and create a new project. I’ll give mine the name of bookstore.
This will create two environments: a development environment and a production environment.
Since we’re working locally, we’ll use the development environment. Click on Open dashboard in the Development environment and then on Create Policy. You’ll be asked to create a new resource first. Click create resource. Give it a name and state the actions. For this project, I’ll name mine books, and the action will be create, update, delete, and view.
Next, navigate to the policy editor section. By default, you should see an admin role already created. You just need to tick the view action we added, as it is not recognized by default. You need another role. This will be for users with only permission to read.
Click Create then Role and give it the name of user. Once created, you should see it in the policy editor and tick view in the user role you just created like so:
The next thing is to register the users who would be authorized by permit.io. Navigate back to your home menu through the sidebar menu you should still have something like this:
Click on Add users and then add, then add user. Fill in the details that will correspond to your users in the database.
Once that is done, navigate back to your project. In the Development For the environment for the bookstore project, click on the 3 dotted icon. You’ll see an option to copy the API key. Copy and save it somewhere, as you’ll be needing it for the project.
Create a PostgreSQL database called bookstore. You’ll need to set up two tables:
CREATE TABLE users ( id SERIAL PRIMARY KEY, username VARCHAR(255) NOT NULL, password_hash VARCHAR(255) NOT NULL, role VARCHAR(50) NOT NULL );
Go ahead and populate this, but make each user have a role of admin and user, respectively, and make sure they match the users added on Permit.io.
CREATE TABLE books ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), title VARCHAR(255) NOT NULL, author VARCHAR(255) NOT NULL, published_at DATE, created_at TIMESTAMPTZ DEFAULT now() );
You don’t need to populate this we’ll be doing that in the code.
You’ll need to install the following dependencies:
github.com/permitio/permit-golang: Provides tools for handling role-based access control (RBAC) and permission management with Permit.io in Go applications.
github.com/google/uuid: This provides functions to generate and work with universally unique identifiers (UUIDs).
github.com/gorilla/mux: Helps to Implement an HTTP request router and dispatcher for handling routes in a web application.
github.com/joho/godotenv: This loads environment variables from a .env. file into the application, making it easier to manage configuration settings.
github.com/lib/pq: This is Go’s Postgres driver for communicating with PostgreSQL databases.
golang.org/x/crypto: Implements supplementary cryptographic algorithms and libraries that are not included in Go's standard library.
To install these dependencies, you need to initialize initializes a new Go module. This is the starting point for dependency management in Go.
Run this command:
CREATE TABLE users ( id SERIAL PRIMARY KEY, username VARCHAR(255) NOT NULL, password_hash VARCHAR(255) NOT NULL, role VARCHAR(50) NOT NULL );
Next, run this command:
CREATE TABLE books ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), title VARCHAR(255) NOT NULL, author VARCHAR(255) NOT NULL, published_at DATE, created_at TIMESTAMPTZ DEFAULT now() );
This will install all the dependencies listed above.
To set up the PDP, you’ll need to start up docker. Once you do, open up your terminal and run this command:
go mod init bookstore
After which you need to run the container with this command:
go get github.com/google/uuid \ github.com/gorilla/mux \ github.com/joho/godotenv \ github.com/lib/pq \ github.com/permitio/permit-golang \ golang.org/x/crypto
Replace the part that says
To build the application, this is how our project structure will be:
docker pull permitio/pdp-v2:latest
Let's first add our API Key inside a .env file. Create one, and then your permit API key like so:
docker run -it -p 7766:7000 --env PDP_DEBUG=True --env PDP_API_KEY=<YOUR_API_KEY> permitio/pdp-v2:latest
Create a folder called config. Inside it, create a file called config.go. Add the following code:
Bookstore ├── config │ └── config.go │ ├── handlers │ └── handlers.go │ ├── middleware │ └── middleware.go │ ├── models │ └── models.go │ ├── templates │ ├── add.html │ ├── books.html │ ├── index.html │ ├── layout.html │ ├── login.html │ └── update.html │ ├── main.go └── .env
This is just us setting up a configuration to connect to a PostgreSQL database.
Next, create a folder called handlers, and inside it, create a file called handlers.go. Inside it, add the following code:
export PERMIT_API_KEY=”your_api_key”
Aside from importing the packages, what we’re trying to do here is create a structure that holds the database connection and permit.io. We are also providing an initialization function that sets up Permit.io with local PDP.
Right after the NewHandlers add this in:
package config import ( "database/sql" "fmt" _ "github.com/lib/pq" ) type Config struct { DB *sql.DB Port string DBConfig PostgresConfig } type PostgresConfig struct { Host string Port string User string Password string DBName string } func NewConfig() *Config { return &Config{ Port: "8080", DBConfig: PostgresConfig{ Host: "localhost", Port: "5432", User: "bookstore_user", Password: "your_password", DBName: "bookstore_db", }, } } func (c *Config) ConnectDB() error { connStr := fmt.Sprintf("host=%s port=%s user=%s password=%s dbname=%s sslmode=disable", c.DBConfig.Host, c.DBConfig.Port, c.DBConfig.User, c.DBConfig.Password, c.DBConfig.DBName, ) db, err := sql.Open("postgres", connStr) if err != nil { return fmt.Errorf("error opening database: %v", err) } if err := db.Ping(); err != nil { return fmt.Errorf("error connecting to database: %v", err) } c.DB = db return nil }
The LoginHandler does the following:
The next step is to add a book handler to access the books. It will also utilize permit.io to verify the user's role. Add the following code right after the LoginHandler:
package handlers import ( "bookstore/middleware" "bookstore/models" "context" "database/sql" "fmt" "html/template" "net/http" "strings" "time" "github.com/google/uuid" "github.com/permitio/permit-golang/pkg/config" "github.com/permitio/permit-golang/pkg/enforcement" permitModels "github.com/permitio/permit-golang/pkg/models" "github.com/permitio/permit-golang/pkg/permit" ) var tmpl = template.Must(template.ParseGlob("templates/*.html")) func StringPtr(s string) *string { return &s } type Handlers struct { db *sql.DB permitClient *permit.Client } func NewHandlers(db *sql.DB, apiKey string) *Handlers { permitConfig := config.NewConfigBuilder(apiKey). WithPdpUrl("http://localhost:7766"). Build() permitClient := permit.NewPermit(permitConfig) if permitClient == nil { panic("Failed to initialize Permit.io client") } return &Handlers{ db: db, permitClient: permitClient, } }
The BookHandler does the following:
Next, you need a handler to add books. It will also verify the user's role through Permit.io to ensure only authorized users can add books:
CREATE TABLE users ( id SERIAL PRIMARY KEY, username VARCHAR(255) NOT NULL, password_hash VARCHAR(255) NOT NULL, role VARCHAR(50) NOT NULL );
The AddBookHandler does the following:
You need two more handlers, one for deleting and the other for updating. Add this code right after the AddBookHandler function:
CREATE TABLE books ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), title VARCHAR(255) NOT NULL, author VARCHAR(255) NOT NULL, published_at DATE, created_at TIMESTAMPTZ DEFAULT now() );
The DeleteBookHandler does the following:
Right after the DeleteBookHandler function, add the following:
go mod init bookstore
The UpdateHandler does the following:
Throughout the code, you’ll notice that the authorization system is built around Permit.io's role-based access control framework, which provides sophisticated permission management.
This system also enables fine-grained control over user actions and allows different levels of access for viewing, creating, updating, and deleting resources. Each operation in the application undergoes detailed permission checking and ensures that users can only perform actions for which they're authorized.
Now we’re done with the handlers. Create a folder called middleware, and inside it, create a file called middleware.go. Add the following code:
go get github.com/google/uuid \ github.com/gorilla/mux \ github.com/joho/godotenv \ github.com/lib/pq \ github.com/permitio/permit-golang \ golang.org/x/crypto
This middleware package helps provide secure password hashing and authentication, along with CRUD operations for managing books in a bookstore application. It uses bcrypt to hash passwords for secure storage and verifies password hashes during login. It also prevents the exposure of sensitive data.
The LoginUser function authenticates users by comparing their input with stored password hashes and retrieves the full user profile on successful login, excluding the password hash for added security.
Also, CRUD operations allow you to create, update, retrieve, and delete book records in the database, with access control to ensure only authorized users can modify or delete entries they created. The package also includes a GetUserRole function to retrieve user roles, facilitating role-based access control.
Create another folder called models, and inside it, create a file called models.go. And add the following:
CREATE TABLE users ( id SERIAL PRIMARY KEY, username VARCHAR(255) NOT NULL, password_hash VARCHAR(255) NOT NULL, role VARCHAR(50) NOT NULL );
This package defines several data models for a bookstore application, including User, Book, and LoginRequest structures, along with a custom NullUUID type for handling nullable UUIDs in the database.
Almost done. The next thing you need to do is create the templates for your project. You’ll need to create templates for login and index, to add books, view books, delete books, and update books.
Create a folder called templates. This is where your html templates will be.
For login, create a file called login.html, and inside it, paste this:
CREATE TABLE books ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), title VARCHAR(255) NOT NULL, author VARCHAR(255) NOT NULL, published_at DATE, created_at TIMESTAMPTZ DEFAULT now() );
This main package serves as the entry point for a bookstore application. It sets up database connectivity, environment configuration, and HTTP routes for handling user login and book management.
In the main function, routes are registered using the Gorilla Mux router. The handlers.NewHandlers function initializes handlers with the database and Permit.io API key. It enables functionality such as user authentication (/login) and book management (/books, /add, /delete, /update). Each route is mapped to specific HTTP methods, organizing the endpoints for different actions.
Finally, the server starts on port 8080, listening for incoming requests and logging any errors that occur. This setup ensures a structured API endpoint configuration and secure handling of environment variables.
Now that's about everything! Let's start up our app to see. the result. To start the server, run this command:
go mod init bookstore
Visit http://localhost:8080/login in your browser.
Let's start by testing just the permissions of the standard_user:
You'll see that the standard_user is restricted to viewing books only and cannot add, delete, or update a book.
Let's now log in using the admin_user to see what happens:
You'll see that the admin has permission to do just about anything! That's how solid and easy to use Permit is!
You can check out these resources to learn more about Permit’s authorization:
In this tutorial, we built a simple bookstore management app to implement role-based access control using Go, HTMX, and Permit.io. Authorization is fundamental aspect of application security, as it ensures that users can only access what they’re allowed to.
Implementing an effective access control model like RBAC or ABAC into your application would not only secure your application but also enhance its scalability and compliance.
The above is the detailed content of How to Set Up Authorization in a Bookstore Management System with Go, HTMX, and Permit.io. For more information, please follow other related articles on the PHP Chinese website!