RequireRouteFeature returns a global middleware that checks the user has access to the feature required by the matched route. It uses the RouteFeatureRegistry to look up the required feature for each route pattern + HTTP method. If no entry matches, the request passes through (no restriction).
(db *gorm.DB)
| 235 | // to look up the required feature for each route pattern + HTTP method. |
| 236 | // If no entry matches, the request passes through (no restriction). |
| 237 | func RequireRouteFeature(db *gorm.DB) echo.MiddlewareFunc { |
| 238 | if db == nil { |
| 239 | return NoopMiddleware() |
| 240 | } |
| 241 | // Pre-build lookup map: "METHOD:pattern" -> feature |
| 242 | lookup := map[string]string{} |
| 243 | for _, rf := range RouteFeatureRegistry { |
| 244 | lookup[rf.Method+":"+rf.Pattern] = rf.Feature |
| 245 | } |
| 246 | return func(next echo.HandlerFunc) echo.HandlerFunc { |
| 247 | return func(c echo.Context) error { |
| 248 | path := c.Path() // Echo route pattern (e.g. "/v1/engines/:model/completions") |
| 249 | method := c.Request().Method |
| 250 | feature := lookup[method+":"+path] |
| 251 | if feature == "" { |
| 252 | feature = lookup["*:"+path] |
| 253 | } |
| 254 | if feature == "" { |
| 255 | return next(c) // no restriction for this route |
| 256 | } |
| 257 | user := GetUser(c) |
| 258 | if user == nil { |
| 259 | return next(c) // auth middleware handles unauthenticated |
| 260 | } |
| 261 | if user.Role == RoleAdmin { |
| 262 | return next(c) |
| 263 | } |
| 264 | perm, err := GetCachedUserPermissions(c, db, user.ID) |
| 265 | if err != nil { |
| 266 | return c.JSON(http.StatusInternalServerError, schema.ErrorResponse{ |
| 267 | Error: &schema.APIError{ |
| 268 | Message: "failed to check permissions", |
| 269 | Code: http.StatusInternalServerError, |
| 270 | Type: "server_error", |
| 271 | }, |
| 272 | }) |
| 273 | } |
| 274 | val, exists := perm.Permissions[feature] |
| 275 | if !exists { |
| 276 | if !isDefaultOnFeature(feature) { |
| 277 | return c.JSON(http.StatusForbidden, schema.ErrorResponse{ |
| 278 | Error: &schema.APIError{ |
| 279 | Message: "feature not enabled for your account: " + feature, |
| 280 | Code: http.StatusForbidden, |
| 281 | Type: "authorization_error", |
| 282 | }, |
| 283 | }) |
| 284 | } |
| 285 | } else if !val { |
| 286 | return c.JSON(http.StatusForbidden, schema.ErrorResponse{ |
| 287 | Error: &schema.APIError{ |
| 288 | Message: "feature not enabled for your account: " + feature, |
| 289 | Code: http.StatusForbidden, |
| 290 | Type: "authorization_error", |
| 291 | }, |
| 292 | }) |
| 293 | } |
| 294 | return next(c) |
no test coverage detected