Authorization (Gates)
Authorization is handled through gates — functions that check the authenticated user's permissions before allowing a request.
The Gate Signature
```cpp
using http_gate_t = std::function<bool(const http_request&)>;
```
A gate receives the HTTP request and returns true (allowed) or false (denied, HTTP 403).
Built-in Gate
The built-in admin gate is in framework::clients::http::gates:
```cpp
using namespace framework;
using namespace framework::clients::http;
using namespace framework::clients::http::gates;

app.register_endpoint(
    http_verb_t::get,
    "/admin/stats",
    handler,
    nullptr,
    is_admin_all,
    true // requires JWT authentication
);
```
Custom Gate
Access the configuration from the request state and check JWT claims:
```cpp
app.register_endpoint(
    http_verb_t::get,
    "/admin/users",
    handler,
    nullptr,
    [](const http_request& req) -> bool {
        auto& config = req.state_->get_configuration();
        auto& jwt = req.http_connection_.get_jwt();
        return jwt.is_valid(config) && jwt.has_claims("admin", "users");
    },
    true
);
```
JWT Grant Checking
The jwt object provides methods to check specific permissions.
```cpp
using namespace framework::support::auth;

jwt jwt;
jwt.set_token(token);

// Check resource-level grants
if (jwt.has_grant("channels:private-chat-42", "read")) {
    // Can read channel
}

// Check watcher grants — the watchable identifies
// which resource (node, channel, cache key, etc.) to check
auto watchable = /* construct from session and resource */;
bool can_watch = jwt.has_watcher_grant(watchable);

// Check role-based claims
bool is_admin = jwt.has_claims("admin", "all");

// Get quota limits from JWT (returns map of limit name → value)
auto limits = jwt.get_quota_limits();
uint32_t window = jwt.get_quota_window(); // window in seconds
```
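The custom gate and the claim/grant checks above can be composed into reusable gates with the same `http_gate_t` signature. The following is an added example, not the framework's own code: `mock_jwt`, `http_request` and `sample_request` are stand-ins that only mirror the `is_valid`/`has_claims`/`has_grant` calls shown on this page, so the block runs without the framework headers. Every leaf gate checks token validity first, and the combinators deny on an empty gate list, so a misconfigured endpoint fails closed.

```cpp
#include <functional>
#include <set>
#include <string>
#include <utility>
#include <vector>
// Stand-ins for the framework's jwt and http_request (assumption: mocks that
// only mirror the is_valid/has_claims/has_grant calls shown on this page).
struct mock_jwt {
    bool valid = false;
    std::set<std::pair<std::string, std::string>> claims; // (scope, name)
    std::set<std::pair<std::string, std::string>> grants; // (resource, action)
    bool is_valid() const { return valid; }
    bool has_claims(const std::string& s, const std::string& n) const { return claims.count({s, n}) > 0; }
    bool has_grant(const std::string& r, const std::string& a) const { return grants.count({r, a}) > 0; }
};
struct http_request { mock_jwt jwt; };
// Same shape as the framework's gate type.
using http_gate_t = std::function<bool(const http_request&)>;
// Each leaf gate checks validity first, so an unverified token never passes.
http_gate_t require_claim(std::string scope, std::string name) {
    return [=](const http_request& r) { return r.jwt.is_valid() && r.jwt.has_claims(scope, name); };
}
http_gate_t require_grant(std::string resource, std::string action) {
    return [=](const http_request& r) { return r.jwt.is_valid() && r.jwt.has_grant(resource, action); };
}
// Combinators. Both deny on an empty gate list: a missing policy is not "allow".
http_gate_t require_all(std::vector<http_gate_t> gates) {
    return [gates](const http_request& r) {
        if (gates.empty()) return false;
        for (const auto& g : gates) if (!g(r)) return false;
        return true;
    };
}
http_gate_t require_any(std::vector<http_gate_t> gates) {
    return [gates](const http_request& r) {
        for (const auto& g : gates) if (g(r)) return true;
        return false;
    };
}
// Constructed sample token: claim admin/users and a read grant on one channel.
http_request sample_request(bool valid) {
    http_request r;
    r.jwt.valid = valid;
    r.jwt.claims.insert({"admin", "users"});
    r.jwt.grants.insert({"channels:private-chat-42", "read"});
    return r;
}
```

A composed gate such as `require_all({require_claim("admin", "users"), require_grant("channels:private-chat-42", "read")})` can be passed where `register_endpoint` expects a gate.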