github gofr-dev/gofr v1.51.0

8 hours ago

Release v1.51.0

🚀 Features

🔐 Role-Based Access Control (RBAC)

GoFr introduces a config-driven RBAC middleware for enforcing authorization across HTTP APIs without adding role or permission logic inside handlers.

Key Highlights

  • Authorization defined entirely via JSON/YAML configuration
  • Permission-based model
    • Roles define permissions
    • Endpoints require permissions
  • Header-based and JWT-based role extraction
    • JWT-based RBAC supported via GoFr OAuth
    • JWT takes precedence when both are configured
  • Role inheritance support
  • Exact permission matching (no wildcards)
  • Gorilla/mux-compatible route matching
    • Supports path variables and constraints
  • Safe-by-default enforcement
    • Only routes defined in RBAC config are enforced
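The permission model listed above, worked through in Go as an added example. This is not GoFr's middleware: the JSON layout, the `Load`/`Allowed`/`hasAll` names and `sampleConfig` are assumptions made for the example. It shows roles granting permissions and inheriting other roles, each configured route listing the permissions it requires, permission names compared as exact strings, route templates with gorilla/mux-style `{name}` and `{name:regex}` variables, and a request to a route absent from the config passing through unenforced.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// RBAC is the config shape this example assumes (the real GoFr schema may differ);
// encoding/json binds the lower-case JSON keys to these fields case-insensitively.
type RBAC struct {
	Roles    map[string]Role
	Routes   []Route
	patterns []*regexp.Regexp // one anchored regexp per route, built by Load
}
type Role struct{ Permissions, Inherits []string } // direct grants plus inherited roles
type Route struct {
	Method, Path string // Path is a mux-style template, e.g. /users/{id:[0-9]+}
	Permissions  []string
}

// varRe finds a mux variable, {name} or {name:regex}; group 1 is the regex.
var varRe = regexp.MustCompile(`\{[^{}:]+(?::([^{}]+))?\}`)
// Load parses the config and compiles each template into an anchored regexp: a bare
// variable matches one segment, a constrained one its regex; literal text is quoted.
func Load(raw []byte) (*RBAC, error) {
	r := &RBAC{}
	if err := json.Unmarshal(raw, r); err != nil {
		return nil, err
	}
	for _, rt := range r.Routes {
		lits := varRe.Split(rt.Path, -1) // literal text around the variables
		pat := "^" + regexp.QuoteMeta(lits[0])
		for i, m := range varRe.FindAllStringSubmatch(rt.Path, -1) {
			if m[1] == "" {
				m[1] = "[^/]+"
			}
			pat += "(" + m[1] + ")" + regexp.QuoteMeta(lits[i+1])
		}
		re, err := regexp.Compile(pat + "$")
		if err != nil {
			return nil, fmt.Errorf("route %s %s: %w", rt.Method, rt.Path, err)
		}
		r.patterns = append(r.patterns, re)
	}
	return r, nil
}

// hasAll expands roles through inheritance (the seen-set terminates cycles; an unknown
// role grants nothing), then requires every needed permission as an exact string match.
func (r *RBAC) hasAll(roles, need []string) bool {
	have, seen := map[string]bool{}, map[string]bool{}
	for queue := append([]string(nil), roles...); len(queue) > 0; queue = queue[1:] {
		name := queue[0]
		if seen[name] {
			continue
		}
		seen[name] = true
		for _, p := range r.Roles[name].Permissions {
			have[p] = true
		}
		queue = append(queue, r.Roles[name].Inherits...)
	}
	for _, p := range need {
		if !have[p] { // no wildcard expansion: "users:*" never satisfies "users:read"
			return false
		}
	}
	return true
}

// Allowed reports whether a request with these roles may call method+path.
// A route that is not in the config is not enforced and passes through.
func (r *RBAC) Allowed(method, path string, roles []string) bool {
	for i, rt := range r.Routes {
		if rt.Method == method && r.patterns[i].MatchString(path) {
			return r.hasAll(roles, rt.Permissions)
		}
	}
	return true
}
// sampleConfig is constructed for this example, not a file shipped with GoFr.
const sampleConfig = `{"roles": {
    "viewer": {"permissions": ["users:read"]},
    "editor": {"permissions": ["users:write"], "inherits": ["viewer"]},
    "admin":  {"permissions": ["users:delete"], "inherits": ["editor"]},
    "wild":   {"permissions": ["users:*"]}},
  "routes": [
    {"method": "GET",    "path": "/users/{id:[0-9]+}", "permissions": ["users:read"]},
    {"method": "DELETE", "path": "/users/{id:[0-9]+}", "permissions": ["users:delete"]}]}`

func main() {
	r, err := Load([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println(r.Allowed("DELETE", "/users/42", []string{"admin"})) // true: users:delete via inheritance
	fmt.Println(r.Allowed("GET", "/users/42", []string{"wild"}))     // false: "users:*" is not "users:read"
}
```

Two consequences of the "only configured routes are enforced" rule are worth checking in a real config: a constraint mismatch (say `/users/abc` against `{id:[0-9]+}`) leaves the request unenforced by RBAC and relies on the router's own 404, and every sensitive route has to appear in the config, because an omission is a silent allow rather than a deny.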

Usage

Enable RBAC using default config paths:

app := gofr.New()
app.EnableRBAC()

Or specify a custom RBAC config file:

app.EnableRBAC("configs/rbac.json")

JWT Integration

RBAC integrates with GoFr OAuth for JWT-based authorization:

app.EnableOAuth("https://auth.example.com/.well-known/jwks.json", 10)
app.EnableRBAC("configs/rbac.json")

Roles are extracted from JWT claims using configurable claim paths.
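Role extraction with a configurable claim path, as an added example rather than GoFr's code: `RoleSource`, its `UseJWT`/`ClaimPath`/`HeaderName` fields and the `realm_access.roles` path are assumptions, and the claims map is what a verified JWT decodes to with encoding/json. It applies the precedence stated above in the strictest reading: once JWT is configured, the header source is ignored rather than merged.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// RoleSource is the configuration this example assumes (not GoFr's own options):
// a dotted path into the JWT claims and a fallback header. UseJWT is set when
// OAuth is enabled, and claims are then the only source consulted.
type RoleSource struct {
	UseJWT     bool
	ClaimPath  string // e.g. "realm_access.roles", walked through nested objects
	HeaderName string // e.g. "X-Roles", comma-separated role names
}

// rolesFromClaims walks the dotted path through nested claim objects and returns
// the string list found there; anything missing or of the wrong type yields nil.
func rolesFromClaims(claims map[string]any, path string) []string {
	var cur any = claims
	for _, key := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]any)
		if !ok {
			return nil
		}
		if cur, ok = obj[key]; !ok {
			return nil
		}
	}
	switch v := cur.(type) {
	case string: // a single-role claim
		return []string{v}
	case []any: // JSON arrays decode to []any; non-string entries are skipped
		out := make([]string, 0, len(v))
		for _, e := range v {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// Roles resolves the request's roles. With JWT enabled the header is not read at
// all, so a caller cannot add roles by sending the header alongside a token.
func (s RoleSource) Roles(claims map[string]any, h http.Header) []string {
	if s.UseJWT {
		return rolesFromClaims(claims, s.ClaimPath)
	}
	var roles []string
	for _, r := range strings.Split(h.Get(s.HeaderName), ",") {
		if r = strings.TrimSpace(r); r != "" {
			roles = append(roles, r)
		}
	}
	return roles
}

func main() {
	// Constructed claims, shaped like a decoded verified token; not a real token.
	claims := map[string]any{"sub": "alice", "realm_access": map[string]any{"roles": []any{"editor", "viewer"}}}
	h := http.Header{"X-Roles": {"admin"}}
	jwt := RoleSource{UseJWT: true, ClaimPath: "realm_access.roles", HeaderName: "X-Roles"}
	hdr := RoleSource{ClaimPath: "realm_access.roles", HeaderName: "X-Roles"}
	fmt.Println(jwt.Roles(claims, h)) // [editor viewer]: header ignored
	fmt.Println(hdr.Roles(nil, h))    // [admin]
}
```

When the header source is the one in use, the header must be set by a trusted gateway that also strips the same header from inbound client traffic; otherwise any caller can assign themselves roles.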


Observability

  • Debug logs include route matching and authorization decision details.
  • Roles are excluded from traces to avoid PII leakage.

📚 Documentation

Refer to the RBAC documentation for configuration details and advanced usage.
