Yes, the handlers are arranged as follows:

OAuth2Middleware (JWT token creation on login / JWT validation) ->
InputValidationMiddleware (decoding and validating user input and checking if
the user has the rights to view/request the data according to the claims in
the JWT) -> API Handler (decoding user input and talking to the backend,
returning the response to the user)

You are right, the OAuth2Middleware could, instead of passing the token after
validation, also pass the claims using the request context. That's right.

Thank you for the feedback.

On Thu, 26 Sep 2019 at 21:36, burak serdar <bser...@computer.org> wrote:

> On Thu, Sep 26, 2019 at 1:14 PM Martin Palma <m...@palma.bz> wrote:
> >
> > Hello,
> >
> > I'm in the process of writing an HTTP API with Go. I use a middleware
> > for generating and validating JWT tokens. On any incoming request the
> > middleware checks the JWT and validates it. If valid, it adds it to the
> > request header and calls the next handler.
> >
> > Is it safe to use the JWT in the next handler without validating it
> > again and using the claims?
>
> If you make sure you have those two handlers in that order, then the
> answer is yes.
>
> Another approach is to validate the JWT in the first handler, and put
> the claims into the request context for the next handler, so the next
> handler doesn't even deal with the JWT, and gets the claims from the
> context. This assumes the second handler won't be called if JWT
> doesn't validate.
>
> >
> > Best,
> > Martin
> >
>
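
The context-passing arrangement discussed in this thread, as an added example that is not part of the original messages. The names Claims, Verifier, Auth and RequireScope are hypothetical, and Verifier stands in for whatever JWT library call validates the token; the token, scope and address in main are constructed values.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"strings"
)

// Claims is an assumed claim shape; Verifier stands in for the JWT library's validation call.
type Claims struct{ Sub, Scope string }
type Verifier func(token string) (*Claims, error)
type ctxKey struct{} // unexported: only this package can set the context value

// Auth validates the bearer token once and passes only the claims downstream.
func Auth(verify Verifier, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		c, err := verify(strings.TrimPrefix(h, "Bearer "))
		if !strings.HasPrefix(h, "Bearer ") || err != nil || c == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return // next is never called for an invalid token
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, c)))
	})
}

// RequireScope never parses the JWT; without claims from Auth it fails closed.
func RequireScope(scope string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := r.Context().Value(ctxKey{}).(*Claims)
		if !ok || c.Scope != scope {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // demo wiring: the token, scope and address are constructed values
	verify := func(t string) (*Claims, error) {
		if t != "constructed-demo-token" {
			return nil, errors.New("invalid token")
		}
		return &Claims{Sub: "martin", Scope: "reports:read"}, nil
	}
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) })
	http.ListenAndServe("127.0.0.1:8080", Auth(verify, RequireScope("reports:read", api)))
}
```

Because the claims travel in the request context rather than in a header, a handler mounted without Auth sees no claims and rejects the request, whatever headers the client sends.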
