This project demonstrates a sample Google Docs API with access control enforced via an integration with Auth0 FGA.
- Start a Postgres container

```sh
docker run -e POSTGRES_PASSWORD=password -p 5432:5432 -d postgres:14
```

- Bootstrap the database tables

```sh
PGPASSWORD=password psql -h localhost -p 5432 -U postgres -d postgres -f schema.sql
```
- Define the Authorization Model in Auth0 FGA

Using the Model Explorer in the Auth0 FGA Dashboard, upload the following model for this app:

```
model
  schema 1.1
type user
type group
  relations
    define member: [user]
type folder
  relations
    define owner: [user, group#member]
    define viewer: [user, group#member] or owner
type document
  relations
    define owner: [user, group#member]
    define parent: [folder]
    define viewer: [user, group#member] or owner or viewer from parent
```
- Start the app

```sh
export FGA_STORE_ID=<storeID>
export FGA_CLIENT_ID=<clientID>
export FGA_CLIENT_SECRET=<secret>
go run main.go
```

The `FGA_STORE_ID`, `FGA_CLIENT_ID`, and `FGA_CLIENT_SECRET` values can be found in the Settings page of the Auth0 FGA Dashboard in your FGA account.
Download the Postman collection for the sample API if you'd like.
Every endpoint is protected with bearer token based authentication. Use jwt.io to craft tokens with a `sub` claim. The token's secret should be `mysecret` for the auth middleware to verify it correctly.

Include the `Authorization: Bearer <token>` header in each request. For example:

```sh
curl -X POST -H "Authorization: Bearer <token>" http://localhost:8080/folders -d '{"name":"folderX"}'
```
```
POST http://localhost:8080/folders
{"name": "folderX"}

GET http://localhost:8080/folders/:id

POST http://localhost:8080/documents
{"parent": "folder:folderX", "name": "mydoc"}

GET http://localhost:8080/documents/:id

GET http://localhost:8080/documents

POST http://localhost:8080/groups
{"name": "engineering", "members": ["jill@auth0.com"]}

POST http://localhost:8080/share
{"object": "folder:folderX", "relation": "viewer", "user": "group:engineering#member"}
```
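To see how the model above turns the `POST /groups` and `POST /share` calls into document access, here is an added, self-contained Go re-implementation of the model's resolution rules over a few constructed tuples. It is illustrative code written for this README, not the sample app's code or the FGA engine; the tuples, user names and the `Check` function are assumptions.

```go
package main

import "strings"

// Tuple mirrors an FGA relationship tuple: user has relation on object. The user field
// may be a plain user ("user:jill@auth0.com") or a userset ("group:engineering#member").
type Tuple struct{ User, Relation, Object string }

// Constructed sample tuples: what the sample API would store after the POST /groups
// and POST /share calls above, plus an owner for folderX and a document under it.
var tuples = []Tuple{
	{"user:jill@auth0.com", "member", "group:engineering"},
	{"user:bob@auth0.com", "owner", "folder:folderX"},
	{"group:engineering#member", "viewer", "folder:folderX"},
	{"folder:folderX", "parent", "document:mydoc"},
}

// Check resolves the page's model locally (a teaching re-implementation, not the FGA engine):
//   group.member = direct; folder.viewer = direct or owner;
//   document.viewer = direct or owner or viewer from parent.
// Direct assignments may be a user or a group#member userset, which is expanded recursively.
// Assumes acyclic tuple data; the real engine additionally guards against cycles.
func Check(ts []Tuple, user, relation, object string) bool {
	objType := strings.SplitN(object, ":", 2)[0]
	for _, t := range ts {
		if t.Relation != relation || t.Object != object {
			continue
		}
		if t.User == user {
			return true
		}
		// Userset such as group:engineering#member: is user a member of that group?
		if i := strings.Index(t.User, "#"); i >= 0 && Check(ts, user, t.User[i+1:], t.User[:i]) {
			return true
		}
	}
	// "or owner" on folder and document.
	if relation == "viewer" && (objType == "folder" || objType == "document") && Check(ts, user, "owner", object) {
		return true
	}
	// "or viewer from parent" on document: viewer on any parent folder confers viewer here.
	if relation == "viewer" && objType == "document" {
		for _, t := range ts {
			if t.Relation == "parent" && t.Object == object && Check(ts, user, "viewer", t.User) {
				return true
			}
		}
	}
	return false
}
```

With these tuples, jill can view `document:mydoc` only because the engineering group was shared `viewer` on the parent folder; a user with no tuple path is denied.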