
Auth Middleware

Put auth in middleware policies when the same check applies to more than one handler.

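// WritePolicy composes the middleware that guards write routes.
type WritePolicy struct {
	_ sdk.Use[RequireActor]
	_ sdk.Use[RequireWritePermission]
}

// HandleHTTP rejects the request with 401 unless the Authorization header
// is present and parses to an actor.
func (RequireActor) HandleHTTP(ctx sdk.Ctx) (any, error) {
	token := ctx.Request().Header("Authorization")
	if token == "" {
		return nil, ctx.Errors().Failure(http.StatusUnauthorized, "missing authorization")
	}
	actor, err := parseActor(token)
	if err != nil {
		return nil, ctx.Errors().Failure(http.StatusUnauthorized, "invalid authorization")
	}
	// Store the actor in locals so later middleware and request models can read it.
	ctx.Locals().Set("actor", actor)
	return ctx.Next()
}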
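
The middleware above calls `parseActor`, which the page does not show. The following is an added example, not the SDK's or this page's own code, of one way to write it. The `Actor` fields, the `Bearer <id>.<tag>` token format, the `sign` helper and the demo key are all assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Actor is a hypothetical shape; the page does not show its fields.
type Actor struct{ ID string }

// signingKey is a constructed demo key; load a real one from secret storage.
var signingKey = []byte("constructed-demo-key")

var errInvalidToken = errors.New("invalid authorization")

// sign (hypothetical helper) returns the base64url HMAC-SHA256 tag over the actor ID.
func sign(id string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(id))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// parseActor accepts only "Bearer <id>.<tag>" (an assumed format) and
// returns one generic error so the response never reveals which check failed.
func parseActor(header string) (Actor, error) {
	scheme, token, ok := strings.Cut(header, " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") {
		return Actor{}, errInvalidToken
	}
	id, tag, ok := strings.Cut(token, ".")
	if !ok || id == "" {
		return Actor{}, errInvalidToken
	}
	// Constant-time comparison avoids a timing side channel on the tag.
	if !hmac.Equal([]byte(tag), []byte(sign(id))) {
		return Actor{}, errInvalidToken
	}
	return Actor{ID: id}, nil
}

func main() {
	good := "Bearer alice." + sign("alice") // constructed sample header
	fmt.Println(parseActor(good))
	fmt.Println(parseActor("Bearer alice.forged"))
}
```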

Request models can bind middleware locals:

type CreateProjectRequest struct {
	Actor Actor  `local:"actor" validate:"required"`
	Name  string `json:"name" validate:"required"`
}

This keeps auth reusable without hiding it in generated code.

See the Middleware page for group inheritance, route policies, and protocol-specific middleware contracts.