feat(security): add BeforeHandle hook for auth checks after model resolution

- Implement BeforeHandle hook to enforce authentication based on model rules. - Integrate with existing security mechanisms to allow or deny access. - Update documentation to reflect new hook and its usage.
2026-03-07 05:58:55 +00:00 · 2026-03-01 09:15:30 +02:00
parent e7ab0a20d6
commit 79720d5421
22 changed files with 503 additions and 23 deletions
--- a/pkg/websocketspec/handler.go
+++ b/pkg/websocketspec/handler.go
@@ -177,6 +177,16 @@ func (h *Handler) handleRequest(conn *Connection, msg *Message) {
 		Metadata:   make(map[string]interface{}),
 	}

+	// Execute BeforeHandle hook - auth check fires here, after model resolution
+	hookCtx.Operation = string(msg.Operation)
+	if err := h.hooks.Execute(BeforeHandle, hookCtx); err != nil {
+		if hookCtx.Abort {
+			errResp := NewErrorResponse(msg.ID, "unauthorized", hookCtx.AbortMessage)
+			_ = conn.SendJSON(errResp)
+		}
+		return
+	}
+
 	// Route to operation handler
 	switch msg.Operation {
 	case OperationRead: