Secure API with Role-Based Authorization in Go

This challenge focuses on implementing a basic role-based authorization system for a Go API. Authorization is crucial for securing applications and ensuring that users only have access to the resources and functionalities they are permitted to use. This exercise will help you understand how to integrate authorization logic into your Go applications.

Problem Description

You are tasked with building a simple API endpoint that requires authorization based on user roles. The API will have a single endpoint, /admin/data, which should only be accessible to users with the "admin" role. Other roles, such as "user" or "guest," should be denied access.

The authorization logic should be implemented as middleware. The middleware will receive a request, extract the user's role from the request (simulated for this exercise - see Notes), and determine whether the user is authorized to access the requested resource.

Key Requirements:

• Middleware Implementation: Create a Go middleware function that checks the user's role.
• Role-Based Access Control: The /admin/data endpoint should only be accessible to users with the "admin" role.
• Error Handling: Return a 403 Forbidden error if the user is not authorized.
• Simulated User Role: For simplicity, the user's role will be passed as a query parameter in the request (e.g., /admin/data?role=admin). Do not implement authentication or user management. Focus solely on the authorization middleware.
• HTTP Handler: Create a simple HTTP handler function that serves a message when access is granted.

Expected Behavior:

• A request to /admin/data?role=admin should return a 200 OK status code and a success message.
• A request to /admin/data?role=user or /admin/data?role=guest should return a 403 Forbidden status code and an appropriate error message.
• A request to /admin/data without a role query parameter should return a 400 Bad Request status code and an error message indicating the missing role.

Edge Cases to Consider:

• Missing role query parameter.
• Invalid role value (e.g., a role that doesn't exist). For this exercise, only "admin" is a valid role.
• Empty role value.

Examples

Example 1:

Input: GET /admin/data?role=admin
Output: 200 OK, Body: "Access granted to admin data."
Explanation: The user has the "admin" role, so access is granted.

Example 2:

Input: GET /admin/data?role=user
Output: 403 Forbidden, Body: "Unauthorized: Insufficient privileges."
Explanation: The user has the "user" role, which is not authorized for this endpoint.

Example 3:

Input: GET /admin/data
Output: 400 Bad Request, Body: "Missing role parameter."
Explanation: The request is missing the required 'role' query parameter.

Constraints

• The solution must be written in Go.
• The solution must use the net/http package for handling HTTP requests.
• The solution must implement middleware using the http.Handler interface.
• The solution should handle errors gracefully and return appropriate HTTP status codes.
• The solution should be concise and readable.
• The solution should not implement any authentication mechanisms. Role is passed as a query parameter.

Notes

• The user's role is simulated by a query parameter. Do not implement any user authentication or database interaction.
• Focus on the middleware logic and the HTTP handler.
• Consider using the fmt package for formatting responses.
• You can use the log package for logging errors (optional).
• The role query parameter is case-sensitive. Only "admin" is a valid role.
• Think about how to extract the role from the request and validate it.
• The goal is to demonstrate the basic principles of role-based authorization in Go.