How to get transformed session data outside of HTTP?

[Lakelimbo]

Hi, I'm really liking this library, and it's working quite nicely for me.
Right now I'm facing just one problem: my program has a permissions system, which is stored into the database, and I have a predefined SQL query to get the permissions a user has, so I put this into limen.WithHTTPSessionTransformer(), and it works. But as far as I can see, this only applies for actual endpoint requests, so on a middleware, for example, I can't access the custom field I added during transform with auth.GetSession().
Is there another way to get around this?

[krotname]

I think your reading is correct: WithHTTPSessionTransformer() is only on the HTTP response path, not on the session validation path.

The relevant flow is:

• WithHTTPSessionTransformer() stores sessionTransformer in the HTTP config.
• Responder.SessionResponse() calls it before writing the auth/session JSON response.
• auth.GetSession(r) just calls SessionManager.ValidateSession(...) and returns *ValidatedSession.
• MiddlewareRequireSession() also calls authInstance.GetSession(r) and then stores only User and Session in request context.

So the transformer does not mutate the stored session/user, and its extra fields will not appear later from auth.GetSession() or GetCurrentSessionFromCtx().

The cleanest workaround is to move the permission-loading logic into a shared helper, then call that helper from both places:

func LoadUserPermissions(ctx context.Context, db *sql.DB, userID any) ([]Permission, error) {
    // your existing query here
}

Then use it in the session transformer for the /auth/... response, and also in your own middleware after Limen has validated the session:

func PermissionsMiddleware(auth *limen.Limen, db *sql.DB) limen.Middleware {
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            session, err := auth.GetSession(r)
            if err != nil {
                http.Error(w, "Unauthorized", http.StatusUnauthorized)
                return
            }

            perms, err := LoadUserPermissions(r.Context(), db, session.User.ID)
            if err != nil {
                http.Error(w, "Forbidden", http.StatusForbidden)
                return
            }

            ctx := context.WithValue(r.Context(), permissionsKey{}, perms)
            next.ServeHTTP(w, r.WithContext(ctx))
        })
    }
}

If the route is already protected by Limen's MiddlewareRequireSession(), you can also read the validated session with limen.GetCurrentSessionFromCtx(r) and then attach permissions to the context in the next middleware.

So short version: use the transformer for shaping the auth response; use a separate enrichment middleware/helper for authorization data needed during request handling.

[Lakelimbo]

thank you!

[thecodearcher]

Thanks @krotname this is exactly right, really appreciate the clear breakdown 🙏

WithHTTPSessionTransformer() is response-only (it shapes auth endpoint JSON), so it won’t affect auth.GetSession() / limen.GetCurrentSessionFromCtx() in middleware.
For permissions/roles needed during request handling, the right pattern is a separate enrichment middleware that loads permissions after session validation and stores them in request context.