field | value
--------- | -----
author | Igor Pashev <pashev.igor@gmail.com>, 2017-05-13 23:09:56 +0300
committer | Igor Pashev <pashev.igor@gmail.com>, 2017-05-13 23:16:09 +0300
commit | 850e5cc2d4ef96a2dd2a43c9b8d4c1355eb7a148 (patch)
tree | 1ae2c8e9db2623235509a636e3e9a57ded083fae /README.md
parent | 4e115cca1db6ded1c11d970bdb2372da0ff6eb95 (diff)
download | sproxy2-850e5cc2d4ef96a2dd2a43c9b8d4c1355eb7a148.tar.gz
Add end-point for checking access in a bunch
Diffstat (limited to 'README.md')

mode | file | lines
---------- | --------- | -----
-rw-r--r-- | README.md | 72

1 file changed, 52 insertions, 20 deletions
@@ -140,32 +140,36 @@ Keep in mind that: - SQL wildcards (`_` and `%`) are supported for emails, paths (this _will_ change in future versions). -HTTP headers passed to the back-end server ------------------------------------------- +Checking access in a bunch +-------------------------- -All Sproxy headers are UTF8-encoded. +There is an API end-point for checking access rights in a single POST query: +`/.sproxy/access`. Users should be authenticated to use this end-point, +otherwise the respond will be HTTP 511. +The request body shall be a JSON object like this: -header | value --------------------- | ----- -`From:` | visitor's email address, lower case -`X-Groups:` | all groups that granted access to this resource, separated by commas (see the note below) -`X-Given-Name:` | the visitor's given (first) name -`X-Family-Name:` | the visitor's family (last) name -`X-Forwarded-Proto:` | the visitor's protocol of an HTTP request, always `https` -`X-Forwarded-For` | the visitor's IP address (added to the end of the list if header is already present in client request) +```json +{ + "tag1": {"path": "/foo", "method": "GET"}, + "tag2": {"path": "/bar", "method": "GET"} +} +``` +And the respond will contain a JSON array with tag matching path and method +pairs allowed to the user. For example: -`X-Groups` denotes an intersection of the groups the visitor belongs to and the groups that granted access: +```sh +$ curl -d '{"foo": {"path":"/get", "method":"GET"}, "bar": {"path":"/post", "method":"POST"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ... 
+["foo","bar"] -Visitor's groups | Granted groups | `X-Groups` ----------------- | -------------- | --------- -all | all, devops | all -all, devops | all | all -all, devops | all, devops | all,devops -all, devops | devops | devops -devops | all, devops | devops -devops | all | Access denied +$ curl -d '{"foo": {"path":"/get", "method":"POST"}, "bar": {"path":"/post", "method":"POST"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ... +["bar"] + +$ curl -d '{"foo": {"path":"/", "method":"POST"}, "bar": {"path":"/post", "method":"GET"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ... +[] + +``` Logout @@ -188,6 +192,34 @@ Disallow: / ``` +HTTP headers passed to the back-end server +------------------------------------------ + +All Sproxy headers are UTF8-encoded. + + +header | value +-------------------- | ----- +`From:` | visitor's email address, lower case +`X-Groups:` | all groups that granted access to this resource, separated by commas (see the note below) +`X-Given-Name:` | the visitor's given (first) name +`X-Family-Name:` | the visitor's family (last) name +`X-Forwarded-Proto:` | the visitor's protocol of an HTTP request, always `https` +`X-Forwarded-For` | the visitor's IP address (added to the end of the list if header is already present in client request) + + +`X-Groups` denotes an intersection of the groups the visitor belongs to and the groups that granted access: + +Visitor's groups | Granted groups | `X-Groups` +---------------- | -------------- | --------- +all | all, devops | all +all, devops | all | all +all, devops | all, devops | all,devops +all, devops | devops | devops +devops | all, devops | devops +devops | all | Access denied + + Requirements ============ Sproxy2 is written in Haskell with [GHC](http://www.haskell.org/ghc/). |
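Review bot: In the first hunk (`@@ -140,32 +140,36 @@`), "otherwise the respond will be HTTP 511" and "And the respond will contain a JSON array" should both read "response", and "Users should be authenticated to use this end-point" is vague about how: say that the request must carry the same Sproxy session the client uses for any other resource. The three `curl` examples all pass `-k`, which disables TLS certificate verification; README examples get copied verbatim, so drop `-k` or show `--cacert` with the deployment's CA instead. The hunk also never says what `/.sproxy/access` returns when the body is not a JSON object of the documented `{"tag": {"path": ..., "method": ...}}` shape, or when `method` is not one the ACL knows; one sentence on the status code for a malformed request would save users a round-trip. Finally, "Checking access in a bunch" (heading and commit message) is not idiomatic; "Checking access in bulk" or "Batch access check" reads better.

Review bot: The second hunk (`@@ -188,6 +192,34 @@`) re-inserts the "HTTP headers passed to the back-end server" section below "Logout" and the robots block with its text unchanged, so the two hunks read as a 20-line deletion plus a 28-line insertion of identical lines and the move has to be verified by eye; if the text is touched anyway, it is worth fixing what it carries: `X-Forwarded-For` is the only row of the header table without a trailing colon, and "UTF8-encoded" should be "UTF-8-encoded". The `X-Forwarded-For` description ("added to the end of the list if header is already present in client request") is also the security-relevant row: it implies that everything before the last element is whatever the client sent, so a back-end that wants the visitor's address must take the last element and treat the rest as unverified. A sentence saying so next to that row would prevent the obvious misuse.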