@narando/authorization
v0.36.0
Published
Opinionated authorization framework with Promises based on narando architecture.
Downloads
72
Readme
@narando/authorization
Opinionated authorization framework with Promises based on narando architecture.
Getting Started
You need to have nodejs
and npm
installed.
$ npm install @narando/authorization
Usage
Activities take the form service:scope:method:item
, eg.:
api:articles:get:list
. A Permission is an Activity that is linked to a user
and contains additional information:
// Permission
{
// Name of Activity
"name": "service:scope:method:item",
// Wether this permission only applies to objects that
// the user owns/has control of.
"onlyAssociated": true
}
To create an instance of the authorization module you have to invoke authorize
import Authorization from "@narando/toolkit";
import model from "app/model";
// You can preconfigure options for the authorization.
// If you are in a specific express controller the scope
// of all checked permissions is usually the same, so you
// can set it once and then only need to overwrite it if it
// differs.
const auth = Authorization.authorize({ scope: "articles" });
// Now you can use the auth object to perform different kinds of
// authorization
await auth.action({
method: "get",
item: "list",
user: req.user,
});
// This will throw if the user does not have to required permissions for this activity
Express Middleware
// You can also use the express middleware to allow/deny access to parts of the interface
import express from "express";
const app = express();
app.use(
auth.middleware({
/* ... */
})
);
app.get("/restricted", (req, res) => {
/* ... */
});
// This will either call the next middleware if the user has sufficient permission
// or send a response with the appropriate HTTP response code associated to the
// thrown error as defined in @narando/errors
Decorator
If you have a function and you want to restrict access to it, you can use the decorator pattern.
To use it you have to have the babel plugin
babel-plugin-transform-decorators-legacy
installed and configured.
@auth.decorate({
method: 'get',
item: 'list'
})
function getArticles(req) {
/* ... */
}
This will either throw on the invocation of the method if the user does not have sufficient permissions, or call the decorated function if he does.
Association Checks
In some cases a black/white authorization strategy might be insufficient. A user might have access to his own articles, but not to articles created by other users. For these cases you can supply the auth method with a model class and a model instance that will be queried for the association with the user.
These checks are only executed if the matching user permission has the flag
onlyAssociated: true
. This allows administrators to bypass them, while normal
users will be stopped.
With a Model
When you have not yet found the instance of the requested resource, but want to restrict access to the controller, you can set the model for the check in the options:
@auth.decorate({
method: 'get',
item: 'list',
model: model.Article // { isAssociated: async ({ reqParams, user }) => boolean }
})
function getArticles(req) {
/* ... */
}
If the user has a permission with the right activity (api:articles:get:list
here) and a flag onlyAssociated: true
, the Authorization module will call the
method async model.isAssociated({reqParams, user}) => boolean
that you have
to implement. This method will get the path parameters and the user that is
making the request.
As the naming of the path parameters is up to the service it can be quite inconsistent for different routes, so a one-size-fits-all implementation of this variant is quite hard. The alternative is, to use the instance based checks.
With an Instance
When you already have the instance, or you do not want to rely on the path parameters you can can use the instance based association check. As with the model based association check you have to supply the instance to the authorization check:
await auth.action({
method: 'put',
item: 'item',
user: req.user,
instance: article // { isAssociated: async ({ user }) => boolean }
})
article.update(newArticle);
Similar to the model based asssociation check, if the user has a permission
with the right activity (api:articles:put:item
here) and a flag
onlyAssociated: true
, the Authorization module will call the method
async instance.isAssociated({user}) => boolean
that you have to implement.
This method will receive the user that is making the request and is expected to
return true
if the user is associated and false
otherwise.
Disable association checks
Association checks are enabled by default (disableAssociationCheck: false
). If you wish to disable it you can pass disableAssociationCheck
with a value of true
via the options and it will ignore association checks. Examples are below.
@auth.decorate({
method: 'get',
item: 'list',
disableAssociationCheck: true
})
function getArticles(req) {
/* ... */
}
await auth.action({
method: 'put',
item: 'item',
disableAssociationCheck: true
})
article.update(newArticle);
const auth = Authorization.authorize({
scope: "job",
disableAssociationCheck: true
});
Development
As this package is part of the toolkit monorepo, please refer to the top-level README to learn about hacking on this package.
Built With
- @narando/errors - Collection of semantic errors