@ninja-1/koa-authz
v1.0.3
Published
koa-authz is an authorization middleware for Koa
Downloads
6
Maintainers
Readme
Koa-Authz
Koa-Authz is an authorization middleware for Koa, it's based on Node-Casbin
: https://github.com/casbin/node-casbin.
Installation
npm install --save koa-authz
Simple Example
const { Enforcer } = require('casbin')
const Koa = require('koa')
const app = new Koa()
const authz = require('koa-authz')
// response
app.use(async (ctx, next) => {
const start = new Date()
await next()
console.log(new Date() - start)
})
// use authz middleware
app.use(authz({
newEnforcer: async() => {
// load the casbin model and policy from files, database is also supported.
const enforcer = await Enforcer.newEnforcer('authz_model.conf', 'authz_policy.csv')
return enforcer
}
}))
// reload routes
const router = require('koa-router')({prefix: '/user'})
router.get('/', (ctx) => {
ctx.body = {name: 'Chalin', age: 26}
})
router.put('/', (ctx) => {
ctx.body = {status: 'success'}
})
app.use(router.routes(), router.allowedMethods())
app.listen(3000)
Use a customized authorizer
This package provides BasicAuthorizer
, it uses HTTP Basic Authentication
as the authentication method.
If you want to use another authentication method like OAuth, you needs to extends BasicAuthorizer
as below:
class MyAuthorizer extends BasicAuthorizer {
// override function
getUserName () {
const { username } = this.ctx.state.user
return username
}
}
app.use(authz({
newEnforcer: async () => {
// load the casbin model and policy from files, database is also supported.
const enforcer = await Enforcer.newEnforcer('examples/authz_model.conf', 'examples/authz_policy.csv')
return enforcer
},
authorizer: (ctx, option) => new MyAuthorizer(ctx, option)
}))
How to control the access
The authorization determines a request based on {subject, object, action}
, which means what subject
can perform what action
on what object
. In this plugin, the meanings are:
subject
: the logged-on user nameobject
: the URL path for the web resource like "dataset1/item1"action
: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", "write-blog"
For how to write authorization policy and other details, please refer to the Casbin's documentation.
Getting Help
License
This project is licensed under the Apache 2.0 license.