npm package discovery and stats viewer.

© 2024 – Pkg Stats / Ryan Hefner

@potient/logos-authorization

v0.1.0-alpha.3

Published

Entity / model management system for logos

Downloads

5

Readme

Logos Authorization

This module provides the authorization object used by Logos services.

In a Logos project, authentication is performed by a central authentication service. However, each service is responsible for defining and enforcing its own authorization rules. Since communication happens over asynchronous channels, the authentication information must be passed in each request, and the authorization object constructed by the receiving service based on this information. This module does not provide any authentication logic, but it does provide the logic for taking authentication information and converting it to authorization data based on the service's authorization rules.

Authentication Information

To produce an authorization object, authentication data must be provided. This section gives an overview of the authentication data the authorization object expects in order to be constructed.

User

Basic user information must be provided with the following properties:

  • id - The id of the user
  • name - The name of the user
  • roles - Roles the user has within the active zone

Scopes

Scopes are a mechanism for limiting the access of an authentication credential. Each scope is a string. The special scope * can be used to signify all scopes.

Scopes are especially useful for granting third-party applications access to act on behalf of a user, but only to perform certain actions.

Zones

Zones are a mechanism for partitioning data in the application. Each user may be a member of multiple zones or of no zones at all. Typically, a zone is tied to an account or organization in the application. In an authorization context, exactly one zone is active.

Each zone should have the following information:

  • id - The id of the zone
  • name - The name of the zone
  • features - Features the zone has access to

Example

The following is an example authentication structure in JSON:

[source,json]
----
{
  "user": {
    "id": "0d05121f-0432-4016-86a9-5b9532af58f9",
    "name": "Anna Banana",
    "roles": ["Admin"]
  },
  "zone": {
    "id": "7cb58c1d-ed57-4b2a-aeae-33b8a28945c8",
    "name": "Acme Inc",
    "features": ["Premium"]
  },
  "scopes": ["*"]
}
----

Authorization Logic

An authorization object provides logic for controlling which actions the user can perform on which resources, and even what parts of a resource the user has access to.

Gates

A gate determines whether or not a user has access to perform an action on a resource collection at all. It throws when access is denied, so it is the first check a service should make before touching the collection.

[source,javascript]
----
try {
  authorization.gate('Cat', 'view')
  // All good
} catch (err) {
  // No access
  // err.code === 'EFORBIDDEN'
}
----

Filters

A filter describes access to a subset of a collection. It is expressed in MongoDB query syntax, so it can be combined with the caller's own query before the store is consulted.

[source,javascript]
----
const inputFilter = {/* Filter data */}
const authFilter = authorization.filter('Cat', 'view')
// appendFilter is the service's own helper that combines both filters (for example with $and)
const filter = appendFilter(inputFilter, authFilter)
// Filter can now be used in a store query
----

A filter can also be used to check if an action on an item is allowed.

[source,javascript]
----
if (authorization.isFiltered('Cat', 'modify', someCat)) {
  throw Forbidden('You do not have permission to modify this cat')
}
----

Masks

A mask describes access to individual properties of a resource. For a read operation the mask lists the properties that must be hidden from the caller.

[source,javascript]
----
const mask = authorization.mask('Cat', 'view', someCat)
for (const key of mask) {
  someCat.hide(key)
}
----

They can also be used in write operations, where any masked property present in the input is rejected.

[source,javascript]
----
const input = {/* Get input somehow */}
const mask = authorization.mask('Cat', 'modify', someCat)
for (const key of mask) {
  if (Object.prototype.hasOwnProperty.call(input, key)) {
    throw Forbidden(`You do not have permission to modify the ${key} property of this cat`)
  }
}
----

Applicator

An applicator defines property values that are set for a resource when performing certain actions.

[source,javascript]
----
const {Path} = require('@potient/logos-util')
const applicator = authorization.applicator('Cat', 'create', someCat)
for (const [key, value] of Object.entries(applicator)) {
  Path.set(someCat, key, value, true)
}
----

Authorization Definition

Authorization data is described in the https://yaml.org/[YAML] format and should be placed in your service's data directory in a file named authorize.yml.

An example authorize file might look like this:

[source,yaml]
----
refs:
  - &view
    actions:
      - view
    filter:
      accountId: $zone.id
    scopes:
      - animals:read
  - &create
    actions:
      - create
    applicator:
      accountId: $zone.id
      createdBy: $user.id
      modifiedBy: $user.id
    scopes:
      - animals:write
  - &modify
    actions:
      - modify
    filter:
      accountId: $zone.id
    applicator:
      modifiedBy: $user.id
    scopes:
      - animals:write
  - &delete
    actions:
      - delete
    filter:
      accountId: $zone.id
    scopes:
      - animals:write

grants:
  -
    resources: ['Cat']
    grants:
      -
        roles:
          - Owner Admin
        grants:
          - *view
          - *create
          - *modify
          - *delete
      -
        roles:
          - Member
        grants:
          -
            <<: *view
            mask:
              - secretDesire
  -
    features:
      - Premium
    grants:
      -
        resources: ['Bear']
        grants:
          -
            roles:
              - Owner Admin
            grants:
              - *view
              - *create
              - *modify
              - *delete
          -
            roles:
              - Member
            grants:
              -
                <<: *view
                mask:
                  - secretDesire
----