express-access-guard

Access control module for express.

Usage

const Express = require('express')
const { Unauthorized } = require('httperrors')

const app = Express()

// auth user
app.use((req, res, next) => {
  req.user = {
    permissions: [ 'photo' ]
  }
})

const Guard = require('express-access-guard')
Guard.Error = Unauthorized // error that throws (to next callback) if user has invalid permissions, default Error

const guard = Guard({
  userProperty: 'user', // property thats contains user object, default "user"
  permissionsProperty: 'permissions', // property in user object that contains permissions list, default 'permissions'
})

app.get(
  '/photos',
  // user must have one permission "photo" or "admin" to see photos
  guard.some([ 'photo', 'admin' ]),
  (req, res) => {
    // do your stuff
  }
)

app.delete(
  '/photos',
  // user must have all permission "photo" and "admin" to delete photos
  guard.every([ 'photo', 'admin' ]),
  (req, res) => {
    // do your stuff
  }
)