UNPKG

access-manager

Version:

A one-stop solution for implementing authenticated and anonymous continuous sessions with user handling and whitelisted acl.

github.com/WeeHorse/access-manager

WeeHorse/access-manager

232 lines (173 loc) 6.76 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# access-manager © WeeHorse 2018, MIT license ## Authentication, Sessions and ACL Access Manager is a one-stop solution for implementing authenticated and anonymous sessions with user handling and whitelisted ACL. Keeps the same session regardless of authenticated state. Attaches itself to an express app as a middleware. ## Install ```sh $ npm install access-manager ``` ### Install ACL data If you want some example data or wish to import your ACL from file, use the --import-acl switch when you start your app with access manager (for the first time). Note that your app will shut down once the import is done. Use example data: (see below) ```sh $ node app --import-acl ``` Or provide your own file: ```sh $ node app --import-acl=file.json ``` The ACL data installs into the acl collection. _Obviously you're free to populate the acl collection anyway you see fit._ #### The example ACL data: ```javascript [ {"path":"/rest/admin*", "roles":[ {"role": "admin", "methods": ["ALL"]}, {"role": "super", "methods": ["ALL"]} ]}, {"path":"/rest/login", "roles":[ {"role": "anonymous", "methods": ["POST"]} ]}, {"path":"/rest/logout", "roles":[ {"role": "user", "methods": ["GET","POST"]} ]}, {"path":"/rest/news*", "roles":[ {"role": "*", "methods": ["GET"]} ]}, {"path":"/rest/messages*", "roles":[ {"role": "user", "methods": ["GET","POST","DELETE"]} ]}, {"path":"/rest/user", "roles":[ {"role": "user", "methods": ["GET"]} ]}, {"path":"/rest/register", "roles":[ {"role": "anonymous", "methods": ["POST"]}, {"role": "super", "methods": ["POST"]} ]} ] ``` __It works like this:__ Only the paths detailed above are valid paths together with the correct user role and method, all other paths will be blocked with 403 Forbidden. _You may end any path with a wildcard *, letting traffic through on all subpaths._ ## Examples of access-manager usage: ### Typical init with basic dependencies ```javascript const express = require('express'); const app = express(); const bodyParser = require('body-parser'); const bcrypt = require('bcrypt'); const saltRounds = 10; const mongoose = require('mongoose'); mongoose.connect('mongodb://localhost/some_database'); // IMPORTANT - if you don't want to block frontend files with access-manager, serve them before access-manager: app.use(express.static('../client/')); const AccessManager = require('access-manager'); const accessManager = new AccessManager({ mongoose: mongoose, // mongoose (connected) expressApp: app // an express app }); ``` ### Configuration You can optionally add your own schemas (Schema Objects) for users, sessions and acl, at the properties: userSchema, sessionSchema, aclSchema Some properties in the schemas are required by the access-manager. Those details can be found at the bottom of this document. You will propably want to supply your own userSchema, an example of doing that: ```javascript const accessManager = new AccessManager({ mongoose: mongoose, expressApp: app, userSchema: { firstName: {type: String, required:true}, lastName: {type: String, required:true}, email: {type: String, required:true, unique:true}, // required access manager property password: {type: String, required:true}, // required access manager property roles: [String] // required access manager property } ``` __The models access manager uses are then avaliable from access manager:__ ```javascript const User = accessManager.models.user; ``` __Now access manager will do its work seamlessly in the background, but we need a user, so here's a registration route:__ _The example ACL will only allow anonymous users and super users create accounts_ ```javascript app.post('/rest/register', async (req, res)=>{ // encrypt password req.body.password = await bcrypt.hash(req.body.password, saltRounds); // create user let user = await new User(req.body); await user.save(); res.json({msg:'Registered'}); }); ``` __And login:__ _The example ACL will prevent this route if you are already logged in_ ```javascript app.post('/rest/login', async (req, res)=>{ // find user let user = await User.findOne({email: req.body.email}); // passwords match? if(user && await bcrypt.compare(req.body.password, user.password)){ req.session.user = user._id; req.session.loggedIn = true; await req.session.save(); // save the state res.json({msg:'Logged in'}); }else{ res.json({msg:'Failed login'}); } }); ``` __To logout:__ _The example ACL will prevent this route if you are already logged out_ ```javascript app.all('/rest/logout', async (req, res)=>{ req.user = {}; // we clear the user req.session.loggedIn = false; // but we retain the session with a logged out state, since this is better for tracking, pratical and security reasons await req.session.save(); // save the state res.json({msg:'Logged out'}); }); ``` __A restricted example route:__ _The example ACL will only allow this route on logged in users_ ```javascript app.get('/rest/messages', async (req, res)=>{ res.json({msg:'Here are your messages'}); }); ``` __The current user route:__ _The example ACL will only allow this route on logged in users_ ```javascript app.get('/rest/user', (req, res)=>{ // check if there is a logged-in user and return that user let response; if(req.user._id){ response = req.user; // reply with the user object response.password = '******'; // but do not send the password back }else{ response = {message: 'Not logged in'}; } res.json(response); }); ``` __Wildcard route (that takes any method) so we can test that the ACL blocks anything not allowed):__ ```javascript app.all('*', (req, res)=>{ res.json({params: req.params, body: req.body}); // just echo whatever we send }); ``` __Don't forget...__ ```javascript app.listen(3000,()=>{ console.log("Remember Mystery science theatre 3000!"); }); ``` ## Access manager schemas requirements The schemas used in access manager must contain the properties detailed below. If you don't supply your own schemas these are the defaults: _The mininum required userSchema:_ ```javascript { email: {type: String, required:true, unique:true}, password: {type: String, required:true}, roles: [String] } ``` _The mininum required sessionSchema:_ ```javascript { loggedIn: {type:Boolean, default:false}, user: { type: this.mongoose.Schema.Types.ObjectId, ref: 'User' } } ``` _The mininum required aclSchema:_ ```javascript { path: {type: String, unique: true}, roles: [ new this.mongoose.Schema({ role: String, methods: [{type: String, enum: ['GET', 'POST', 'PUT', 'DELETE', 'ALL', '*']}] }) ] } ```