authorizedjs

A tool for authorization based on permits

## authorizedjs - simple authorization tool for node applications

## Usage

It's very easy to use the tool with CoffeeScript.

### Permits

Set up permits.

```
Auth = require 'authorizedjs'

class MyTestPermits extends Auth.Permits
  adminOnlyAction: (resource) ->
    @user.role is "admin"

  everyUserAction: (resource) ->
    @user.role is "user"

  resourceBasedAction: (resource) ->
    resource.user.id is @user.id

  validForEverybody: (resource) ->
    true

  secret: (resource) ->
    false
```

Now, in your route/controller, you can check for authorization:

1. Set up authorization:

```
auth = new Auth.Authorization({MyTest: MyTestPermits})
```

This is where you map your resources to permits. In this example `MyTest` is the name of your resource and `MyTestPermits` is the object where the permits for its actions are defined.

2. Check whether a user can perform an action (assuming that `currentUser` is the user you are going to check):

a) You can catch the `error` or `success` events emitted by auth:

```
auth.on 'error', (error) ->
  # user is not authorized and should be redirected to some other action
  #
  # there are 3 types of `error`
  # MissingPermits - Permits are missing, you should include them
  # MissingPermit - Permit cannot be found, maybe typo?
  # UnauthorizedAccess - user is not authorized

auth.on 'success', (data) ->
  # user is authorized
  # you can proceed with your action here

# perform checking
auth.check currentUser, 'MyTest', 'someAction'
```

b) You can also pass `success` and `error` functions to `auth.check`:

```
auth.check currentUser, 'MyTest', 'someAction', (data) ->
  # user is authorized
, (error) ->
  # user is not authorized
  # error messages are the same as described above
```

c) Last but not least, you can simply check whether the user is able to perform the action. Note that this uses the `test` method!

```
if auth.test currentUser, 'MyTest', 'adminOnlyAction'
  # we're ok to go!
else
  # rights are not sufficient to see that resource!
```

3. It's also possible to use a class as the resource (Mongoose objects are also supported):

```
class MyTest
  constructor: ->

if auth.test currentUser, MyTest, 'adminOnlyAction'
  # we're ok to go!
else
  # rights are not sufficient to see that resource!
```

It works with `auth.check` as well. You need to ensure that this resource returns its name with `resource.name`. In our case it should be:

```
console.log MyTest.name
>> 'MyTest'
```

4. When a user can manage only his/her own resource, it's better to use the resource object:

```
class MyTest
  constructor: (@user) ->

myTestObject = new MyTest(someUser)

if auth.test currentUser, myTestObject, 'resourceBasedAction'
  # we're ok to go!
else
  # rights are not sufficient
```

It works with `auth.check` as well. It's very important that the resource returns its name with `resource.constructor.name`! In our case it should be:

```
console.log myTestObject.constructor.name
>> MyTest
```
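
The ownership permit from step 4 (`resource.user.id is @user.id`) is a strict `===` comparison once compiled, so it returns true when both ids are undefined, returns false for two equal ObjectId-like objects, and throws when the resource has no `user`. The following is an added example, not code from authorizedjs; it runs stand-alone in plain JavaScript without loading the library, and `ownerPermit`, `sameId` and `FakeId` are hypothetical names, with `FakeId` a constructed stand-in for an id type that exposes `equals()` as Mongoose ObjectIds do.

```javascript
'use strict';
// Added example: stand-alone, does not load authorizedjs.

// README permit, transliterated (CoffeeScript `is` compiles to `===`).
function naiveOwnerPermit(user, resource) {
  return resource.user.id === user.id;
}

// Compare ids by value; anything missing or of an unknown shape is a mismatch.
function sameId(a, b) {
  if (a === undefined || a === null || b === undefined || b === null) return false;
  if (typeof a === 'object') return typeof a.equals === 'function' && a.equals(b) === true;
  return typeof a === typeof b && a === b;
}

// Hypothetical hardened permit: fails closed instead of throwing or matching.
function ownerPermit(user, resource) {
  const owner = resource && resource.user;
  return Boolean(user && owner) && sameId(owner.id, user.id);
}

// Constructed stand-in for an ObjectId-like value that exposes equals().
class FakeId {
  constructor(hex) { this.hex = hex; }
  equals(other) { return other instanceof FakeId && other.hex === this.hex; }
}

// Run a permit and report a thrown error by name instead of crashing.
function run(permit, user, resource) {
  try { return permit(user, resource); } catch (e) { return e.name; }
}

// Constructed inputs: [label, user, resource]
const CASES = [
  ['bothMissing', {}, { user: {} }],
  ['objectIds', { id: new FakeId('aa01') }, { user: { id: new FakeId('aa01') } }],
  ['noOwner', { id: 7 }, {}],
  ['match', { id: 7 }, { user: { id: 7 } }],
  ['mismatch', { id: 7 }, { user: { id: 8 } }],
];

// Evaluate both permits over every case and return the results by label.
function compare() {
  const out = {};
  for (const [label, user, resource] of CASES) {
    out[label] = { naive: run(naiveOwnerPermit, user, resource), hardened: run(ownerPermit, user, resource) };
  }
  return out;
}

console.table(compare());
```

The same logic can be placed in the body of `resourceBasedAction`, with `@user` in place of the `user` argument.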