expacl

Express Access Control List middleware

Express based Access Control List middleware
============================================

Express Access Control List (expacl) enables you to manage access to the resources served by your Express server and to protect routes from unauthenticated/unauthorized access. ACLs define which user roles are granted access to a specified resource. Expacl checks the corresponding access policy against the user's request to verify whether the user is authenticated and/or has the necessary access privileges.

Installation
------------

Using npm:

```bash
npm install expacl
```

Using yarn:

```bash
yarn add expacl
```

Options
-------

*Required:*

```typescript
routes: ACLRoute[], /* An array with Access Control List routes */
```

*Optional:*

```typescript
resource: (req: Request) => string,
/* The resource that access is being checked for. Defaults to req.url */

roles: (req: Request) => string[] | undefined,
/* Returns an array of strings that define the user's roles. Defaults to req.user.roles */

authenticated: (req: Request) => boolean,
/* Returns true if the user is authenticated. Defaults to !!req.user */

missingRoute: Action,
/* The action expacl performs if the requested route is not defined in the routes array. Defaults to deny */

defaultAction: Action,
/* The action expacl performs if the requested route is found but no action is defined for it. Defaults to allow */

onNotAuthenticated: (req: Request, res: Response, next: NextFunction) => any,
/* Invoked when the requested route is denied and the user is not authenticated.
   Defaults to res.status(401).send("401 Not authenticated"); */

onNotAuthorized: (req: Request, res: Response, next: NextFunction) => any,
/* Invoked when the requested route is denied and the user is authenticated but lacks the required role.
   Defaults to res.status(403).send("403 Not authorized"); */
```

Examples
--------

```javascript
import express from 'express';
import middleware from 'expacl';

const app = express();

const opts = {
  routes: [
    {
      path: '/',
      subroutes: [
        /* /page1 is accessible by all users via GET */
        { path: '/page1', methods: 'GET', roles: '*' },
        /* /page1/submit is accessible by users with the 'authenticated' role via POST */
        { path: '/page1/submit', methods: 'POST', roles: 'authenticated' },
        /* the same rights as above, but declared as a nested structure */
        {
          path: '/page2',
          roles: '*',
          subroutes: [
            { path: '/submit', methods: 'POST', roles: 'authenticated' },
          ],
        },
        {
          path: '/api/v1',
          transient: true, /* /api/v1 is marked as transient: it is not a valid resource by itself */
          subroutes: [
            {
              path: '/resource',
              methods: 'GET',
              roles: ['*'], /* /api/v1/resource is accessible by all users via GET */
              subroutes: [
                {
                  path: /^[a-f\d]{24}$/i, /* a path can also be given as a regular expression */
                  methods: 'GET',
                  roles: ['*'], /* /api/v1/resource/<24 hex chars> is accessible by all users via GET */
                },
                {
                  path: /^[a-f\d]{24}$/i,
                  methods: ['POST', 'DELETE'],
                  roles: 'admin', /* /api/v1/resource/<24 hex chars> is accessible only by a user with the admin role via POST or DELETE */
                },
              ],
            },
          ],
        },
      ],
    },
  ],
};

app.use(middleware(opts));
```
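The decision rules described in the Options and Examples sections above, as an added, stand-alone example that is not expacl's own code: a pure `decide()` function re-implements the documented semantics (nested routes, regular-expression path segments, `transient`, `missingRoute`, `defaultAction`, and the 401-versus-403 split) so the policy table from the README can be exercised without running a server. The matching rules are this example's assumptions, not documented expacl behaviour: route paths are joined segment by segment, a `RegExp` path matches exactly one URL segment, an unset `methods` means any method, and the pseudo-roles `'*'` and `'authenticated'` mean "anyone" and "any authenticated user". The route table is the README's, and the requests are constructed. The last two checks show the caveat a reviewer should look for: a listed route with no `roles` (here `/` itself) is open to everyone under the default `defaultAction: 'allow'`, and `missingRoute: 'allow'` turns an unlisted path into an open one.

```javascript
// Added example: stand-alone re-implementation of the README's decision rules.
// Assumptions (not expacl's documented behaviour): segment-wise path joining,
// one URL segment per RegExp path, unset `methods` = any method, pseudo-roles
// '*' (anyone) and 'authenticated' (any authenticated user).

const toArray = (v) => (Array.isArray(v) ? v : [v]);
const toSegments = (p) => (p instanceof RegExp ? [p] : p.split('/').filter(Boolean));

// Flatten the nested route tree into { segments, methods, roles } entries.
// Transient nodes only contribute a path prefix; they are not resources.
function flatten(routes, prefix = []) {
  const out = [];
  for (const r of routes) {
    const segments = prefix.concat(toSegments(r.path));
    if (!r.transient) out.push({ segments, methods: r.methods, roles: r.roles });
    if (r.subroutes) out.push(...flatten(r.subroutes, segments));
  }
  return out;
}

// An entry matches when every segment agrees (RegExp segments are tested
// against one URL segment) and the HTTP method is covered.
function matches(entry, urlSegments, method) {
  return (
    entry.segments.length === urlSegments.length &&
    entry.segments.every((s, i) => (s instanceof RegExp ? s.test(urlSegments[i]) : s === urlSegments[i])) &&
    (entry.methods === undefined || toArray(entry.methods).includes(method))
  );
}

// Pure policy decision: { action, status, reason }. Denials map to 401 when the
// requester is unauthenticated and 403 when authenticated but not authorized.
function decide(req, opts) {
  const {
    routes,
    missingRoute = 'deny',
    defaultAction = 'allow',
    resource = (r) => r.url,
    roles = (r) => (r.user ? r.user.roles : undefined),
    authenticated = (r) => !!r.user,
  } = opts;
  const isAuth = authenticated(req);
  const allow = (reason) => ({ action: 'allow', status: 200, reason });
  const deny = (reason) => ({ action: 'deny', status: isAuth ? 403 : 401, reason });

  const url = resource(req).split('?')[0]; // ignore the query string
  const entry = flatten(routes).find((e) => matches(e, toSegments(url), req.method));
  if (!entry) return missingRoute === 'allow' ? allow('missingRoute=allow') : deny('no matching route');
  if (entry.roles === undefined) return defaultAction === 'allow' ? allow('defaultAction=allow') : deny('route has no roles');

  const userRoles = roles(req) || [];
  const ok = toArray(entry.roles).some(
    (r) => r === '*' || (r === 'authenticated' && isAuth) || userRoles.includes(r)
  );
  return ok ? allow('role granted') : deny('role not granted');
}

// Convenience wrapper over a constructed request object; returns the status.
function check(opts, method, url, user) {
  return decide({ method, url, user }, opts).status;
}

// The README's route table (constructed copy used as test input).
const readmeRoutes = [
  {
    path: '/',
    subroutes: [
      { path: '/page1', methods: 'GET', roles: '*' },
      { path: '/page1/submit', methods: 'POST', roles: 'authenticated' },
      { path: '/page2', roles: '*', subroutes: [{ path: '/submit', methods: 'POST', roles: 'authenticated' }] },
      {
        path: '/api/v1',
        transient: true,
        subroutes: [
          {
            path: '/resource',
            methods: 'GET',
            roles: ['*'],
            subroutes: [
              { path: /^[a-f\d]{24}$/i, methods: 'GET', roles: ['*'] },
              { path: /^[a-f\d]{24}$/i, methods: ['POST', 'DELETE'], roles: 'admin' },
            ],
          },
        ],
      },
    ],
  },
];

const id = '5f1a2b3c4d5e6f7a8b9c0d1e'; // constructed 24-hex-char identifier
console.log(check({ routes: readmeRoutes }, 'GET', '/page1'));                                 // 200
console.log(check({ routes: readmeRoutes }, 'POST', '/page1/submit'));                         // 401
console.log(check({ routes: readmeRoutes }, 'DELETE', `/api/v1/resource/${id}`, { roles: ['user'] }));  // 403
console.log(check({ routes: readmeRoutes }, 'DELETE', `/api/v1/resource/${id}`, { roles: ['admin'] })); // 200
console.log(check({ routes: readmeRoutes }, 'GET', '/api/v1', { roles: ['admin'] }));          // 403 (transient)
console.log(check({ routes: readmeRoutes }, 'GET', '/'));                                      // 200 (defaultAction caveat)
console.log(check({ routes: readmeRoutes, defaultAction: 'deny' }, 'GET', '/'));              // 401
```

The two `'/'` checks are the review point: `'/'` is a listed resource with no `roles`, so under the documented default it is granted to anyone, and only `defaultAction: 'deny'` closes it. When auditing an expacl configuration, every route object without a `roles` field deserves the same question, and `missingRoute` should stay at its `deny` default.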