mustbe

Authorization plumbing for Node+Express apps

## Authorizing Express Routes

Once you have MustBe configured, you can use it to authorize Express routes. Doing this allows you to determine who can take what actions in your application, based on the activities configured within your system. Please see the [configuration documentation](./configure.md) for information on configuring the activities and the user.

Start by requiring `mustbe` and grabbing the `routeHelpers()` from this module.

### Require Authentication For A Route

You can require that a user be authenticated - that is, logged in - using the `authenticated` method.

```js
var mustBe = require("mustbe").routeHelpers();
var express = require("express");

var router = express.Router();

// Only an authenticated user reaches viewProfile; anyone else is handled
// by the failure handler set up in the routeHelpers configuration.
router.get("/profile", mustBe.authenticated(), viewProfile);

function viewProfile(req, res, next){
  res.render("/profile/view");
}
```

Note that MustBe does not provide authentication itself. The means by which you establish that someone is authenticated is entirely up to you. MustBe does, however, let you check authentication, through [the `isAuthenticated` configuration method](./configure.md).

### Require Authorization For An Activity

The most basic authorization of an activity is done with the `mustBe.authorized` method. This method assumes there is a user who needs to be authorized.

```js
var mustBe = require("mustbe").routeHelpers();
var express = require("express");

var router = express.Router();

// The "view thing" activity must be granted before view is called.
router.get("/:id", mustBe.authorized("view thing"), view);

function view(req, res, next){
  res.render("/something");
}
```

In this example, the "view thing" activity is required to view the thing in question. The first parameter of the `authorized` call is the activity name. The value it returns is used as Express middleware, so the route handler (`view` here) is passed to Express as usual and is only called if the user is authorized. The route handler receives all of the standard Express route handler parameters.
### Custom Failure Handler

The default handling of failed authorization and authentication checks is set up through [the `routeHelpers` configuration methods](./configure.md). However, there will be times when you need a specific view or other action to be taken when an authorization or authentication check fails. To handle this situation, you may provide an additional parameter to the `authenticated` and `authorized` methods of the routeHelpers. This extra parameter is a route handler callback function, accepting all of the standard parameters of an Express route handler.

```js
var mustBe = require("mustbe").routeHelpers();
var express = require("express");

var router = express.Router();

// cannotView is called instead of the default failure handler when the
// "view thing" check fails; view is only called when it passes.
router.get("/:id", mustBe.authorized("view thing", cannotView), view);

function view(req, res, next){
  res.render("/something");
}

function cannotView(req, res, next){
  res.render("/cannot-view");
}
```

In this example, an authorization check that passes will call the `view` route handler and render the "something" view. If the authorization check fails, the `cannotView` handler will be called and will render the "cannot-view" view. Because the failure handler runs in the middleware position, it must end the response (render, redirect, or send) and must not call `next()`; calling `next()` from a failure handler would let Express continue to `view` for a user who was just denied.

The same extra parameter also applies to the `authenticated` method of the routeHelpers.
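The following is an added example, not part of this page or of mustbe's own source, that shows the behaviour described in the three sections above (authentication, activity authorization, and a custom failure handler) in a form that runs without Express or mustbe installed. The `activities` table, `checkActivity`, `runStack`, `request`, and the fake `req`/`res` objects are assumptions made for illustration; they stand in for mustbe's configuration and for Express's middleware chain, and are not the library's API.

```javascript
// Added example: a stand-in for the route-helper pattern described on this
// page. It is NOT mustbe's implementation; all names below are assumptions.

// Constructed activity table: activity name -> rule over (user, req).
// An activity that is not in the table is denied (fail closed), so a
// misspelled activity name on a route cannot silently grant access.
const activities = {
  "view thing": (user, req) => user.roles.includes("admin") || user.id === req.params.id,
  "edit thing": (user, req) => user.id === req.params.id,
};

function isAuthenticated(req) {
  // Authentication is delegated to the app (e.g. a session layer sets
  // req.user); here a user object is the only signal of a logged-in session.
  return Boolean(req.user);
}

function checkActivity(activity, user, req) {
  const rule = activities[activity];
  if (typeof rule !== "function") return false; // unknown activity: deny
  try {
    return rule(user, req) === true;             // only a strict true grants
  } catch (e) {
    return false;                                // a throwing rule denies
  }
}

// Default failure handlers end the response and never call next().
function defaultNotAuthenticated(req, res, next) {
  res.status(401).send("login required");
}
function defaultNotAuthorized(req, res, next) {
  res.status(403).send("forbidden");
}

// Stand-in for routeHelpers(): each method returns (req, res, next) middleware,
// with an optional failure handler as the extra parameter.
const mustBe = {
  authenticated(onFail = defaultNotAuthenticated) {
    return function (req, res, next) {
      if (isAuthenticated(req)) return next();
      onFail(req, res, next);
    };
  },
  authorized(activity, onFail = defaultNotAuthorized) {
    return function (req, res, next) {
      if (!isAuthenticated(req)) return defaultNotAuthenticated(req, res, next);
      if (checkActivity(activity, req.user, req)) return next();
      onFail(req, res, next);
    };
  },
};

// Minimal Express-like stack runner so the routes can be exercised offline.
// A handler that sends a response without calling next() stops the chain.
function runStack(handlers, req) {
  const res = {
    statusCode: 200, body: undefined, ended: false,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; this.ended = true; return this; },
  };
  let i = 0;
  function next() {
    if (res.ended || i >= handlers.length) return;
    handlers[i++](req, res, next);
  }
  next();
  return res;
}

// Routes mirroring the page's examples (send() stands in for render()).
function viewProfile(req, res) { res.send("profile"); }
function view(req, res) { res.send("thing " + req.params.id); }
function cannotView(req, res) { res.status(403).send("cannot-view"); }

const profileRoute = [mustBe.authenticated(), viewProfile];
const thingRoute   = [mustBe.authorized("view thing", cannotView), view];
const typoRoute    = [mustBe.authorized("veiw thing"), view]; // misspelled on purpose

// Drive a route with a constructed request: user may be undefined (anonymous).
function request(route, user, params = {}) {
  return runStack(route, { user, params });
}

// Usage: request(thingRoute, { id: "7", roles: [] }, { id: "9" }) yields a
// 403 "cannot-view" response from the custom failure handler.
```

The `typoRoute` case is the one worth keeping in mind: with a fail-closed activity lookup, a misspelled activity name produces a 403 for everyone, including admins, which surfaces the mistake in testing rather than quietly granting access.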