npm i -S rest-access
rest-access
can be used to restrict access to resources. it can be used as a standalone solution or as a express/connect middleware.
const express = require('express')
const app = express()
const jwt = require('express-jwt')
const access = require('rest-access')
access([
['*', '/api/*', 'api:rookie', true],
[['POST', 'PUT', 'DELETE'], '/api/*', 'api:write,admin:*'],
[['POST', 'PUT', 'DELETE'], '/api/secret/*', 'normal-admin'],
['GET', '/api/*', 'api:read'],
[['GET', 'POST'], '/*', '*']
])
app.use(jwt({ secret: 'shared_secret' })) // authenticate with jwt
app.use((req, res, next) => {
// map req.user.scope (added by express-jwt) to req.permission (used by rest-access)
req.permission = req.user.scope
next()
})
app.use(access.middleware()) // restrict access according to definition above
// endpoints
let hello = 'world'
app.get('/api/hello', (req, res) => res.send(hello))
app.post('/api/hello', (req, res) => {
hello = req.body
res.send(201)
})
app.get('/hello', (req, res) => res.send('welcome to the unrestricted area'))
This function lets you define the access rules all at once:
access([
[['POST', 'PUT', 'DELETE'], '/*/glint/role/*', 'manage'],
[['POST', 'PUT', 'DELETE'], '/*/glint/config/*', 'manage'],
[['GET'], '/signup/*', 'manage'],
['*', '/signin/*', 'manage'],
['*', '/account/password', 'manage'],
['*', '/account/delete', 'manage'],
['*', '/*', 'view', true],
['*', '/upload/*', 'edit'],
['GET', '/translate/*', 'edit,manage'],
['GET', '/filemanager/*', 'edit,manage'],
[['POST', 'PUT', 'DELETE'], '/filemanager/*', 'edit,manage'],
['GET', '/ajax/*', '*'],
['POST,DELETE,PUT', '/ajax/*', 'edit,insert,delete'],
['*', '/admin/*', 'manage'],
[['GET', 'POST'], '/*', '*']
])
Use This method if you want to define a single access rules a specific place. examples:
access(['GET', 'POST'], '/*/glint/role/* ', 'admin:*')
access('POST', '/*/glint/*', 'edit:glint')
The fourth argument is optional. If the fourth argument is "truthy" (boolean:true or string), it means that this role is blocked (instead of allowed) for the given methods and path.
Therefore in the following example, the Role read:glint
is blocked to POST
the given path.
access('POST', '/*/glint/*', 'read:glint', true)
access.isBlocked
this function can be used to check if the access to the required endpoint is blocked.
isBlocked(method, path, permission)
Given this definition:
access([
['GET', '/api/*', 'api:*'],
['GET,POST,PUT,DELETE', '/api/*', 'api:write'],
])
The following result is expected:
access.isBlocked('GET', '/api/hello', 'api:read') // -> returns `false`
access.isBlocked('POST', '/api/message', 'api:write') // -> returns `false`
access.isBlocked('PUT', '/api/message/today', 'api:read') // -> returns `'access not permitted'`
access.midleware middleware function
example usage: looks for user permission under req.permission
app.use(access.middleware({ permissionProperty: 'permission' }))
access.restrict restrict single route
example usage: looks for user permission under req.permission
app.get('/my/home', access.restrict('api:*'), (req, res) => res.send('restricted api access'))
access.getRules use this function to return a copy of the existing rules.
example:
restAccess.getRules().forEach(rule => console.log(rule.join(' ')));
access.middleware()
adds req.userCan
function to the express/connect Request Object.
Example call: req.userCan('admin:*')
run unittests
npm test
run integrationtests
npm test:integration
MIT
extracted from: https://github.com/glintcms/glintcms-starter-glintcms/blob/master/local_modules/page-auth-access/access.js