npm
Sign UpSign In

abilityjs

1.0.1 • Public • Published

Ability-js

A simple route-based ACL component for express.js. This won't handle actual authentication, you can use everyauth for that.

Installing

npm install ability

With everyauth:

This assumes you have, in your everyauth setup, a field called "role" (customizable, see below). For example, if you're using facebook:

everyauth.facebook.extractExtraRegistrationParams( function (req) {
  return {
    role: "some default role"
  }
});

Obviously this doesn't make much sense without persistence, so you can change the roles, but you can achieve that with mongoose-auth or a custom solution.

If you have everyauth working in an expressjs app, all you have to do to your app.js is add the following

abilities = {
  editor: {
    index: ['read'],
    protected: ['read']
  },
  default: {
    index: ['read'],
  }
}
var ability = require('ability');
ability.add(abilities);

This is route-based, and assumes you're going to have 2 routes, app.get /protected and app.get /. Note: You must specify a 'default'.

Then, in the route:

app.get('/protected', function(req, res) {
  authorize();
  res.render('protected');
});

This will check to see if the user is authorized based on the setup above. According to the above setup, an un-authenticated user would not be authorized for this route.

Optionally, you can specify the action and route:

app.get('/protected', function(req, res) {
  authorize('read', 'index');
  res.render('protected');
});

Even further, you can specify the role you want to check

app.get('/protected', function(req, res) {
  authorize('read', 'index', 'default');
  res.render('protected');
});

Now you could use authorizeHandler as a middleware with your express application:

app.get('/protected', authorizeHandler, function(req, res) {
  res.render('protected');
});

This will check from the req if you have a valid user entity, check the property you had configured in ability as the role property name and it will validate if it's authorize to see the resource.

Route translations:

On the routes, you may specify one of 4 options, 'read', 'write', 'delete', or 'all'.

  1. Read -> Get
  2. Write -> Put/post
  3. Delete -> Delete
  4. All -> Read/Write/Delete

Options

ability = require('ability');
ability.configure({
	redirect: true,
	role_name: role,
	redirect_to: '/',
	redirect_message: 'Unauthorized'
})

  • redirect, whether or not to redirect to the user if they're not authorized. By default, it will redirect a user to the home page if they're not authorized, without a flash.

  • redirect_to, where to redirect the user if authentication fails

  • redirect_message, if you're using req.flash, it will put the messages in there

  • role_name, the name of the everyauth field for your role (everyauth only)

Todo:

  • Add logger functions
  • Add options to map the container object for user model

NOTE: I just take the old source and make some changes to used in my project with express v4, I'm plannig to add more feautures on the route, but for now I'm happy to be available to use this simple and awesome library. Hope you find this usefull.

Readme

Keywords

Package Sidebar

Install

npm i abilityjs

Repository

github.com/damianfabian/abilityjs

Homepage

github.com/damianfabian/abilityjs#readme

Weekly Downloads

1

Version

1.0.1

License

ISC

Last publish

Collaborators

  • damianfabian
Try on RunKit
Report malware