

authorizedjs - simple authorization tool for node applications


It's very easy to use the tool with CoffeeScript.


Set up permits.

Auth = require 'authorizedjs'
class MyTestPermits extends Auth.Permits
    adminOnlyAction: (resource) ->
        @user.role is "admin"
    everyUserAction: (resource) ->
        @user.role is "user"
    resourceBasedAction: (resource) -> is
    validForEverybody: (resource) ->
    secret: (resource) ->
Now in your route/controller you can check for authorization:
1. Set up authorization:

auth = new Auth.Authorization({MyTest: MyTestPermits})

This is where you map your resources to permits. In this example, `MyTest` is the name of your resource and `MyTestPermits` is the object where the permits for its actions are defined.
2. Check whether a user can perform an action (assuming that `currentUser` is the user you are going to check):
a) You can catch the `error` or `success` events emitted by auth:

auth.on 'error', (error) ->
    # user is not authorized and should be redirected to some other action
    #
    # there are 3 types of error
    # MissingPermits - Permits are missing, you should include them
    # MissingPermit - Permit cannot be found, maybe typo?
    # UnauthorizedAccess - user is not authorized

auth.on 'success', (data) ->
    # user is authorized
    # you can proceed with your action here

Then perform the check:

auth.check currentUser, 'MyTest', 'someAction'

b) you can also pass `success` and `error` functions to auth.check

auth.check currentUser, 'MyTest', 'someAction', (data) ->
    # user is authorized
, (error) ->
    # user is not authorized
    # error messages are the same as described above

c) Last but not least, you can simply check whether the user is able to perform the action. Please note that we are using the `test` method!

if auth.test currentUser, 'MyTest', 'adminOnlyAction'
    # we're ok to go!
else
    # rights are not sufficient to see that resource!

3. It's also possible to use a class as the resource (Mongoose objects are also supported):

class MyTest
    constructor: ->

if auth.test currentUser, MyTest, 'adminOnlyAction'
    # we're ok to go!
else
    # rights are not sufficient to see that resource!

It works with auth.check as well.
You need to ensure that this resource returns its name with ``. In our case it should be:



4. When a user can manage only his/her own resource, it's better to use the resource object:

class MyTest
    constructor: (@user) ->

myTestObject = new MyTest(someUser)

if auth.test currentUser, myTestObject, 'resourceBasedAction'
    # we're ok to go!
else
    # rights are not sufficient

It works with auth.check as well.
It's very important that the resource returns its name with ``! In our case it should be:
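
Added example, separate from the README text above and not authorizedjs's own code: a self-contained JavaScript model of the permit lookup in steps 1 to 4, showing the three error names and why a permit that returns nothing must count as a denial. The `check` and `resourceName` functions, the ownership comparison in `resourceBasedAction`, the strict `=== true` test and the sample users are all assumptions made for illustration.

```javascript
// Stand-in model of the permit pattern; not authorizedjs internals.
class Permits {
  constructor(user) { this.user = user; }
}

class MyTestPermits extends Permits {
  adminOnlyAction() { return this.user.role === 'admin'; }
  // Assumed ownership rule: the resource carries the user who owns it.
  resourceBasedAction(resource) { return resource.user === this.user; }
  // An empty body returns undefined, which must be treated as "deny".
  secret() {}
}

// Hypothetical helper: a resource may be a name, a class, or an instance.
function resourceName(resource) {
  if (typeof resource === 'string') return resource;
  if (typeof resource === 'function') return resource.name;
  return resource.constructor.name;
}

// Returns { ok, error } using the three error names listed in the README.
function check(mapping, user, resource, action) {
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const name = resourceName(resource);
  // Unknown resource: fail closed instead of falling back to a default.
  if (!has(mapping, name)) return { ok: false, error: 'MissingPermits' };
  const PermitsClass = mapping[name];
  // Only methods declared on the permits class count as permits, so a typo
  // or an inherited name such as "toString" never grants access.
  const declared = action !== 'constructor' && has(PermitsClass.prototype, action);
  if (!declared || typeof PermitsClass.prototype[action] !== 'function') {
    return { ok: false, error: 'MissingPermit' };
  }
  const result = PermitsClass.prototype[action].call(new PermitsClass(user), resource);
  // Anything other than an explicit true (undefined, null, 0, "") is a denial.
  return result === true
    ? { ok: true, error: null }
    : { ok: false, error: 'UnauthorizedAccess' };
}

class MyTest { constructor(user) { this.user = user; } }

// Constructed sample data.
const admin = { role: 'admin' };
const alice = { role: 'user' };
const bob = { role: 'user' };
const mapping = { MyTest: MyTestPermits };
```

Calling `check(mapping, bob, new MyTest(alice), 'resourceBasedAction')` yields `UnauthorizedAccess`, while a misspelled action name yields `MissingPermit` rather than silently passing.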