context-access

Powerful access control with a dead simple API.

context-access

Powerful access control with a dead simple API. Build any access control scheme you need by allowing maps of arbitrary keys and values called contexts.

  • Simple — just two API methods.
  • Powerful — flexible enough to build any API scheme.
  • Browser support — works on the client or server.

Using npm:

npm install context-access

Using component:

component install bloodhound/context-access

The simplest example is a traditional role-based access control system using contexts:

var access = require('context-access');

// Rule 1: the /public URL is open. No role is listed, so this rule does not
// constrain the role of whoever asks.
access.allow({ url: '/public' });

// Rule 2: the /private URL is allowed only together with role 'admin'.
access.allow({ url: '/private', role: 'admin' });

// role has no definition in the /public rule, so 'guest' does not block the match.
access.assert({ url: '/public', role: 'guest' });
// => true

// The only rule covering /private lists role 'admin', so a guest is denied.
access.assert({ url: '/private', role: 'guest' });
// => false

Use contexts to match routes in Express:

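var app = require('express')();
// Same module that the install instructions and the first example use.
var access = require('context-access');

// Guests may only read the user list.
access.allow({
  role: 'guest',
  path: '/users',
  method: 'GET'
});

// Admins may read and modify it.
access.allow({
  role: 'admin',
  path: '/users',
  method: ['GET', 'PUT', 'POST', 'DELETE']
});

/**
 * Route middleware: builds a context from the request and lets it through
 * only when access.assert() accepts it; everything else gets a 403.
 *
 * Assumes a session middleware has populated req.session before this runs.
 * The role must come from that server-side session state, never from a
 * header, query string or body field the client controls.
 */
var authorize = function(req, res, next) {
  var role = req.session && req.session.role;
  var context = {
    role: role,               // e.g. admin
    path: req.path,           // e.g. /users
    method: req.method        // e.g. POST
  };
  // Fail closed: how assert() treats a missing role is not documented on this
  // page, so a request without one is denied before the rules are consulted.
  if (role && access.assert(context)) {
    return next();
  }
  res.status(403).send('You must be an admin to do this!');
};

// authorize is listed before the handler, so the handler never runs for a
// denied request.
app.post('/users', authorize, function(req, res) {
  // ...
});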

`access.allow(context)`: allow a given context when asserted.

`access.assert(context)`: assert a given context. Returns true if the context is allowed and false if it is denied.

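If there's no definition for a key in the given context, then it is ignored. In the first example, `role: 'guest'` is ignored when matching the `/public` rule, which defines only `url`. A rule therefore restricts only the keys it lists, so every attribute that must be checked has to appear in the rule.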

Nest arrays to alternate AND and OR operations when asserting.

["guest", "admin"]                guest AND admin
[["guest", "admin"]]              guest OR admin
["role1", ["role2", "role3"]]     role1 AND (role2 OR role3)
 
// Rule side: role is given as a flat array of two values.
access.allow({ resource: 'API', role: ['admin', 'manager'] });

// Asserting just one of the listed roles passes in this example.
// NOTE(review): the AND/OR table is stated for arrays "when asserting"; confirm
// how arrays inside allow() rules are combined before relying on either reading.
access.assert({ resource: 'API', role: 'admin' });
// => true

Tests are written with mocha and should, using BDD-style assertions.

Run them with npm:

npm test