express-authorize
A fork of express-authorization optimized for server-side authorization with a more succinct syntax, better documentation and more robust examples. This module is an express/connect middleware module for enforcing an Apache Shiro inspired authorization system.
Installation
$ npm install express-authorize
Basic usage
var express = var app = var authorizer = // Initialize authorizer with default optionsauthorizeroptions = /* withSubject : withSubject, withPermissions : withPermissions, onDenied : onDenied */ app
Documentation
Definitions
Permission - a statement that defines access to an explicit activity, behaviour or action.
Subject - usually a website user, assigned permissions to enable access to sets of activities, behaviours, or actions.
Claim - a collection of permissions that are assigned to a subject and compiled into a regular expression. The regular expression matches any permissions that are permitted by the subject (user), or permission list under consideration.
Permission Wildcard Expressions
To practically assign sets of permissions to subjects, express-authorize supports a wildcard enabled permission statement syntax that closely follows the syntax used by Apache Shiro. A collection of permissions assigned to a subject are compiled by the system into a regular expression referred to as a claim.
- Permission statements are composed of from parts delimited by colons
:
. - Permission parts can contain lists delimited by commas
,
. - Wildcard
?
and*
can be used to match one or more characters within an expression part. - Examples:
Expression | Description |
---|---|
'system:*' |
String - has all permissions for system. Works for a single permission statement only |
[ 'system:*', 'activity:create,update,delete' ] |
Array - has all permissions for system and create/update/delete permissions for activity |
'user:john,bill,eric:retrieve,update' |
Multi-level - has retrieve and update permissions for the john, bill and eric users |
Initialization
Create a new authorizer:
var authorizer =
Options
Setting options at initialization sets the default for that authorizer. The following options are available:
- withSubject - A subject, usually a user, is expected to be represented by an object with a permissions property referring to either a single permission or an array of permissions. Defaults to req.user or req.session.user.
- withPermissions - Permissions statements are strings that can be specified in parameter lists that may include arrays of composited permissions. Ignored if non-default subject is specified.
- onDenied - Callback function for when permission is denied. Defaults to setting the res.status to 403 and passing next with a 'Permission denied' error.
All of these options can be set either through chained API calls for ad hoc overriding, or on the Authorizer.options object to establish new defaults.
Setting the default subject
withSubject can be specified using an array, a function or an asynchronous function.
// Use any object that has a "permissions" parameter (array)var user = username : 'thisismyusername' permissions : 'account:view' 'payment:view' authorizeroptionswithSubject = user// OR use a function that returns a valid subjectauthorizeroptions { var user = username : 'thisismyusername' permissions : 'account:view' 'payment:view' return user}// OR use an asynchronous function that passes a valid subject to a callback functionauthorizeroptions { var user = username : 'thisismyusername' permissions : 'account:view' 'payment:view' }
Setting the default permissions
withPermissions can be specified using a string (for a single permission statement), an array, a function or an asynchronous function.
// Use a string for a single permissionauthorizeroptionswithPermissions = 'account:view'// OR use an array of permissionsauthorizeroptionswithPermissions = 'account:view' 'payment:view' // OR use a functionauthorizeroptions { return 'account:view' 'payment:view' }// OR use an asynchronous functionauthorizeroptions { }
Setting the default onDenied callback
onDenied must be an express/connect compatible middleware function
authorizeroptions { res}
Ad hoc permission queries
Options can be overridden in an ad hoc manner using a permission query. In the permission query API, a permission source is placed under consideration and compiled into a claim that is queried to confirm permitted permissions. This is beneficial when you want to change the considered subject, permissions
// Use the default optionsauthorizer// One-time override of the subject being consideredauthorizer // One-time override of the permissions being consideredauthorizer // One-time override of the onDenied functionauthorizer
Methods can be chained in combination.
From subject or permission list -> claim -> isPermitted
authorizerwithSubject | authorizerwithPermissions -> claim
The withSubject and withPermissions methods are used to generate a claim object. Note that specifying a subject source always supercedes specifying a permission source. Only one consideration source should be used at a time.
Express Middleware
express-authorize uses a fluent API to generate express middleware for enforcing permissions.
app
To generate an express middleware, you write a call chain starting with a reference to express-authorize and ending in a call to isPermitted. The call to isPermitted returns a connect/express compliant middleware function.
By default, express-authorize sources permissions from the session through references to session.user.permissions or session.permissions. To consider alternative permission sources, withSubject or withPermissions are used.
app
Defaults
By default, express-authroize sources permissions using the following function:
{ if requser && requserpermissions return requserpermissions if reqsession && reqsessionuser && reqsessionuserpermissions return reqsessionuserpermissions if reqpermissions return reqpermissions return }
The default onDenied function sets res.status(403)
and passes an error to next.
{ resstatus403 }
Initialize another authorizer object
When calling require('express-authorize')
a new Authorizer instance is returned. In order to initialize a second instance do the following:
var anotherAuthorizer = /* options */
License
MIT License
Copyright (c) 2013 Support.com, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.