loopback-component-sec
A loopback security component with scoped roles management and permission access control
Introduction
loopback-component-sec
using nsec enables you to add multi-tenant style access controls to a loopback application.
It enables you to restrict access to model data based on a user's roles within a specific context.
The main concept is borrowed from loopback-component-access-groups.
loopback-component-sec
provide a inheritable roles management and a row level access controller.
There are three types of access restrictions implemented in this component:
1) Role Resolvers
loopback-component-sec
attach a dynamic Role Resolver
named $sec
to the application. The Role Resolver is responsible for determining whether or not a user has the
relevant roles required to access data that belongs to a group context.
2) Query Filters
An 'access' Operation Hook is injected into each Group Content model. This is used to filter search results to ensure that only items that a user has access to (based on their scoped User Role Mappings) are returned.
3) Row Level Secure
A model (Group or Group context model) 'access' operation hook or connector 'execute' operation hook according to database
connector is injected to add additional filter based on model permissions attached with acl.allow()
.
This is used to filter search results to ensure that only items that a user has access to (based on model's permission lists) are returned.
How to Install
-
Install in you loopback project:
$ npm install --save loopback-component-sec
-
Create a component-config.json file in your server folder (if you don't already have one)
-
Configure options inside
component-config.json
. (see configuration section){ "loopback-component-sec": { "{option}": "{value}" } }
Usage
...Run one, or a combination of the following commands to lint and test your code:
$ npm run lint # Lint the source code with ESLint
$ npm test # Lint and Run unit tests with Mocha
A sample application is provided in the test directory. This demonstrates how you can integrate the component with a loopback application.
The following group roles roles are configured in the test data.
-
member
read -
manager
read, write -
admin
read, write, delete
There are a number of test user accounts in the sample application.
- generalUser
- (no group roles)
- storeAdminA
- ($group:admin of Store A)
- storeManagerA
- ($group:manager of Store A)
- storeMemberA
- ($group:member of Store A)
- storeAdminB
- ($group:admin of Store B)
- storeManagerB
- ($group:manager of Store B)
- storeMemberB
- ($group:member of Store B)
Creds
License
MIT © Yuan Tao