Moleculer Middleware Permissions

Check action permissions.

Install

This module requires at least Node v8.3.0.

yarn add moleculer-middleware-permissions

Usage

// moleculer.config.js
const PermissionGuard = require('moleculer-middleware-permissions');
 
const guard = new PermissionGuard({options});
 
module.exports = {
    ...
    middlewares: [
        guard.middleware(),
    ],
};

// service.js
module.exports = {
  name: 'awesome.service',
   actions: {
       hello: {
         // The user must have both 'hello:read' AND 'hello:name'
         // You can override this behaviour by passing your 'checkFunction'
         permissions: ['hello:read', 'hello:name'],
         handler (ctx) {
           const {name} = ctx.params;
           return `Hello ${name}`;
         }
       },
       me: {
          // Will check for these permissions: ['awesome.service.me']
          permissions: true,
          handler (ctx) {
            return `Hello me`;
          }
        }
     }
};

Notes

The middleware also add a property rawPermissions on the action. It allows anyone to have the real permissions used by the action. The array is immutable, so any attempt to edit it will fail.

Options

• checkFunction: A function that return true if the request has enough permissions. Else, the return value will be send in the rejected PermissionError. For the default behaviour search for basicPermissionCheck in src/index.js.
• permissionsPath: Path to look for the request permissions (from the ctx object). Default to meta.user.permissions,
• permissionsSep: Separator used to transform the action name to a permission name (default: .).
• pathSeparator: Separator to use when there is a . in a property.

License

MIT