About

A module that connects a sri4node backend to the sri security api (https://github.com/rodrigouroz/sri-security-api).

Installing

Installation is simple using npm :

$ cd [your_project]
$ npm install --save sri4node-security-api

Usage

The module exposes a function for each one of the after functions available in a resource in sri4node:

• checkReadPermission: an afterread function implementation (Check afterread in sri4node)
• checkInsertPermission: an afterinsert function implementation (Check afterinsert in sri4node)
• checkUpdatePermission: an afterupdate function implementation (Check afterupdate in sri4node)
• checkDeletePermission: a secure function implementation that checks a DELETE method (Check secure in sri4node)

This modules connects to the sri-security-api and checks permissions on the actions performed. If there are no permissions the promise is rejected.

CRUD rules must exist in the sri-security-api for the permissions to work.

In order to use it in a sri4node backend, you need to import the module:

var sri4nodeSecurity = require('sri4node-security-api');

This returns a construction function that must be invoked with these parameters:

var generalSecurity = sri4nodeSecurity(Config, sri4node.utils);

Where the Config object must have the following properties:

• USER a valid username to connect to the Security API
• PASSWORD a valid password to connect to the Security API
• SECURITY_API_HOST the host of the Security API
• HEADERS any extra header to be added to the requests to the Security API

The second argument is the utils attribute of the sri4node backend (Check General Utilities)

This returns a constructor function that can be used to build one security module for each component.

For example, for the component persons-api:

var securityForPersons = generalSecurity('/security/components/persons-api');

Then it must be hooked to the resource, such as this:

return {
  type: '/content',
  public: false,
  secure: [security.checkDeletePermission],
  ...
  afterread: [security.checkReadPermission],
  afterupdate: [security.checkUpdatePermission],
  afterinsert: [security.checkInsertPermission],
  ...
};

It's important to note that the checkDeletePermission method is not an after function. It has the interface of a secure function because it must be checked before the resource is deleted, unless with the other methods that must be checked after it's altered.