mongo-crud
This library was generated with Nx.
Running unit tests
Run nx test mongo-crud to execute the unit tests via Jest.
Running lint
Run nx lint mongo-crud to execute the lint via ESLint.
About
The purpose of this library is not just to CRUD objects; that is already provided in a simple way by the mongodb package. Instead, what I intend is to provide a middleware mechanism for CRUD operations that can alter the data, or the nature of the operation, before and after the actual database operation. Some of the objectives are:
- Prevent CRUD operations if there is a logged-in user who doesn't have access to this particular resource, e.g. a customer cannot see orders from other customers.
- Prevent entities in one organisation from performing CRUD operations on entities in other organisations.
- While still allowing me to write cross-organisation reports or perform cross-org data migrations.
- Enforce the schema of objects before they are saved. This is probably best done with a JSON schema on the actual collection (still to be tested): it takes the validation workload off the api and also prevents any other apps or manual access from storing invalid data.
- When returning a document from an api, there are certain fields (cost price, passwordHash, etc.) that should not be exposed. This should provide a framework for stripping those out, while still allowing these values to be used internally by the code.
- Set date created
- Set last updated
- Add audit information
- Ownership of entities by the logged-in user
- Status (Active/inactive)
Authorisation/Permissions
Objectives
- Prevent access across orgs if not a super user (e.g. allow super users to pull a report that reads data across orgs)
- Prevent certain actions on objects based on ownership (e.g. if you don't own a voucher, you can't CRUD it)
- Prevent certain actions on objects based on status of object (E.g. soft deleted objects can't be updated)
- Limit certain actions on objects to certain roles (e.g. only admins can read reports)
- Prevent certain fields from being CRUDed by certain types of users (e.g. don't allow a user to see or change passwordHash directly)
- Limit result sets returned to only the ones you are allowed to see (e.g. my orders)
https://dev.to/rschwabco/building-rbac-in-node-3hcb
Casl
https://www.npmjs.com/package/@casl/ability
https://casl.js.org/v6/en/package/casl-react
https://www.npmjs.com/package/@casl/mongoose (Provides a filtered query)
Cerbos
https://cerbos.dev/video/implement-cerbos-in-less-than-4-minutes
Data stores - https://docs.cerbos.dev/cerbos/latest/configuration/storage.html
Aserto
https://www.aserto.com/