Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

@loopback/authorization

Package Overview
Dependencies
Maintainers
7
Versions
82
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@loopback/authorization

A LoopBack component for authorization support.

  • 0.1.2
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
5.3K
increased by6.45%
Maintainers
7
Weekly downloads
 
Created
Source

@loopback/authorization

A LoopBack 4 component for authorization support.

Overview

Authorization decides if a subject can perform specific action on an object.

Authorization

Role based

Permission based

Vote based

Key building blocks

  1. Decorate a method to describe:
  • Permission (maps the method to an action on the protected resource)

    • Type of the protected resource (such as customer or order)
    • What action does the method represent (such as changeEmail, createOrder, or cancelOrder)
  • ACL (provides role based rules)

    • allowedRoles
    • deniedRoles
  • Voters (supplies a list of function to vote on the decision)

  1. Intercept a method invocation
  • Build authorization context

    • Subject (who) - from authentication
    • Map principals to roles
    • Inspect the target method for metadata - Permission, ACL, voters
  • Run through voters/enforcers to make decisions

Installation

npm install --save @loopback/authorization

Basic use

Start by decorating your controller methods with @authorize to require the request to be authorized.

In this example, we make the user profile available via dependency injection using a key available from @loopback/authorization package.

import {inject} from '@loopback/context';
import {authorize} from '@loopback/authorization';
import {get} from '@loopback/rest';

export class MyController {
  @authorize({allow: ['ADMIN']})
  @get('/number-of-views')
  numOfViews(): number {
    return 100;
  }
}

Extract common layer(TBD)

@loopback/authentication and @loopback/authorization shares the client information from the request. Therefore we need another module with types/interfaces that describe the client, like principles, userProfile, etc... A draft PR is created for this module: see branch https://github.com/strongloop/loopback-next/tree/security/packages/security

Since the common module is still in progress, as the first release of @loopback/authorization, we have two choices to inject a user in the interceptor:

  • @loopback/authorization requires @loopback/authentication as a dependency. The interceptor injects the current user using AuthenticationBindings.CURRENT_USER. Then we remove this dependency in the common layer PR, two auth modules will depend on @loopback/security.

    • This is what's been done in my refactor PR, Principle and UserProfile are still decoupled, I added a convertor function to turn a user profile into a principle.
  • The interceptor injects the user using another key not related to @loopback/authentication.(Which means the code that injects the user stays as it is in https://github.com/strongloop/loopback-next/pull/1205). Then we unify the user set and injection in the common layer PR: same as the 1st choice, two auth modules will depend on @loopback/security.

Contributions

Tests

run npm test from the root folder.

Contributors

See all contributors.

License

MIT

Keywords

FAQs

Package last updated on 15 Aug 2019

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc