Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
authsome
Readme
Flexible team-based authorization module. This software is in an alpha stage.
Authsome is team-based, which means that authorization is determined by team membership. A team consists of a group of members and belongs to one of the team types configured at load time. A team is always based around an object (the object of the authorization request). A team can also be conditionally active, i.e. only active if the current state of the object matches the requirement for team activation. This is best explained with an example; see the Science Blogger example below.
Modes are exchangeable mechanisms of authorization (e.g. the built-in example modes: blog, journal, and noon).
If Authsome configuration is:
    let config = {
      mode: require('./src/modes/blog'),
      teams: {
        teamContributors: {
          name: 'Contributors',
          permissions: 'create'
        },
        teamCoauthors: {
          name: 'Coauthors',
          permissions: 'update'
        }
      }
    }
Then Authsome can be created like so:
    let authsome = new Authsome(
      config.mode,
      { teams: config.teams }
    )
And then used like so:
    authsome.can(user, operation, object)
or:
    authsome.can(currentUser, 'update', fragment)
The configured mode then takes over and decides on the authorization, returning true or false.
In Science Blogger, we have two types of teams. One is a 'contributor' type, which allows you to create blogposts for the blog. The other is a 'coauthor' team type, which allows you to update a specific blogpost (write it with someone). There is no conditional activity of teams, and only these two team types.
When you're managing teams, you create a new team with a certain type and a certain object (in the case of Contributors, you would choose the blog object as the object of the team). You can then add members to this team, and those members can then ask for (and receive) authorization to create blogposts for the blog.
Authsome can be used on both the backend (for authorizing API requests, e.g. for creating collections in PubSweet), and frontend (for showing/hiding UI that relates to an authorization request, e.g. a Create Blogpost button.)
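To make the model concrete, here is an added illustration of the team-based scheme the README describes, written for this page and not taken from authsome itself: the `Authorizer` class, the shape of the team records (`teamType`, `object`, `members`), the mode interface (`mode.can(user, operation, object, ctx)`) and the `activeWhen` predicate are all assumptions made for the example. It goes slightly beyond Science Blogger by giving the Coauthors team type a conditional activation rule (only while the post is a draft), to show what "conditionally active" means in practice. The blog, post, team and user records are constructed sample data.

```javascript
// Added illustration of team-based authorization as described in the README.
// NOT authsome's own code: Authorizer, the team-record shape, the mode
// interface and `activeWhen` are assumptions made for this example.

// Team types, using the README's config shape. `activeWhen` (assumption) is an
// optional predicate on the object's current state for conditional activation.
const teamTypes = {
  teamContributors: { name: 'Contributors', permissions: 'create' },
  teamCoauthors: {
    name: 'Coauthors',
    permissions: 'update',
    // Coauthors may only edit a post while it is still a draft.
    activeWhen: (object) => object.status === 'draft',
  },
};

// A blog-like mode: a team grants its configured operation on the one object
// it is based around, only to its members, and only while it is active.
const blogMode = {
  can(user, operation, object, { teamTypes, teams }) {
    for (const team of teams) {
      const type = teamTypes[team.teamType];
      if (!type) continue;                                         // unknown team type
      if (type.permissions !== operation) continue;                // grants another op
      if (team.object !== object.id) continue;                     // about another object
      if (!team.members.includes(user.id)) continue;               // not a member
      if (type.activeWhen && !type.activeWhen(object)) continue;   // team not active
      return true;
    }
    return false; // default deny: no team granted the operation
  },
};

// Thin wrapper in the spirit of `new Authsome(mode, { teams })`.
class Authorizer {
  constructor(mode, { teams, teamTypes }) {
    this.mode = mode;
    this.teams = teams;
    this.teamTypes = teamTypes;
  }
  can(user, operation, object) {
    return this.mode.can(user, operation, object, {
      teamTypes: this.teamTypes,
      teams: this.teams,
    });
  }
}

// Constructed sample data: one blog, one draft post, two teams.
const blog = { id: 'blog-1', type: 'blog' };
const post = { id: 'post-7', type: 'blogpost', status: 'draft' };
const teams = [
  { teamType: 'teamContributors', object: 'blog-1', members: ['alice'] },
  { teamType: 'teamCoauthors', object: 'post-7', members: ['alice', 'bob'] },
];
const alice = { id: 'alice' };
const bob = { id: 'bob' };
const eve = { id: 'eve' };

const authsome = new Authorizer(blogMode, { teams, teamTypes });

// Runs the authorization requests a Science Blogger app would make.
function demo() {
  return {
    aliceCreates: authsome.can(alice, 'create', blog),   // contributor on blog-1
    bobCreates: authsome.can(bob, 'create', blog),       // not a contributor
    bobUpdates: authsome.can(bob, 'update', post),       // coauthor, post is draft
    eveUpdates: authsome.can(eve, 'update', post),       // in no team
    bobUpdatesPublished: authsome.can(bob, 'update', { ...post, status: 'published' }), // team inactive
    aliceDeletes: authsome.can(alice, 'delete', post),   // no team type grants delete
  };
}

console.log(demo());
```

Two points worth noting. The mode denies by default: an operation no team type grants (`delete` above) is refused even for a member of every team, which is the behaviour you want from an authorization layer. And while the same check can drive the frontend (hiding the Create Blogpost button), only the backend check actually enforces anything; a client that skips the UI still hits the API, so the server-side `can` call is the one that matters.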
FAQs
Flexible team-based authorization
The npm package authsome receives a total of 357 weekly downloads. As such, authsome's popularity was classified as not popular.
We found that authsome demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.