cansecurity
Comparing version 0.7.1 to 0.7.2
@@ -36,11 +36,12 @@ /*jslint node:true, nomen:true */ | ||
}, | ||
loader; | ||
globalLoader; | ||
module.exports = { | ||
init: function (config) { | ||
loader = (config || {}).loader; | ||
globalLoader = (config || {}).loader; | ||
}, | ||
loadFile: function (cfile,options) { | ||
var data, routes = {}, fpath; | ||
var data, routes = {}, fpath, loader, localLoader; | ||
options = options || {}; | ||
localLoader = options.loader ? require(options.loader) || {} : {}; | ||
// source the config file | ||
@@ -144,3 +145,4 @@ /*jslint stupid:true */ | ||
req.cansecurity = req.cansecurity || {}; | ||
loader[entry.loader](req, res, function (err) { | ||
loader = localLoader[entry.loader] || globalLoader[entry.loader]; | ||
loader(req, res, function (err) { | ||
if (err) { | ||
@@ -147,0 +149,0 @@ next(err); |
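Review bot: At `loader = localLoader[entry.loader] || globalLoader[entry.loader];` a loader name defined in neither place leaves `loader` undefined, so the call on the next line fails with a bare TypeError, and when `init()` was called without a loader (`globalLoader = (config || {}).loader;` yields undefined) the lookup itself throws the same way. A guard before the call, `if (typeof loader !== 'function') { return next(new Error('cansecurity: no loader named ' + entry.loader)); }`, turns that into a route-level error that names the missing loader; the enclosing callback continues outside the hunk and appears to have `next` in scope, judging by the trailing `next(err)` fragment. Because `entry.loader` is read from the declarative file and both lookups are on plain objects, inherited names such as `constructor` also resolve to a function, so a `hasOwnProperty` check on each side would limit the lookup to loaders the developer actually declared. The `require(options.loader)` on the new `localLoader` line in the first hunk is the dynamic require a package scanner will report; a comment like `// options.loader is a module path set by the app at startup, never request data` would record the intended trust boundary next to it.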
{ | ||
"name": "cansecurity", | ||
"description": "cansecurity is your all-in-one security library for user authentication, authorization and management in node expressjs apps", | ||
"version": "0.7.1", | ||
"version": "0.7.2", | ||
"url": "http://github.com/deitch/cansecurity", | ||
@@ -22,3 +22,3 @@ "author": "Avi Deitcher <avi@deitcher.net>", | ||
"express":"3.x", | ||
"restify":"2.x", | ||
"restify":"3.x", | ||
"mocha":"1.x", | ||
@@ -25,0 +25,0 @@ "supertest":"0.x" |
@@ -686,15 +686,3 @@ # cansecurity | ||
The data is loaded by passing a loader to `cansec.init()`: | ||
````JavaScript | ||
cansec.init({ | ||
loader: { | ||
user: function(req,res,next) { | ||
}, | ||
group: function(req,res,next) { | ||
} | ||
} | ||
}); | ||
```` | ||
Each loader function has two simple jobs to do: | ||
@@ -737,4 +725,68 @@ | ||
So where do you actually define the loader functions? You have two options for where the loader can exist. | ||
##### Global | ||
If you have or want a single loader, you can pass all of your loader functions into `cansec.init()`: | ||
````JavaScript | ||
cansec.init({ | ||
loader: { | ||
user: function(req,res,next) { | ||
}, | ||
group: function(req,res,next) { | ||
} | ||
} | ||
}); | ||
```` | ||
And the declarative part: | ||
````JavaScript | ||
{ | ||
routes: [ | ||
["GET","/api/group/:group",true,"group","_.contains(item.members,user.id)"] | ||
] | ||
} | ||
```` | ||
##### Local | ||
You can define the loader functions in a file local to a certain declarative file: | ||
````JavaScript | ||
// in your main server.js | ||
app.use(cansec.authorizer(__dirname+'/path/to/decl.json',{loader:__dirname+'/path/to/loader.js'}))` | ||
```` | ||
The loader file then would look like: | ||
````JavaScript | ||
module.exports = { | ||
user: function(req,res,next) { | ||
}, | ||
group: function(req,res,next) { | ||
} | ||
} | ||
```` | ||
If you can do it globally, why bother with the local? Simple. You can have *multiple* declarative files. For example, we often separate the security authorization (user Jim is allowed to see his own account) from subscription authorization (user Jim already has 2 accounts and needs to upgrade his plan to get another). | ||
````JavaScript | ||
// in your main server.js | ||
app.use(cansec.authorizer(__dirname+'/path/to/security.json',{loader:__dirname+'/securityloader.js'}))` | ||
app.use(cansec.authorizer(__dirname+'/path/to/plans.json',{loader:__dirname+'/planloader.js'}))` | ||
```` | ||
If course, you might want to keep them together, in which case just use the global! | ||
##### Order of Priority | ||
What if a particular loader is defined in *both* lcala *and* global? The order of priority then is: | ||
1. Look for and run the loader in the local; if not found... | ||
2. Look for an run the loader in the global. | ||
Simple, right? | ||
#### What It Returns | ||
@@ -741,0 +793,0 @@ The authorizer has one of three possible results: |
@@ -1,2 +0,2 @@ | ||
/*jslint node:true, nomen:true */ | ||
/*jslint node:true, nomen:true, unused:vars */ | ||
var _ = require( 'lodash' ), | ||
@@ -60,2 +60,6 @@ tokenLib = require("../../lib/token"), | ||
next(); | ||
}, | ||
local: function ( req, res, next ) { | ||
req.cansecurity.item = "global"; | ||
next(); | ||
} | ||
@@ -62,0 +66,0 @@ }, |
/*jslint node:true, nomen:true, unused:vars */ | ||
/*global before, it, describe, after */ | ||
var express = require('express'), restify = require('restify'), app, request = require('supertest'), | ||
cansec, cs = require('./resources/cs'), errorHandler = require('./resources/error'), declareFile = __dirname+'/resources/declare.json', | ||
cansec, cs = require('./resources/cs'), errorHandler = require('./resources/error'), | ||
declareFile = __dirname+'/resources/declare.json', | ||
declareLocalFile = __dirname+'/resources/declare2.json', | ||
declareLocalLoader = __dirname+'/resources/loader.js', | ||
r, path, send200 = function(req,res,next){ | ||
@@ -144,2 +147,12 @@ // send a 200 | ||
}); | ||
}, | ||
thirdtests = function () { | ||
describe('loader', function(){ | ||
it('should return 200 for global loader', function(done){ | ||
r.get('/secure2/globalloader').expect(200,done); | ||
}); | ||
it('should execute the specific group loader instead of the global one', function(done){ | ||
r.get('/secure2/localloader').expect(200,done); | ||
}); | ||
}); | ||
}; | ||
@@ -149,4 +162,4 @@ | ||
describe('declarative authorization', function(){ | ||
describe('without format flag', function(){ | ||
describe('express', function(){ | ||
describe('express', function(){ | ||
describe('without format flag', function(){ | ||
before(function(){ | ||
@@ -170,27 +183,22 @@ cansec = cs.init(); | ||
}); | ||
describe('restify', function(){ | ||
describe('with format flag', function(){ | ||
before(function(){ | ||
cansec = cs.init(); | ||
app = restify.createServer(); | ||
app.use(restify.queryParser()); | ||
app = express(); | ||
app.use(express.cookieParser()); | ||
app.use(express.session({secret: "agf67dchkQ!"})); | ||
app.use(cansec.validate); | ||
// This is where we instantiate the declarative authorizer | ||
app.use(cansec.authorizer(declareFile)); | ||
app.use(cansec.authorizer(declareFile,{format:true})); | ||
app.use(app.router); | ||
app.use(errorHandler); | ||
// we just send 200 for all routes, if it passes authorization | ||
app.get(/^.*$/,send200); | ||
app.post(/^.*$/,send200); | ||
app.put(/^.*$/,send200); | ||
app.del(/^.*$/,send200); | ||
app.head(/^.*$/,send200); | ||
app.all('*',send200); | ||
r = request(app); | ||
}); | ||
firsttests(); | ||
after(function(){ | ||
app.close(); | ||
}); | ||
secondtests(); | ||
}); | ||
}); | ||
describe('with format flag', function(){ | ||
describe('express', function(){ | ||
describe('multiple declarations', function(){ | ||
before(function(){ | ||
@@ -203,3 +211,4 @@ cansec = cs.init(); | ||
// This is where we instantiate the declarative authorizer | ||
app.use(cansec.authorizer(declareFile,{format:true})); | ||
app.use(cansec.authorizer(declareFile)); | ||
app.use(cansec.authorizer(declareLocalFile,{loader:declareLocalLoader})); | ||
app.use(app.router); | ||
@@ -213,5 +222,10 @@ app.use(errorHandler); | ||
}); | ||
secondtests(); | ||
// all of the firsttests should still pass | ||
firsttests(); | ||
// all of the thirdtests should pass | ||
thirdtests(); | ||
}); | ||
describe('restify', function(){ | ||
}); | ||
describe('restify', function(){ | ||
describe('without format flag', function(){ | ||
before(function(){ | ||
@@ -223,2 +237,24 @@ cansec = cs.init(); | ||
// This is where we instantiate the declarative authorizer | ||
app.use(cansec.authorizer(declareFile)); | ||
// we just send 200 for all routes, if it passes authorization | ||
app.get(/^.*$/,send200); | ||
app.post(/^.*$/,send200); | ||
app.put(/^.*$/,send200); | ||
app.del(/^.*$/,send200); | ||
app.head(/^.*$/,send200); | ||
r = request(app); | ||
}); | ||
firsttests(); | ||
after(function(){ | ||
app.close(); | ||
}); | ||
}); | ||
describe('with format flag', function(){ | ||
before(function(){ | ||
cansec = cs.init(); | ||
app = restify.createServer(); | ||
app.use(restify.queryParser()); | ||
app.use(cansec.validate); | ||
// This is where we instantiate the declarative authorizer | ||
app.use(cansec.authorizer(declareFile,{format:true})); | ||
@@ -237,3 +273,5 @@ | ||
}); | ||
describe('multiple declarations', function(){ | ||
}); | ||
}); | ||
}); |
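Review bot: The new `thirdtests` case 'should execute the specific group loader instead of the global one' asserts only `.expect(200, done)`, which cannot distinguish the two loaders: the global fixture in resources/cs.js now also defines `local`, so a 200 passes whichever one ran unless declare2.json's condition rejects the global fixture's `"global"` item value, which is not visible in this diff. Asserting on something the loader sets, for example having the route handler echo `req.cansecurity.item` and checking `.expect(200, 'local', done)`, would pin the local-before-global priority that the README section of this commit documents. `send200` is defined above the hunk, so the echo would need a small change there or a dedicated handler for the `/secure2` routes.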