express-access-control
Middleware to perform access control based on the user's session and groups.
Module to implement access control based on a user's membership to groups.
It is intended as a dependency for express-user and express-user-local, but it can also be used on its own by making use of the customization facilities.
A recent version of Node.js (version 0.10.25 is installed on my machine, later versions should work also, let me know if that is not the case)
The AuthenticateRoute function is meant to be used with an Express router, although it could feasibly work with frameworks that support a similar API.
npm install express-access-control
In the directory where the module is located, run the following 2 commands on the prompt:
The library has 2 main methods:
AccessControl.Authenticate(Req, Res, Groups, And)
This function returns true if the request's user matches the expected authentication credentials, else false.
<Req> and <Res> are the usual arguments passed to every Express route handler.
<Groups> is an array of strings corresponding to the groups that you want to verify the request's user belongs to. It can be set to null, in which case the call only verifies that the request's user is logged in.
<And> can be set to true or false. If set to true, the function only matches the user if they belong to all the groups specified in <Groups>; otherwise membership in any one of them is enough.
Ex:
var AccessControl = require('express-access-control');
//Some code
App.put('/Homeworks/Math202/Week2', function(Req, Res, Next) {
    //Only users who are both a Teacher and in the Math group may proceed
    if(AccessControl.Authenticate(Req, Res, ['Teacher', 'Math'], true))
    {
        Next();
    }
    else
    {
        Res.status(401).end();
    }
});
//More code
AccessControl.AuthenticateRoute(Options)
This call is a shortcut to generate a route that authenticates the user (like in the above example).
If the user doesn't pass authentication, then Next(Err) is called, where Err is an error with Err.Source set to "ExpressAccessControl" and Err.Type set to "NoAccess". If the user passes authentication, then Next() is called to go to the next route handler.
<Options> can take 2 formats:
An array of strings: in this case, 'Authenticate' is used to authenticate the user with <Groups> set to <Options> and <And> set to false.
An object with the following properties:
- The 'Groups' property specifies the groups to check that the user belongs to. If null, the route only verifies that the user is logged in. Defaults to null.
- The 'And' property specifies whether the user should belong to all the groups. Defaults to false.
- The 'Not' property specifies whether the user should instead not belong to the groups. Defaults to false.
Ex:
var AccessControl = require('express-access-control');
//Some code
//Only users who are not in the Banned group may post
App.post('/Forums/French', AccessControl.AuthenticateRoute({'Groups': ['Banned'], 'Not': true}));
//More code
The library is, by default, dependent on req.session (set by the express-session library) and req.session.User.Memberships (set by the user-store and express-user libraries) being present for each request.
You can alter these expectations with the following calls:
AccessControl.SetGetMemberships
Changes the internal function that fetches a user's memberships.
<NewGetter> needs to have the following signature: function(Req, Res)
The arguments are those that Express passes to route handlers. The return value should be an array containing the user's memberships as strings.
AccessControl.SetLoggedIn
Changes the internal function that determines if a user is logged in.
<NewChecker> needs to have the following signature: function(Req, Res)
The arguments are those that Express passes to route handlers. The return value should be true if the user is logged in, else false.
Ex:
//Assume our User info is stored in Res.locals.User.Groups instead
var AccessControl = require('express-access-control');
AccessControl.SetGetMemberships(function(Req, Res) {
    return(Res.locals.User.Groups);
});
AccessControl.SetLoggedIn(function(Req, Res) {
    //A user is logged in whenever a User object is present
    var ToReturn = Res.locals.User ? true : false;
    return(ToReturn);
});
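As an added example (not code from express-access-control itself), the following models the Authenticate and AuthenticateRoute semantics described above (Groups, And, Not, the Next(Err) handoff with Err.Source and Err.Type) together with pluggable getters in the style of SetGetMemberships and SetLoggedIn, and shows an Express-style error handler that turns the error into a 401 or 403 response. It assumes the default session shape (req.session.User.Memberships) and that 'Not' negates the whole group match; no real Express or the module is required, so it runs offline.

```javascript
// Added example, not part of express-access-control: stand-alone model of the documented
// Authenticate / AuthenticateRoute semantics plus an error handler consuming Err.Source / Err.Type.
// Model of the membership check; true means the request may proceed.
// Assumption: Not negates the whole match (with And=false it means "belongs to none").
function hasAccess(loggedIn, memberships, options) {
  if (!loggedIn) return false;                      // anonymous users never pass
  const groups = Array.isArray(options) ? options : (options && options.Groups) || null;
  const and = Array.isArray(options) ? false : Boolean(options && options.And);
  const not = Array.isArray(options) ? false : Boolean(options && options.Not);
  if (groups === null) return true;                 // only a login check was requested
  const owned = new Set(memberships || []);
  const matched = and ? groups.every((g) => owned.has(g)) : groups.some((g) => owned.has(g));
  return not ? !matched : matched;
}

// Equivalent of AuthenticateRoute: the route calls Next(Err) with the documented fields.
function authenticateRoute(options, getMemberships, isLoggedIn) {
  return function (Req, Res, Next) {
    if (hasAccess(isLoggedIn(Req, Res), getMemberships(Req, Res), options)) return Next();
    const Err = new Error('access denied');
    Err.Source = 'ExpressAccessControl';
    Err.Type = 'NoAccess';
    Next(Err);
  };
}

// Express-style error middleware (four arguments): 401 for an anonymous user, 403 for a
// logged-in user lacking the groups; anything else goes to the next error handler.
function accessErrorHandler(Err, Req, Res, Next) {
  if (Err && Err.Source === 'ExpressAccessControl' && Err.Type === 'NoAccess') {
    return Res.status(Req.session && Req.session.User ? 403 : 401).end();
  }
  Next(Err);
}

// Getters matching the README's default expectations (req.session.User.Memberships).
const defaultLoggedIn = (Req) => Boolean(Req.session && Req.session.User);
const defaultMemberships = (Req) => (Req.session && Req.session.User && Req.session.User.Memberships) || [];

// Drives one constructed request (session object only) through the guard and the error
// handler; returns the status the client would see (200 when the guarded handler ran).
function simulate(options, session) {
  const Req = { session };
  let status = 200;
  const Res = { status: (code) => { status = code; return Res; }, end: () => {} };
  const guard = authenticateRoute(options, defaultMemberships, defaultLoggedIn);
  guard(Req, Res, (Err) => { if (Err) accessErrorHandler(Err, Req, Res, () => { status = 500; }); });
  return status;
}
```

Registering a handler like accessErrorHandler after the routes is what makes the Next(Err) handoff produce a response instead of falling through to Express's default error page.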
This library will probably be augmented with custom response handling and custom membership testing (via a function argument).
Another potential modification would be to change the customization API so that customization functions can be asynchronous (if they need to make a trip to the database, for example).
These changes will be made as needs arise.
Initial release.
The library's 'AuthenticateRoute' method now delegates the response to an error handler if the user doesn't pass authentication.