Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

hapi-crud-acl

Package Overview
Dependencies
Maintainers
1
Versions
18
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

hapi-crud-acl

Hapi Crud Plugin

  • 1.0.0
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
13
decreased by-38.1%
Maintainers
1
Weekly downloads
 
Created
Source

Hapi Route ACL

Fine-grained route access control based on CRUD for hapi.js

Build Status codecov

Description

This hapi.js plugin allows you to specify ACL permission requirements for each of your routes using CRUD. For example let's say you have a resource called "cars". You could protect each route with the following permissions:

'cars:create', 'cars:read', 'cars:update', 'cars:delete'

Routes can be protected by multiple permissions. For example you might have a route for drivers of cars that looks like: POST /cars/1/drivers/

You can protect this route with: ['drivers:create', 'cars:read']

Hapi-Route-ACL

This project is a rewrite of hapi-route-acl to which I give great thanks for the inspiration. I also stole his readme.

Usage

Example

const hapi = require('@hapi/hapi')
const hapiCrudAcl = require('hapi-crud-acl')

// gets the permissions that the user has from the request
// its only argument is the value of request.auth.credentials
// which should be set by your authentication solution
const permissionsFunc = (auth) => {
  return auth.permissions
}

// server.js
var server = new hapi.Server()

server.register({
  plugin: hapiCrudAcl,
  options: {
    permissionsFunc,
  },
})

server.route([
  {
    method: 'GET',
    path: '/unprotected',
    config: {
      handler: (request, reply) => {
        reply('hoi')
      },
    },
  },
  {
    method: 'GET',
    path: '/cars',
    config: {
      handler: (request, reply) => {
        reply(['Toyota Camry', 'Honda Accord', 'Ford Fusion'])
      },
      plugins: {
        hapiCrudAcl: {
          permissions: ['cars:read'],
        },
      },
    },
  },
  {
    method: 'GET',
    path: '/cars/{id}',
    config: {
      handler: (request, reply) => {
        reply('Toyota Camry')
      },
      plugins: {
        hapiCrudAcl: {
          permissions: 'cars:read',
        },
      },
    },
  },
  {
    method: 'DELETE',
    path: '/cars/{id}',
    config: {
      handler: (request, reply) => {
        reply('car deleted!')
      },
      plugins: {
        hapiCrudAcl: {
          permissions: ['cars:delete'],
        },
      },
    },
  },
  {
    method: 'GET',
    path: '/cars/{id}/drivers',
    config: {
      handler: (request, reply) => {
        reply(['Greg', 'Tom', 'Sam'])
      },
      plugins: {
        hapiCrudAcl: {
          permissions: ['cars:read', 'drivers:read'],
        },
      },
    },
  },
  {
    method: 'DELETE',
    path: '/cars/{carId}/drivers/{driverId}',
    config: {
      handler: (request, reply) => {
        reply('driver deleted!')
      },
      plugins: {
        hapiRouteAcl: {
          permissions: ['cars:read', 'drivers:delete'],
        },
      },
    },
  },
])

server.start()

This plugin requires a permissionsFunc which takes credentials (from request.auth.credentials) and returns the permissions or a promise resolving to the permissions

The permission format should look something like this:

{
  cars: {
    create: false,
    read: true,
    update: true,
    delete: true
  },
  drivers: {
    create: false,
    read: true,
    update: false,
    delete: false
  }
};

Keys are route names and values are objects that map each crud type to a boolean for access. Note that while create/read/update/delete is the recommended format it is not required. You could for example also make permissions that look like this:

{
  cars: {
    make: true,
    look: true,
    edit: true,
    remove: true
    duplicate: true
    retract: true
  },
};

FAQs

Package last updated on 21 Feb 2021

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc