Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

rest-access

Package Overview
Dependencies
Maintainers
1
Versions
9
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

rest-access

role/scope based REST access control

  • 1.1.0
  • Source
  • npm
  • Socket score

Version published
Maintainers
1
Created
Source

rest-access

install

npm i -S rest-access

usage

const express = require('express')
const app = express()
const jwt = require('express-jwt')
const access = require('rest-access')

access([
  ['*', '/api/*', 'api:rookie', true],
  [['POST', 'PUT', 'DELETE'], '/api/*', 'api:write,admin:*'],
  [['POST', 'PUT', 'DELETE'], '/api/secret/*', 'normal-admin'],
  ['GET', '/api/*', 'api:read'],
  [['GET', 'POST'], '/*', '*']
])

app.use(jwt({ secret: 'shared_secret' })) // authenticate with jwt
app.use((req, res, next) => {
  // map req.user.scope (added by express-jwt) to req.permission (used by rest-access)
  req.permission = req.user.scope
  next()
})

app.use(access.middleware()) // restrict access according to definition above

// endpoints
let hello = 'world'
app.get('/api/hello', (req, res) => res.send(hello))
app.post('/api/hello', (req, res) => {
  hello = req.body
  res.send(201)
})
app.get('/hello', (req, res) => res.send('welcome to the unrestricted area'))

api

access(rules)

This function lets you define the access rules all at once:

access([
  [['POST', 'PUT', 'DELETE'], '/*/glint/role/*', 'manage'],
  [['POST', 'PUT', 'DELETE'], '/*/glint/config/*', 'manage'],
  [['GET'], '/signup/*', 'manage'],
  ['*', '/signin/*', 'manage'],
  ['*', '/account/password', 'manage'],
  ['*', '/account/delete', 'manage'],
  ['*', '/*', 'view', true],
  ['*', '/upload/*', 'edit'],
  ['GET', '/translate/*', 'edit,manage'],
  ['GET', '/filemanager/*', 'edit,manage'],
  [['POST', 'PUT', 'DELETE'], '/filemanager/*', 'edit,manage'],
  ['GET', '/ajax/*', '*'],
  ['POST,DELETE,PUT', '/ajax/*', 'edit,insert,delete'],
  ['*', '/admin/*', 'manage'],
  [['GET', 'POST'], '/*', '*']
])
access(methods, path, role[, block])

Use This method if you want to define a single access rules a specific place. examples:

access(['GET', 'POST'], '/*/glint/role/* ', 'admin:*')
access('POST', '/*/glint/*', 'edit:glint')

The fourth argument is optional. If the fourth argument is "truthy" (boolean:true or string), it means that this role is blocked (instead of allowed) for the given methods and path. Therefore in the following example, the Role read:glint is blocked to POST the given path.

access('POST', '/*/glint/*', 'read:glint', true)
members

app.midleware middleware function

example usage: looks for user permission under req.permission

app.use(access.middleware({ permissionProperty: 'permission' }))

app.restrict restrict single route

example usage: looks for user permission under req.permission

app.get('/my/home', access.restrict('api:*'), (req, res) => res.send('restricted api access'))
extends

access.middleware() adds req.userCan function to the express/connect Request Object. Example call: req.userCan('admin:*')

test

npm test

license

MIT

credits

extracted from: https://github.com/glintcms/glintcms-starter-glintcms/blob/master/local_modules/page-auth-access/access.js

FAQs

Package last updated on 07 Sep 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc