Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

rest-access

Package Overview
Dependencies
Maintainers
1
Versions
9
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

rest-access

role/scope based REST access control

  • 1.3.0
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
0
Maintainers
1
Weekly downloads
 
Created
Source

rest-access

install

npm i -S rest-access

rest-access can be used to restrict access to resources. it can be used as a standalone solution or as a express/connect middleware.

usage

const express = require('express')
const app = express()
const jwt = require('express-jwt')
const access = require('rest-access')

access([
  ['*', '/api/*', 'api:rookie', true],
  [['POST', 'PUT', 'DELETE'], '/api/*', 'api:write,admin:*'],
  [['POST', 'PUT', 'DELETE'], '/api/secret/*', 'normal-admin'],
  ['GET', '/api/*', 'api:read'],
  [['GET', 'POST'], '/*', '*']
])

app.use(jwt({ secret: 'shared_secret' })) // authenticate with jwt
app.use((req, res, next) => {
  // map req.user.scope (added by express-jwt) to req.permission (used by rest-access)
  req.permission = req.user.scope
  next()
})

app.use(access.middleware()) // restrict access according to definition above

// endpoints
let hello = 'world'
app.get('/api/hello', (req, res) => res.send(hello))
app.post('/api/hello', (req, res) => {
  hello = req.body
  res.send(201)
})
app.get('/hello', (req, res) => res.send('welcome to the unrestricted area'))

api

access(rules)

This function lets you define the access rules all at once:

access([
  [['POST', 'PUT', 'DELETE'], '/*/glint/role/*', 'manage'],
  [['POST', 'PUT', 'DELETE'], '/*/glint/config/*', 'manage'],
  [['GET'], '/signup/*', 'manage'],
  ['*', '/signin/*', 'manage'],
  ['*', '/account/password', 'manage'],
  ['*', '/account/delete', 'manage'],
  ['*', '/*', 'view', true],
  ['*', '/upload/*', 'edit'],
  ['GET', '/translate/*', 'edit,manage'],
  ['GET', '/filemanager/*', 'edit,manage'],
  [['POST', 'PUT', 'DELETE'], '/filemanager/*', 'edit,manage'],
  ['GET', '/ajax/*', '*'],
  ['POST,DELETE,PUT', '/ajax/*', 'edit,insert,delete'],
  ['*', '/admin/*', 'manage'],
  [['GET', 'POST'], '/*', '*']
])
access(methods, path, role[, block])

Use This method if you want to define a single access rules a specific place. examples:

access(['GET', 'POST'], '/*/glint/role/* ', 'admin:*')
access('POST', '/*/glint/*', 'edit:glint')

The fourth argument is optional. If the fourth argument is "truthy" (boolean:true or string), it means that this role is blocked (instead of allowed) for the given methods and path. Therefore in the following example, the Role read:glint is blocked to POST the given path.

access('POST', '/*/glint/*', 'read:glint', true)
members

access.isBlocked this function can be used to check if the access to the required endpoint is blocked. isBlocked(method, path, permission)

Given this definition:

access([
  ['GET', '/api/*', 'api:*'],
  ['GET,POST,PUT,DELETE', '/api/*', 'api:write'],
])

The following result is expected:

access.isBlocked('GET', '/api/hello', 'api:read') // -> returns `false`
access.isBlocked('POST', '/api/message', 'api:write') // -> returns `false`
access.isBlocked('PUT', '/api/message/today', 'api:read') // -> returns `'access not permitted'`

access.midleware middleware function

example usage: looks for user permission under req.permission

app.use(access.middleware({ permissionProperty: 'permission' }))

access.restrict restrict single route

example usage: looks for user permission under req.permission

app.get('/my/home', access.restrict('api:*'), (req, res) => res.send('restricted api access'))

access.getRules use this function to return a copy of the existing rules.

example:

restAccess.getRules().forEach(rule => console.log(rule.join(' ')));
extends

access.middleware() adds req.userCan function to the express/connect Request Object. Example call: req.userCan('admin:*')

test

run unittests

npm test

run integrationtests

npm test:integration

license

MIT

credits

extracted from: https://github.com/glintcms/glintcms-starter-glintcms/blob/master/local_modules/page-auth-access/access.js

FAQs

Package last updated on 11 Sep 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc