restify-role-based-auth
Advanced tools
Role-based authorization middleware for Restify API applications.
Is a role-based authorization middleware for Restify API applications. This middleware allows you to manage the authorization of all requests to your Restify API through the use of an Unix-style access control list also known as an ACL. In the API's ACL you define the roles that users belong to, the resources (URL paths) those roles have permissions to access, and the HTTP methods that can be used on said resources.
This Authorization Middleware is meant to be used in conjunction with an Authentication Middleware such as Passport.
You can add restify-role-based-auth as a dependency through NPM
$ npm i restify-role-based-auth --save
in your project require restify-role-based-auth
// Using default configuration
const roleBasedAuth = require('restify-role-based-auth')();
or GitLab
$ git clone git@gitlab.com:graphicnetdesign/restify-role-based-auth.git
copy the lib folder to your project, rename it to restify-role-based-auth, and then require index.js
const roleBasedAuth = require('./restify-role-based-auth/lib/index');
The Access Control List or ACL is an array of Policy objects which make up the access rules by which the API will be bound. The ACL is a single file written in the JSON syntax and must adhere to the following rules:
Example
[
{
"role": "user",
"permissions": [{
"resource": "users",
"methods": [
"POST",
"GET",
"PUT"
],
"action": "allow",
}]
}
]
First step is to create your ACL file, name it acl.json and place this in the config folder in the root of
your application. This is the file where you will define all of the role policies that restrict or give access
to certain resources within your application.
This middleware will iterate through the ACL in an attempt to match:
role with a role in one of the ACL's policiesresource requested (the URI path in the HTTP request) with a resource in one of the permissions objects in the policymethod from the request with a method in the methods array within the permission objectIf all matches can be found the action in the policy is then checked:
allow, the middleware will call next() and allow the application to move to the next middleware in the middleware stackdeny, the middleware will call next() passing it a restify-errors UnauthorizedError with either the default message or the error message supplied in the config objectIn the example below, we are:
* (wildcard symbol), we want admins to be able to do anythingExample
[
{
"role": "admin",
"permissions": [{
"resource": "*",
"methods": "*",
"action": "allow"
}]
},
{
"role": "user",
"permissions": [{
"resource": "users",
"methods": [
"POST"
],
"action": "deny"
}]
}
]
This middleware depends on each Restify request object having an authenticated user object already attached to it by an authentication middleware like Passport.
The middleware looks for a user object on the restify req object like this req.user.
Keep in mind, with the generic use of hasOwnProperty on the user object, you are required to attach
a POJO (plain old JavaScript object) to the req object at the point of authentication by your
authentication middleware (such as passport). If you attach a complex object, such as a Mongoose model
object, this middleware will not be able to find the role(s) property on that user object.
The middleware looks for req.user with a role or roles property that is either a single role as a
String or an Array of multiple String roles respectively, from which it can grab the current user's
role(s) for verification within the ACL policies list.
This means that the call to server.use(roleBasedAuth()); must come after your call to your
authentication middleware or custom code that authenticates the user and adds a user object
to the current request.
Example
// Passport using middleware using passport-jwt strategy
// attaches a user object to the request if successful
// authentication occurs
server.use(passport.initialize());
// restify-role-based-auth middleware depends on the user
// obect and its role property
server.use(roleBasedAuth);
The restify-role-based-auth middleware function can take two parameters:
config object with custom values for available configuration propertiesrequire('restify-role-based-auth')([config])
When requiring the middleware into your application you have the opportunity to use either the default or a custom configuration object.
Default: the middleware will use presets and expects to find your acl.json file in the
config folder at the root of your application (./config/acl.json).
config object's properties:
aclFilename: the name of the ACL Policy file (default: acl.json)aclPath: the file path to the folder containing the ACL Policy file (default: ./config)baseApiUrl: the base URL of the API the middleware is protecting, prepended to all Policy protected resources (default: /)errorMessage: the message to be returned with the 401 Unauthorized ErrorUsing a custom configuration, in the example below, the middleware will look for your ACL file
at the path ./security/custom.json
Example: Custom Config
const customConfig = {
aclFilename: 'custom.json',
aclPath: './security',
baseApiUrl: '/api',
errorMessage: 'You are not authorized to access this resource'
};
const roleBasedAuth = require('restify-role-based-auth')(customConfig);
By default, the middleware will utilize the restify-errors
library when determining an error to use and return to the API caller.
## Other Features
### Unless to Bypass
In order to maintain the highest security possible, this middleware takes the lockdown approach,
that is it blocks all resources (routes) to begin with and only allows resources to be accessed
if-and-only-if that resources has a defined policy with in the ACL Policy file.
This of course, means that even your authentication resources are locked down, making it so that
users cannot login or register for the API. To mitigate this effect, the middleware utilizes the
[express-unless](https://github.com/jfromaniello/express-unless/blob/master/README.md) package
to allow you to unlock certain resources without the need to setup crazy policies in your ACL.
```js
const openResources = {
path: [
{
url: '/auth',
methods: [
'POST'
]
},
{
url: '/auth/login',
methods: [
'POST'
]
}
]
};
server.use(roleBasedAuth).unless(openResources);
This middleware supports debug mode through the use of the debug
NPM module. Please refer to debug's documentation for turning on and off debugging and adjusting environment
variables.
Through the use of debug, the middleware allows you to pull output for all execution paths with
the middleware or for specific portions of execution using the following named debug groups.
All namespaced debug statements will be prefixed with 'RRBA:' for easy identification of debug output originating from this middleware.
Debugging can be activated by setting the DEBUG environment variable at application startup.
In development
DEBUG=* node your-apps-index.js
On a server, such as staging or production, you can use a NPM package like dotenv
to manage the loading of your environment variables based on the current environment using a .env file
placed at the root of your application.
| Debug Key | Description |
|---|---|
| * | All output from the entire middleware as it executes |
| RRBA:processors:authorizationProcessor | output from only the Authorization Processor |
| RRBA:index | output from only the root of the middleware |
FAQs
Role-based authorization middleware for Restify API applications.
We found that restify-role-based-auth demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.
Security News
Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.
Security News
Socket CEO Feross Aboukhadijeh breaks down how North Korea hijacked Axios and what it means for the future of software supply chain security.