@ryanburnette/authorization

6.0.0 • Public • Published

A stupid simple authorization strategy for APIs.

Installation

npm install --save @ryanburnette/authorization

Usage

This strategy makes a couple of assumptions about the request. Whatever authenticates the user must run before this middleware and set them.

  • req.user is an object that describes this user
  • req.user.roles is an array of strings that describes the roles this user has

A basic implementation looks something like this.

import express from 'express';
import Authorization from '@ryanburnette/authorization';

const app = express();

// use it on a group of endpoints
app.use(
  '/api/widgets',
  Authorization.middleware({ methods: ['GET', 'POST'], roles: ['user', 'admin'] }),
  Authorization.middleware({ methods: ['DELETE'], roles: ['admin'] }),
  function (req, res) {
    res.statusCode = 200;
    res.end();
    return;
  }
);

// use it on a single endpoint
app.get(
  '/api/employees',
  Authorization.middleware({ roles: ['user', 'admin'] }),
  function (req, res) {
    res.statusCode = 200;
    res.end();
    return;
  }
);

app.use(function (err, req, res, next) {
  // catch errors from this strategy
  if (err.code === 'E_FORBIDDEN') {
    res.statusCode = 403;
    res.end();
    return;
  }
  console.error(err);
  res.statusCode = 500;
  res.end();
});
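
The contract above, sketched as an added example (a stand-in written for this page, not the package's source): the check fails closed when `req.user` or `req.user.roles` is missing or malformed. `requireRoles`, `denyUnlisted`, `forbidden` and `decide` are hypothetical names, and the stand-in assumes a rule that lists `methods` ignores other methods, which the page does not state for the package itself.

```javascript
// Stand-in for a role check, NOT the package's source (added illustration).
// Assumption: a rule that lists `methods` ignores requests using other methods.
function requireRoles({ methods, roles }) {
  return function (req, res, next) {
    // Rule does not apply to this HTTP method: hand over to the next rule.
    if (Array.isArray(methods) && !methods.includes(req.method)) return next();
    // Fail closed unless authentication set req.user.roles to an array.
    const held = req.user && Array.isArray(req.user.roles) ? req.user.roles : [];
    if (held.some((role) => roles.includes(role))) return next();
    next(forbidden());
  };
}

function forbidden() {
  const err = new Error('forbidden');
  err.code = 'E_FORBIDDEN'; // the code the page's error handler checks
  return err;
}

// Last rule in a chain: rejects any method that no earlier rule listed.
function denyUnlisted(listed) {
  return function (req, res, next) {
    next(listed.includes(req.method) ? undefined : forbidden());
  };
}

// Walk a chain as Express would: the first error wins, otherwise the handler runs.
function decide(chain, req) {
  for (const mw of chain) {
    let error;
    mw(req, {}, (e) => { error = e; });
    if (error) return error.code;
  }
  return 'ALLOWED';
}

const widgetRules = [
  requireRoles({ methods: ['GET', 'POST'], roles: ['user', 'admin'] }),
  requireRoles({ methods: ['DELETE'], roles: ['admin'] }),
];
const hardened = [...widgetRules, denyUnlisted(['GET', 'POST', 'DELETE'])];

// Constructed sample requests.
const userDelete = { method: 'DELETE', user: { roles: ['user'] } };
const anonPut = { method: 'PUT' }; // no req.user at all
console.log(decide(widgetRules, userDelete));
console.log(decide(widgetRules, anonPut));
console.log(decide(hardened, anonPut));
```

Under the stated assumption, a method that no rule lists reaches the handler, so it is worth testing the installed version with such a request and ending the chain with a deny rule if it gets through.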

Test

npm install --no-save express
npm test

Weekly Downloads

136

License

ISC

Unpacked Size

5.43 kB

Total Files

7

Collaborators

  • ryanburnette