REST-bac
A REST based access control list middleware for Express applications.
This middleware allows to protect each method (GET,POST...) of any Express path (all the Express-style paths) with a set of custom roles specified in a configuration JSON.
Install
In your project root type
npm install rest-bac --save
Usage
To use the middleware you need an express application and a rest-bac configuration JSON. The express application should already provide a middleware or some other logic that set the req.user.roles property with an array of roles (string).
NB: the module protect exclusively the paths specified in the REST-BAC configuration JSON. If a business logic route path doesn't have a catching rest-bac path rule you have an Unhautorized 401 response.
JSON Configuration
The following configuration allow a "user" role to do GET requests to /book and all the paths under /book/* that don't match the path /book/admin/. An "admin" role can do POST and GET requests to /book and all its descendant paths /book/
Initialization
To initialize the rest role based access control simply use
var restbac = ; // some code to initialize the express app and the rest-bac configurations // app is the expressjs application// rbac-config is the JSON (parsed) object for the configuration// prefix-path is an optional string to be prefixed to all the paths specified in the rbac-config
Full Example
This is a full example to better understand how to use the middleware.
Server Application Code
This code can be found at /test/server.js. You can run and test it directly with node test/server.js
.
"use strict"; var express = ;var restbac = ; // some code to initialize the express app and the rest-bac configurationsvar app = ; // before use rest-bac the express app need to extract some roles from the request// and put them in the req.user.roles arrayapp; var config = "/book(/*)?": get: "user" "admin" post: "admin" "/book/admin/*": action: "deny" get: "user" ; // setup the rest methods protection --> paths in config are prefixed with "/api/v1"; // now we can define some business logic API routesapp;app;app; // a simple error handler to catch authorization errorapp; var server = app;
Some requests
Valid request for a user role
GET /api/v1/book/123 HTTP/1.1
Host: 127.0.0.1:3000
Authorization: user
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 3
123
Invalid role cause a 401 with a json error message
GET /api/v1/book/123 HTTP/1.1
Host: 127.0.0.1:3000
Authorization: invalid
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Content-Length: 63
{"message":"Unhautorized: Invalid role or path not configured"}
The user cannot request a path under /api/v1/book/admin/*
GET /api/v1/book/admin/some HTTP/1.1
Host: 127.0.0.1:3000
Authorization: user
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Content-Length: 63
{"message":"Unhautorized: Invalid role or path not configured"}
GET /api/v1/book/admin/some HTTP/1.1
Host: 127.0.0.1:3000
Authorization: admin
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 10
admin path