@krimzen-ninja/mongo-crud v0.4.7

mongo-crud

This library was generated with Nx.

Running unit tests

Run nx test mongo-crud to execute the unit tests via Jest.

Running lint

Run nx lint mongo-crud to execute the lint via ESLint.

About

The purpose of this library is not just to CRUD objects, this is already provided for in a simple way by the mongodb package. Instead what I intend is to provide a mechanism of middleware when performing CRUD operations that can alter the data or the nature of the operation prior and post the actual operation. Some of the objectives would be:

1. Prevent CRUD operations if there is a logged in user who doesn't have access to this particular resource. e.g. Customer cannot see orders from other customers
2. Prevent entities in one organisation from performing CRUD operations on entities in other organisations.
   1. While still allowing me to write cross-organisation reports or perform cross-org data migrations
3. Enforce schema of objects prior to being saved - Probably best to do this using a JSON schema on the actual collection, need to test as this will alleviate workload on the api and also ensure any other apps or manual access from storing invalid data.
4. When returning a document from an api, there are certain fields (cost price, passwordHash, etc) that should not be exposed, this should provide a framework for stripping those out, while still allowing these values to be used internally by the code.
5. Set date created
6. Set last updated
7. Add audit information
8. Ownership of entities by logged in user
9. Status (Active/inactive)

Authorisation/Permissions

Objectives

1. Prevent access across orgs if not a super user (e.g. allow super users to pull a report that reads data across orgs)
2. Prevent certain actions on objects based on ownership (e.g. if you don't own a voucher, you can't CRUD it)
3. Prevent certain actions on objects based on status of object (E.g. soft deleted objects can't be updated)
4. limit certain actions on objects to certain roles (e.g. only admins can read reports)
5. Prevent certain fields from being CRUDed by certain types of users (e.g. don't allow user to see or change passwordHash directly)
6. Limit result sets returned to only ones you are allowed (e.g. my orders)

https://dev.to/rschwabco/building-rbac-in-node-3hcb

Casl

https://www.npmjs.com/package/@casl/ability https://casl.js.org/v6/en/package/casl-react https://www.npmjs.com/package/@casl/mongoose (Provides a filtered query)

Cerbos

https://cerbos.dev/video/implement-cerbos-in-less-than-4-minutes

Data stores - https://docs.cerbos.dev/cerbos/latest/configuration/storage.html

Aserto

https://www.aserto.com/