0.0.4 • Published 4 years ago
express-gateway-plugin-access-controller v0.0.4
express-gateway-plugin-access-controller
This plugin for Express Gateway allow to easily control accces for your APIs.
When using this plugin, by default:
- All API resources are blacklisted
- All requests filters are whitelisted
Installation
Simply type from your shell environment:
eg plugin install express-gateway-plugin-access-controller
Quick start
Make sure the plugin is listed in system.config.yml file. This is done automatically for you if you used the command above.
Add the configuration keys to gateway.config.yml file.
In the exemples below, we are using 2 others plugins:
- jwks plugin : to validate our JWT Bearer
- jwt-forwarder plugin : to extract in header our JWT "sub" field (for owner validity cases)
Use case
policies:
- jwks:
- jwt-forwarder:
- access-controller:
- action:
# We define what represent the current auth user from the request (it will be evaled on runtime)
user: 'req.get("x-jwt-sub")' # [OPTIONNAL] Will be compared to owner of the resource uri when using options like 'requireOwner' or 'exceptOwner'
# We list rejected filters rules
rejectFilters: # [OPTIONNAL]
- filter: 'Account' # reject filter matching key & value (?account=details)
key: 'account'
value: 'details' # [OPTIONNAL]
- filter: 'FieldExist' # reject filter matching key (?field_exist or ?field_exist=whatever)
key: 'field_exist'
# Last but not least, we list our allowed resources, where we can plug our desired rejected filters rules set above
allowedResources: # [REQUIRED]
- resource: '/api/users'
methods: # [REQUIRED]
- method: 'GET'
filtersRejection: # [OPTIONNAL]
- filter: 'Account'
- filter: 'FieldExist'
- resource: '/api/users/{owner:\d+}' # we can catch required owner using "{owner:x}", where x is a standard regex pattern
methods: # [REQUIRED]
- method: 'GET'
- method: 'PUT'
requireOwner: true # [OPTIONNAL] Only owner is allowed to use this method
filtersRejection: # [OPTIONNAL]
- filter: 'Account'
exceptOwner: true # [OPTIONNAL] reject this filter excepted for owner
- resource: '/api/users/{\d+}/contacts' # we can use standard regex pattern inside "{}"
methods: # [REQUIRED]
- method: 'GET'
filtersRejection: # [OPTIONNAL]
- filter: 'Account'
- filter: 'FieldExist'
Want to make your own plugin?
Just check out our plugin development guide. We can't wait to see your custom stuff in the Gateway!