0.1.1 • Published 10 years ago

express-roles v0.1.1

Weekly downloads: 15
License: ISC

express-roles

Dead-simple middleware for express (and other connect-based applications) that restricts access to other middleware by role.

Note that connect-roles is currently a significantly more advanced package than this one. If you're looking for production-ready, battle-tested role management, connect-roles is your port of call. This is just an experiment for myself. That said, express-roles is significantly more lightweight than connect-roles and allows users to have multiple roles, so there is some variation between the two.


API

  var roles = require('express-roles');

  // limit access to myAppController to users with the 'administrator' role
  app.use(roles('administrator'), myAppController);
  // you can also use array arguments - both of the statements below are equivalent
  app.use(roles(['foo', 'bar']), myAppController);
  app.use(roles('foo', 'bar'), myAppController);

Notes

express-roles reads req.user.roles to determine which roles the current user holds. If req.user.roles is undefined, null or otherwise unreachable, then express-roles MUST act as if the user is unauthorized to access the current route. If the current user has all of the roles required, then the next handler in the chain will be called. If the user is determined to be unauthorized to access the current route, express-roles will send an HTTP 401 response to the user and end the request.
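
A sketch of the behaviour described above, added here as an example; it is not the express-roles source. requireRoles and simulate are hypothetical names, the fake req/res objects are constructed, and rejecting an empty role list at setup is an assumption the README does not state.

```javascript
// Added sketch of the contract in the Notes section; not the express-roles source.
// requireRoles and simulate are hypothetical names used only in this example.
function requireRoles() {
  // Accept requireRoles('a', 'b') and requireRoles(['a', 'b']) alike.
  var required = Array.prototype.concat.apply([], arguments);

  // Assumption (not stated in the README): an empty list is a configuration
  // mistake, so fail at setup instead of building a guard that admits everyone.
  if (required.length === 0) {
    throw new TypeError('requireRoles needs at least one role');
  }

  return function (req, res, next) {
    var held = req && req.user && req.user.roles;
    // Fail closed: undefined, null, or a non-array value means "no roles".
    // A bare string is rejected so a substring can never pass as a role.
    if (!Array.isArray(held)) held = [];

    var ok = required.every(function (role) {
      return typeof role === 'string' && held.indexOf(role) !== -1;
    });
    if (ok) return next();

    res.statusCode = 401; // the status the README specifies
    res.end();            // end the request; next() is never reached
  };
}

// Constructed harness: drives the middleware with fake req/res objects and
// records the outcome, so no HTTP server is needed.
function simulate(middleware, req) {
  var outcome = { nextCalled: false, status: null, ended: false };
  var res = {
    statusCode: 200,
    end: function () { outcome.ended = true; outcome.status = this.statusCode; }
  };
  middleware(req, res, function () { outcome.nextCalled = true; });
  return outcome;
}
```

The 401 status follows the README. In HTTP semantics 401 signals missing or failed authentication, while 403 is the usual answer for an authenticated user who lacks a required role.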

Road Map

  • 0.1.0 - Basic functionality, allowing for routes to be restricted based on a string-based role
  • 0.2.0 - Role inheritance - the ability to specify that role foo 'inherits' from bar, so that foo has access to any route bar has access to.
  • 0.3.0 - Integration with third-party role providers - the ability for users to tell express-roles to look elsewhere (other than req.user.roles) for the roles of a user.

0.1.1 - 10 years ago
0.1.0 - 10 years ago
0.0.1 - 10 years ago