1.0.1 • Published 2 years ago
node-express-rbac v1.0.1
node-express-rbac
Express Middleware for Role Based Access Control, this library enable you to manage the requests made to your express server.
Installation
$ npm install node-express-rbac --saveUse
First step is to create your access control, it could be stored in a database, file or a simple array, the structure should follow the below example.
Definition of Access Control
| Option | Default | Description |
|---|---|---|
| access_group | String | The access group with name. |
| permissions | Array | Array of permissions that defined to an access group, to allow or deny. |
| resource | String | The route that the permission will be applied. Use * to include all routes or sub-routes. e.g. /foo/*. |
| methods | String \| Array | The methods that the permission will be applied. Use * to include all methods. |
| action | String | This property tells node-express-rbac what action will be applied on the permission, deny or allow. |
Example
[
{
"access_group":"admin",
"permissions":[
{
"resource":"*",
"methods":"*",
"action":"allow"
}
]
},
{
"access_group":"guest",
"permissions":[
{
"resource":"/foo",
"methods":["POST"],
"action":"deny"
},
]
}
]config[type: function]
This methods loads the configuration to node-express-rbac.
| Option | Default | Description |
|---|---|---|
| access_control | Array | The access control array. |
| access_group_search_path | String | The path in request object where access group resides. |
| custom_message | String | The custom message when user is denied. |
| default_access_group | String | The default access_group to be assigned if no role defined. |
| prefix | String | The base URL of your api. e.g. api/v1. |
Example
const app = require('express');
const path = require('path');
const fs = require('fs');
const expressRBAC = require('node-express-rbac');
// Using access control from file
const accessControlFile = fs.readFileSync(
path.join(__dirname, './access-control/access-control.json'));
expressRBAC.config({
prefix: '/api/v1',
access_control: accessControlFile,
});authorize[type: function]
This methods is the middleware to node-express-rbac manage your requests.
In an express based application:
Example
const express = require('express');
const app = express();
app.use(expressRBAC.authorize());unless[type: function]
By default, node-express-rbac will block any route that does not have access control defined. This method allows you to create exceptions for routes that did not use node-express-rbac.
| Option | Type | Description |
|---|---|---|
| resources | String\|Array | String or an array of string containing the resource to be skipped. It also could be an array of object which is resource and methods key-pairs. |
| methods | String\|Array | String or an array of string containing the methods to be skipped. |
| useOriginalUrl | Boolean | It could be true or false, default is true. if false, resource will match against req.url instead of req.originalUrl. Please refer to express for the difference between req.url and req.originalUrl. |
Example
const express = require('express');
const app = express();
app.use(expressRBAC.authorize().unless({ resources: ['/foo'] }));