Sri4node-security-api NPM

About

A module that connects a sri4node backend to the sri security api (https://github.com/rodrigouroz/sri-security-api).

Installing

Installation is simple using npm :

$ cd [your_project]
$ npm install --save sri4node-security-api

Usage

The module exposes a function for each one of the after functions available in a resource in sri4node:

checkReadPermission: an afterread function implementation (Check afterread in sri4node)
checkInsertPermission: an afterinsert function implementation (Check afterinsert in sri4node)
checkUpdatePermission: an afterupdate function implementation (Check afterupdate in sri4node)
checkDeletePermission: a secure function implementation that checks a DELETE method (Check secure in sri4node)

This modules connects to the sri-security-api and checks permissions on the actions performed. If there are no permissions the promise is rejected.

CRUD rules must exist in the sri-security-api for the permissions to work.

In order to use it in a sri4node backend, you need to import the module:

var sri4nodeSecurity = require('sri4node-security-api');

This returns a construction function that must be invoked with these parameters:

var generalSecurity = sri4nodeSecurity(Config, sri4node.utils);

Where the Config object must have the following properties:

USER a valid username to connect to the Security API
PASSWORD a valid password to connect to the Security API
SECURITY_API_HOST the host of the Security API
HEADERS any extra header to be added to the requests to the Security API

The second argument is the utils attribute of the sri4node backend (Check General Utilities)

This returns a constructor function that can be used to build one security module for each component.

For example, for the component persons-api:

var securityForPersons = generalSecurity('/security/components/persons-api');

Then it must be hooked to the resource, such as this:

return {
  type: '/content',
  public: false,
  secure: [security.checkDeletePermission],
  ...
  afterread: [security.checkReadPermission],
  afterupdate: [security.checkUpdatePermission],
  afterinsert: [security.checkInsertPermission],
  ...
};

It's important to note that the checkDeletePermission method is not an after function. It has the interface of a secure function because it must be checked before the resource is deleted, unless with the other methods that must be checked after it's altered.

sri4node vsko

needle q retry

@infinitebrahmanuniverse/nolb-sr @everything-registry/sub-chunk-2813

8 years ago

8 years ago

8 years ago

8 years ago