Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Node.js + Express.js User Permission Security Model

We have an application that has two types of users. Depending on how the user logs in, we want them to have access to different parts of the application.

How do we implement a security model for preventing users from seeing things they do not have access to?

Do we make security part of each routes implementation? The problem being that we will have some duplicate logic across requests. We could move this into helper functions, but we'd still need to remember to call it.

Do we make security part of a global app.all() route handler? The problem being that we have to inspect each route and do different logic based on a multitude of rules. At least all the code is in one place, but then... all the code is in one place.

like image 398
Travis Parks Avatar asked Mar 07 '12 21:03

Travis Parks


2 Answers

Having it per-route usually works for me. This is what I typically do:

function requireRole (role) {     return function (req, res, next) {         if (req.session.user && req.session.user.role === role) {             next();         } else {             res.send(403);         }     } }  app.get("/foo", foo.index); app.get("/foo/:id", requireRole("user"), foo.show); app.post("/foo", requireRole("admin"), foo.create);  // All bars are protected app.all("/foo/bar", requireRole("admin"));  // All paths starting with "/foo/bar/" are protected app.all("/foo/bar/*", requireRole("user")); 
like image 121
Linus Thiel Avatar answered Sep 29 '22 07:09

Linus Thiel


You can use ability-js with everyauth, which is quite similar to CanCan for Rails https://github.com/scottkf/ability-js

like image 45
Clément Renaud Avatar answered Sep 29 '22 09:09

Clément Renaud