Authorizations and Access Control to hide API methods and check access #14

Closed
wants to merge 8 commits into from

metasection

This Pull Request addresses issue #11.

Feedback on implementation is welcome. Pull would be greatly appreciated. Thanks again for building node-restify-swagger.

Usage / Implementation

Hiding routes based on authorization...

  • You create an accessControl function and pass it to loadRestifyRoutes. The accessControl function returns a space-delimited list of user-authorizations (Example: "public account admin").

  • You add an ‘authorizations’ parameter to each route (optional, defaults to public) with a space separated list of route-authorizations (Example: "admin super-admin").

  • When swagger loads, it calls the createResource method in node-restify-swagger, which uses the accessControl method (if provided) to verify the api_key (if provided) and get the user-authorizations.
  • It then iterates over all of the routes and verifies that the user-authorizations are sufficient to provide access to the route based on the route-authorizations.
  • In our examples above, the user would have to have admin or super-admin in order to access the route. In our example, the user has public, account, and admin. Therefore, the user can see and access the route because it has the admin authorization required by the route.

Authorize access middleware...

  • You pass the accessControl function to the swaggerRestify.authorizeAccess middleware function
  • Each time that the route is accessed, the middleware function is executed.
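
The matching rule described above, as an added example that is not code from this pull request or from node-restify-swagger. It shows the documentation filter and the per-request check sharing one predicate. All function names, keys and routes are hypothetical, and treating a missing api_key or a throwing accessControl as `public` is an assumption.

```javascript
'use strict';

// Split a space-delimited list into a Set. Assumption: an empty or missing
// list means "public" (the PR states this default for routes only).
function parseAuthorizations(value) {
  const names = String(value || '').split(/\s+/).filter(Boolean);
  return new Set(names.length ? names : ['public']);
}

// Access is granted when the user holds at least one route authorization.
function isAuthorized(userAuthorizations, routeAuthorizations) {
  const user = parseAuthorizations(userAuthorizations);
  return [...parseAuthorizations(routeAuthorizations)].some((n) => user.has(n));
}

// Fail closed: if accessControl rejects the api_key, treat the caller as
// anonymous instead of propagating an error that might skip the check.
function resolveUser(accessControl, apiKey) {
  try { return accessControl(apiKey); } catch (err) { return 'public'; }
}

// Documentation side: paths of the routes listed for this caller.
function visibleRoutes(routes, accessControl, apiKey) {
  const user = resolveUser(accessControl, apiKey);
  return routes.filter((r) => isAuthorized(user, r.authorizations)).map((r) => r.path);
}

// Enforcement side: the same predicate, so a hidden route is also a denied route.
function mayAccess(route, accessControl, apiKey) {
  return isAuthorized(resolveUser(accessControl, apiKey), route.authorizations);
}

// Constructed sample data (keys, routes and authorizations are made up).
const KEYS = new Map([['key-admin', 'public account admin'], ['key-user', 'public account']]);
const accessControl = (apiKey) => {
  if (apiKey === undefined) return 'public';
  if (!KEYS.has(apiKey)) throw new Error('unknown api_key');
  return KEYS.get(apiKey);
};
const ROUTES = [
  { path: '/status' },
  { path: '/account', authorizations: 'account' },
  { path: '/users', authorizations: 'admin super-admin' },
];

console.log(visibleRoutes(ROUTES, accessControl, 'key-admin'));
console.log(visibleRoutes(ROUTES, accessControl, 'key-user'));
console.log(mayAccess(ROUTES[2], accessControl, 'key-user'));
```

Hiding a route from the listing does not protect it; the request-time check is the control, and the listing filter only keeps the documentation consistent with it.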

@coveralls

Coverage decreased (-21.27%) when pulling fcb9432 on metasection:master into 7ba886d on z0mt3c:master.

return next();
}
else {
var restify = require('restify');
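
Review bot: the `require('restify')` inside the `else` branch is resolved only when that branch runs, so an unresolvable module surfaces as a thrown exception on the path that does not call `next()` instead of at load time. Move the require to module scope, or have the middleware take the error constructor from the caller, so the rejecting path cannot fail in a way the granting path never exercises.
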
Owner

Please don't require inline and remember restify is (was) a dev dependency.

Owner

z0mt3c commented Nov 14, 2014

Sorry, I didn't have much time to look into this during the last few days. Just find a way to deal with the require('restify') part, and it would be great if you could add some tests since this change decreased the coverage by about 21%.
