Authentication policies #192
Comments
|
As I understand it, policies are middleware that perform access control checks. That should work fine with koa-router. However, if you're using a rich DBMS like Postgres I think it's better to have access control logic at the DB rather than your application code. |
|
The router already exposes the most general solution possible by letting you plug your own middleware. Sails.js ships with an authorization solution because one of its core goals is to be a prescriptive layer on top of Express, but koa-router is a lower-level building block. For the same reason, Express' router doesn't come with an authorization abstraction. |
|
@danneu agreed, it should be middleware The problem is, as far as I'm aware, you can't attach any data to a particular route definition. It's just a route regexp and middleware / callbacks. So you can't say for example that '/home' should have some particular flags like "logged in only" that could be used by policy middleware. I could use named routes, like that, and say that |
|
This can be accomplished via nested routers and middleware, if I understand what you are looking for correctly. For example, let's say you have an admin section of a web site that requires the admin role. All the routes in that section would go in an admin router. The admin router would call use and then build up the middleware that applies your policies. let adminRouter = new Router({prefix: '/admin'});
adminRouter.use(getPolicyMiddleware(['policy1','policy2']); // this is just a function that returns your middleware that represents your policies, it can be composed any way you want.
adminRouter.get('/foo', function *(next) {}); // whatever you want here
baseRouter.use(adminRouter.routes()); // your base routerThe policy middleware is just regular koa middleware that the router runs before it gets to your actual route. A basic example (assuming earlier in the pipeline you put on the state of the koa context whether the user is an admin or not, perhaps after establishing a session). function *(next) {
if (this.state.isAdmin) {
yield next;
} else {
this.throw(403, 'You are not authorized.');
}
}I originally came from Sails too (it seemed like a good beginners library) and tried to apply the same concepts. Actually, if you want to get right down to it you can apply a dispatch layer over the router to apply whatever parameters and policies you want. I use a simple dispatch to connect my koa-router routes with a controller. Something like ... router.get.apply(router, dispatchToController('/some/url', 'controller/path', 'methodOnController', [policy1, policy2]));The function returns an array of arguments that feed into the router, which basically amounts to a URL and a bunch of middleware to do whatever work we want. You could stick all your routes in whatever data structure you want, iterate over them and dispatch according to whatever convention you want. |
Hi @alexmingoia
Thank you for this router, works great.
I think policy-based access control would be very useful. Coupling this with router seems to have advantages. I'm currently implementing this for my project
Something like: http://sailsjs.org/documentation/concepts/policies
What do you think?
The text was updated successfully, but these errors were encountered: