chore: initial import

.editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true

.github/stale.yml

@@ -0,0 +1,21 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 15
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - 'discussion'
+  - 'feature request'
+  - 'bug'
+  - 'help wanted'
+  - 'plugin suggestion'
+  - 'good first issue'
+# Label to use when marking an issue as stale
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

.github/workflows/ci.yml

@@ -0,0 +1,20 @@
+name: ci
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node: [10.x, 12.x, 14.x]
+    name: Node ${{ matrix.node }}
+    steps:
+      - uses: actions/checkout@v1
+      - name: Setup node
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node }}
+      - run: npm install
+      - run: npm run lint
+      - run: npm run test:ci
+      - run: bash <(curl -s https://codecov.io/bash)

.gitignore

@@ -0,0 +1,49 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directory
+node_modules
+
+# Optional npm cache directory
+.npm
+
+# Optional REPL history
+.node_repl_history
+
+# 0x
+.__browserify_string_empty.js
+profile-*
+
+# tap --cov
+.nyc_output/
+
+# JetBrains IntelliJ IDEA
+.idea/
+*.iml
+
+# VS Code
+.vscode/
+package-lock.json
+yarn.lock

.npmignore

@@ -0,0 +1,89 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+
+# next.js build output
+.next
+
+# 0x
+.__browserify_string_empty.js
+profile-*
+
+# JetBrains IntelliJ IDEA
+.idea/
+*.iml
+
+# VS Code
+.vscode/
+
+# lock files
+package-lock.json
+yarn.lock
+
+# Travis configuration files
+ci_scripts/
+.travis.yml
+
+# Git configuration files
+.gitattributes
+.gitignore
+.github
+.DS_Store
+
+# examples folder
+examples/

.prettierrc

@@ -0,0 +1,6 @@
+{
+  "singleQuote": true,
+  "semi": false,
+  "arrowParens": "avoid",
+  "trailingComma": "none"
+}

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Fastify
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,107 @@
+# fastify-casbin-rest
+
+![Continuous Integration](https://github.com/nearform/fastify-casbin-rest/workflows/ci/badge.svg)
+[![codecov](https://codecov.io/gh/nearform/fastify-casbin-rest/branch/master/graph/badge.svg?token=BwsVjvYSJb)](https://codecov.io/gh/nearform/fastify-casbin-rest)
+[![npm version](https://badge.fury.io/js/fastify-casbin-rest.svg)](https://badge.fury.io/js/fastify-casbin-rest)
+
+A plugin for [Fastify](http://fastify.io/) that adds support for [Casbin](https://casbin.org/) RESTful model.
+
+It depends and builds on top of [fastify-casbin](https://github.com/nearform/fastify-casbin) and provides an opinionated approach to model an authorization scheme based on a RESTful model using [Casbin Node.js APIs](https://github.com/casbin/node-casbin) within a Fastify application.
+
+## Install
+
+```
+npm i casbin fastify-casbin fastify-casbin-rest
+```
+
+> `fastify-casbin` must be registered in the Fastify instance
+
+## How it works
+
+Once registered, the plugin use the Fastify instance decorated by `fastify-casbin` and will automatically enforce authorization rules to routes where the plugin is enabled.
+
+It uses the default Casbin's `sub`, `obj` and `act` entities and extracts them automatically from the request.
+
+When a rule is not satisfied, it returns a `403 Forbidden` error by default.
+
+All the options can be customized when registering the plugin.
+
+## API
+
+The plugin must be explicitly enabled on individual routes via route options. The plugin will have no effect on routes on which it is not enabled.
+
+```js
+fastify.route({
+  // ... other route options
+  casbin: {
+    rest: true
+  }
+})
+```
+
+The API exposed by this plugin is the configuration options:
+
+| Option   | Type                            | Description                                       | Default                         |
+| -------- | ------------------------------- | ------------------------------------------------- | ------------------------------- |
+| `getSub` | `Request => string`             | Extracts `sub` from the request                   | `r => r.user`                   |
+| `getObj` | `Request => string`             | Extracts `obj` from the request                   | `r => r.url`                    |
+| `getAct` | `Request => string`             | Extracts `act` from the request                   | `r => r.method`                 |
+| `onDeny` | `(Reply, sub, obj, act) => any` | Invoked when Casbin's `enforce` resolves to false | Returns a `403 Forbidden` error |
+
+## Examples
+
+A working example can be found in the [examples](examples) folder.
+
+The example below uses [fastify-jwt](https://github.com/fastify/fastify-jwt) to authenticate users and extract user information from the request.
+It uses sample REST [model](examples/fastify-casbin-rest-example/config/rest_model.conf) and [policy](examples/fastify-casbin-rest-example/config/rest_policy.csv) files.
+
+```js
+const fastify = require('fastify')()
+
+// register jwt plugin
+fastify.register(require('fastify-jwt'), {
+  secret: 'some secret'
+})
+
+// register casbin plugin
+fastify.register(require('fastify-casbin'), {
+  modelPath: 'rest_model.conf', // the model configuration
+  adapter: 'rest_policy.csv' // the adapter
+})
+
+// register and configure casbin-rest plugin
+fastify.register(require('fastify-casbin-rest'), {
+  getSub: r => r.user.payload.username
+})
+
+// decorate Fastify instance with authenticate method
+fastify.decorate('authenticate', async function (request, reply) {
+  try {
+    await request.jwtVerify()
+  } catch (err) {
+    reply.send(err)
+  }
+})
+
+// sample login endpoint which always authenticates the user
+fastify.post('/login', async request => {
+  return fastify.jwt.sign({ payload: { username: 'alice' } })
+})
+
+fastify.get(
+  '/protected',
+  {
+    // ensure user is authenticated
+    preValidation: [fastify.authenticate],
+    // enable fastify-casbin-rest plugin on this route
+    casbin: {
+      rest: true
+    }
+  },
+  async () => `You're in!`
+)
+```
+
+## License
+
+Licensed under [MIT License](./LICENSE)

examples/fastify-casbin-rest-example/.env.sample

@@ -0,0 +1,3 @@
+PG_CONNECTION_STRING=postgres://postgres:postgres@localhost:5433/postgres
+JWT_SECRET=secret
+CASBIN_ADAPTER=file  # file|pg

examples/fastify-casbin-rest-example/.gitignore

@@ -0,0 +1 @@
+.env