Limit users to their own resources (URL mangling) - node.js

I'm building a SPA with vue and node.js / express.js. At this moment I don't have any way to stop different users from accessing other users' resources by just modifying the id part in one of my URLs. Example:
'/api/v1/house/:id/pets'
I have other endpoints that follow these rules too. I know I could create a middleware for every resource type and add it to the express routes. Something like:
app.get('/api/v1/house/:id/pets', userOwnsHouseMiddleware, appsConfig.getPetsInHouse);
Is this a good way to accomplish this? Could I build a more generic (not resource-dependent) middleware?
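One way to build the generic version, as an added example that is not code from the original question: a single `requireOwnership(resource)` factory that only needs a per-resource loader and the name of the owner column. It runs offline against an in-memory table standing in for the database; the table contents, the resource names, the `loaders` map and the `req.user` shape are all assumptions made for this example. The `(req, res, next)` signature matches Express, but nothing here needs Express installed.

```javascript
// Added example (not code from the original post): a resource-agnostic
// ownership middleware for Express-style handlers. Everything below the
// `db` constant is what you would keep; `db` itself is a constructed
// stand-in for a real database.

// Constructed sample data: two houses owned by two different users.
const db = {
  house: new Map([
    [1, { id: 1, ownerId: 'alice', pets: ['cat'] }],
    [2, { id: 2, ownerId: 'bob', pets: ['dog', 'parrot'] }],
  ]),
};

// One small loader per resource type; each resolves to the row or null.
// This is the only per-resource code: the middleware itself is generic.
const loaders = {
  house: async (id) => db.house.get(Number(id)) || null,
};

// Generic factory. `resource` selects the loader, `param` names the route
// parameter carrying the id, `ownerField` names the column holding the owner.
function requireOwnership(resource, { param = 'id', ownerField = 'ownerId' } = {}) {
  const load = loaders[resource];
  if (!load) throw new Error(`no loader registered for resource "${resource}"`);

  return async function ownershipMiddleware(req, res, next) {
    // Authentication (session, JWT, ...) must already have set req.user;
    // without an identity there is nobody to authorise.
    if (!req.user || req.user.id === undefined) {
      return res.status(401).json({ error: 'authentication required' });
    }
    let row;
    try {
      row = await load(req.params[param]);
    } catch (err) {
      return next(err); // database failure: hand it to the error handler
    }
    // Same status for "does not exist" and "not yours", so a caller cannot
    // enumerate valid ids by telling 403 apart from 404.
    if (!row || String(row[ownerField]) !== String(req.user.id)) {
      return res.status(404).json({ error: 'not found' });
    }
    // Hand the checked row to the handler so it never re-queries by raw id.
    req.resource = row;
    return next();
  };
}

// Handler that relies on the middleware having attached the owned row.
function getPetsInHouse(req, res) {
  res.status(200).json({ pets: req.resource.pets });
}

// Minimal stand-in for an Express response: records status and JSON body.
function fakeRes() {
  const out = { statusCode: 200, body: undefined };
  out.status = (code) => { out.statusCode = code; return out; };
  out.json = (body) => { out.body = body; return out; };
  return out;
}

// Runs middleware then handler for one request, as Express would for
// app.get('/api/v1/house/:id/pets', middleware, handler).
async function runRoute(middleware, handler, req) {
  const res = fakeRes();
  let reachedHandler = false;
  let error = null;
  await middleware(req, res, (err) => { if (err) error = err; else reachedHandler = true; });
  if (error) throw error;
  if (reachedHandler) handler(req, res);
  return res;
}

const userOwnsHouse = requireOwnership('house');

// Usage: alice reads her own house, then bob's, then an anonymous request.
async function demo() {
  const own = await runRoute(userOwnsHouse, getPetsInHouse,
    { user: { id: 'alice' }, params: { id: '1' } });
  const other = await runRoute(userOwnsHouse, getPetsInHouse,
    { user: { id: 'alice' }, params: { id: '2' } });
  const anon = await runRoute(userOwnsHouse, getPetsInHouse,
    { params: { id: '1' } });
  return { own, other, anon };
}

demo().then(({ own, other, anon }) =>
  console.log(own.statusCode, other.statusCode, anon.statusCode)); // 200 404 401
```

The per-resource part shrinks to one loader entry, so `app.get('/api/v1/house/:id/pets', requireOwnership('house'), getPetsInHouse)` reads the same for every resource type. Two choices worth keeping: the handler receives the row the middleware already validated instead of re-fetching by `req.params.id`, and a foreign id gets the same 404 as a missing one so the endpoint does not confirm which ids exist.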

Related

How to get all handler names of controllers while bootstrap?

Greetings, guys.
I'm currently working on an authorization function in NestJS for my side project and use Casbin to apply my policies and permissions for users.
One step is that I want to provide an array of [handler name (i.e. getAllUsers), api route (i.e. api/v1/users), method (i.e. get)] as a policy list during app bootstrap, which will be written to the database.
Getting the api & method list is not a problem, but the question is that I couldn't find a solution to get all of the handler names during app bootstrap.
Do you have any experience or thoughts on it? Your valuable sharing would be much appreciated.
For the api & method way, I took this post as a reference and it worked well.
For the handler name, I was thinking about the ExecutionContext from NestJS, but it seems to work in an interceptor while there is a request.
** For those who might wonder why I need to put handler names in my policies, here is the way I implement the Casbin rule:
List basic policies for all my APIs.
Create a role and add policies to it by handler name.
Assign the role to the user (whatever the user is), and the user can only access the allowed APIs.

Creating routes dynamically at runtime with Warp?

I have a Rust app and I'd like to store routes in a database (it can be an in-memory mock for all I care), but I want to update routes at runtime. I'm ignoring a 404 route or other status routes and assuming anything off the root route of "/" would be fair game for the user to create. That means the user could create "/hello/world/test" and "/hello2/again/test" with no real pattern. Most examples I see assume there will be a pattern.
The idea is that the user would be able to eventually define a route and Rust module and function in the database and then when that route is hit, it would load the function. All the examples I found assume that the routes are known at compile time or follow a pattern.
If hyper is not the framework I should be using let me know.
Thanks!

Express Router Handling

I'm currently using express to handle client requests. At one point I need to handle a get request if the user loads any page of my app. So, I want all the routes to be configured in one place.
For example:
"/about"
"/contact"
"/listing"
"/product"
Above there are multiple routes, and for each route I need to write app.get('/about', handler)... like this. So rather than writing multiple get handlers I want to use these paths dynamically.
Is there a best way which I can use to store all the route paths in one place (not a DB) and read from there only? Currently I am thinking of using JSON where I will store all the paths with method type, params etc.
Also, please validate whether this is a correct approach to handle such things, or if there is any better way or any node module.
It's common practice to write different methods for each route.
This makes sense since you'll want to return something different for /about than for /contact.
To organise this in a scalable manner you should create different files for each route. You can look at this official Express.js example.
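Both the Casbin question above (a policy list of handler name, route and method) and this one (a single table of paths and methods read at startup) want the same artifact. As an added example, not code from either question or from Casbin, here is one route table used for both jobs: it is registered onto an Express-like app with the verb, handler name and path validated first, and the same handler names are what roles grant. The table, handlers, roles and users are constructed for this example, the enforcement is plain JavaScript rather than Casbin's API, and `fakeApp` stands in for an Express application so it runs offline.

```javascript
// Added example (not code from the questions above): one route table that is
// both the route manifest and the policy list. Roles grant handler names.

// Constructed route table: method, path and handler name in one place.
const routeTable = [
  { method: 'get',    path: '/about',            handler: 'about' },
  { method: 'get',    path: '/contact',          handler: 'contact' },
  { method: 'get',    path: '/api/v1/users',     handler: 'getAllUsers' },
  { method: 'delete', path: '/api/v1/users/:id', handler: 'deleteUser' },
];

// Handlers are looked up by name, so the table itself can live in JSON.
const handlers = {
  about:       (req, res) => res.send('about'),
  contact:     (req, res) => res.send('contact'),
  getAllUsers: (req, res) => res.json([]),
  deleteUser:  (req, res) => res.status(204).end(),
};

// Only these verbs may become app[method](...) calls. Validating the table
// before use matters once it is loaded from a file or a database.
const ALLOWED_METHODS = new Set(['get', 'post', 'put', 'patch', 'delete']);

// Registers every entry on an Express-like app. Rejects unknown verbs,
// unknown handler names (including inherited ones such as "constructor")
// and relative paths instead of silently skipping them.
function registerRoutes(app, table, handlerMap) {
  for (const { method, path, handler } of table) {
    if (!ALLOWED_METHODS.has(method)) throw new Error(`method not allowed: ${method}`);
    if (!Object.prototype.hasOwnProperty.call(handlerMap, handler)) {
      throw new Error(`unknown handler: ${handler}`);
    }
    if (typeof path !== 'string' || !path.startsWith('/')) {
      throw new Error(`bad path for ${handler}: ${path}`);
    }
    app[method](path, handlerMap[handler]);
  }
  return table.length;
}

// Roles grant handler names; users hold roles. In Casbin these would be
// p/g rules in the adapter; here they are plain constructed objects.
const rolePolicies = {
  viewer: ['about', 'contact', 'getAllUsers'],
  admin:  ['about', 'contact', 'getAllUsers', 'deleteUser'],
};
const userRoles = { alice: ['viewer'], root: ['admin'], guest: [] };

// Every handler name the user can reach through any of their roles.
function allowedHandlers(user) {
  const names = new Set();
  for (const role of userRoles[user] || []) {
    for (const h of rolePolicies[role] || []) names.add(h);
  }
  return names;
}

// Deny by default: a handler missing from the table or from every role of
// the user is not callable, whatever the incoming route looks like.
function canCall(user, handlerName) {
  const known = routeTable.some((e) => e.handler === handlerName);
  return known && allowedHandlers(user).has(handlerName);
}

// Stand-in Express app that only records what was registered.
function fakeApp() {
  const registered = [];
  const app = { registered };
  for (const m of ALLOWED_METHODS) {
    app[m] = (path) => registered.push({ method: m, path });
  }
  return app;
}

// Usage: register the table, then ask the policy side about two users.
const app = fakeApp();
registerRoutes(app, routeTable, handlers);
console.log(app.registered.length, canCall('alice', 'deleteUser'), canCall('root', 'deleteUser')); // 4 false true
```

In a request-time guard the `handlerName` argument is whatever the framework exposes for the matched route (in NestJS that is `context.getHandler().name`), which is why keeping handler names in the policy list lets the same table drive both registration and authorization.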

Do I need an API route for a home page

I understand that people use something like "/api" to send data. But let's say I have a page that has a route ("/home"). I could do DB stuff and send a res.send() with the data from the DB. Should I be making a call to the /api when the user visits the home page? Why would I need both? I see people talking about api routes but I'm not sure when to use them. I'm assuming we don't do res.render in an /api route. It is mostly to send JSON. I never use api routes; I usually use the /home way. Should I be using the api way?
I'm confused about when to use it.
Edit: I guess a use case for having both is returning data for outside users and also returning data for your website. Do people combine both?
It is just a naming convention. /api is where people keep APIs for single-page apps or mobile apps. If you have neither of those, you can use /home or, for that matter, any named route for your purpose. It is just a coding practice and nothing else.

Can't understand Ember + Node auth

I've been using ember, node, and express for 2 months.
I've developed a small app; now it's time to add user auth to it, but I can't figure out how to do this.
There are a few questions I have:
1.- In SPA apps, where there's only index.html, I include all the .js ember files. So, the user would be able to see all the app logic without auth? How can I add the libs only when the user has been authenticated?
2.- What's the right way to do auth in ember? I haven't seen a solution in the official documentation.
3.- How does the frontend communicate with the backend; what's the logic here? Is it in every route?
Also I'm looking for an example or tutorial.
Thank you!
I believe these videos target exactly your question:
http://www.embercasts.com/episodes/client-side-authentication-part-1
http://www.embercasts.com/episodes/client-side-authentication-part-2
Just to mention a great resource for ember tutorials: http://emberwatch.com/ - it contains screencasts, books, talks, articles - all you need to get started.
There is nothing bad about "seeing logic": you are protecting data, not code. Still, if you really want to protect your code, you can create a separate login page and require authentication for every other resource (app html, styles, scripts, etc.). But protecting EVERY resource of your app means that you can't delegate handling static files to nginx or a CDN or whatnot. So, think carefully.
There are two approaches: embedded authentication and a separate login page. For the first one you can use https://github.com/Vestorly/torii or https://github.com/simplabs/ember-simple-auth. If you decide to go with the second, you can just use the authentication provided by your backend (passport.js, etc.) and redirect to the login page on failures.
Nothing special: you just write your model methods and handle possible authorisation errors. You might also want to have a user object around to use in your template and route logic.
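The "separate login page" approach from the answer above, as an added example that is not the answerer's code: an Express-style gate that lets only the login page through unauthenticated, sends browser navigations to `/login`, and answers the SPA's own data calls with a 401 so the client can handle the failure itself. The decision lives in a pure function so it can be exercised without a server; the public path list, the `/login` location and the `req.session.userId` shape are assumptions made here.

```javascript
// Added example (not from the original answer): a login gate in front of
// every resource except the login page. Pairs with a backend login (e.g.
// passport.js) that sets req.session.userId; that part is assumed.

// Paths reachable before login: the login page plus any asset it needs.
// Everything else (app HTML, scripts, styles, API) requires a session,
// which is exactly why those files can no longer be served by a CDN.
const PUBLIC_PATHS = new Set(['/login', '/login.css']);

// Pure decision for one request:
//   allow    -> call next()
//   redirect -> 302 to /login for browser navigations
//   reject   -> 401 JSON for API and fetch/XHR calls, which the SPA handles
//               by transitioning to its login route itself
function authDecision({ path, authenticated, acceptsHtml }) {
  if (PUBLIC_PATHS.has(path)) return { action: 'allow' };
  if (authenticated) return { action: 'allow' };
  if (path.startsWith('/api/') || !acceptsHtml) {
    return { action: 'reject', status: 401 };
  }
  return { action: 'redirect', status: 302, location: '/login' };
}

// Express middleware applying the decision. Only session presence is
// checked here; which user owns which data stays a per-route concern.
function requireLogin(req, res, next) {
  const accept = (req.headers && req.headers.accept) || '';
  const d = authDecision({
    path: req.path,
    authenticated: Boolean(req.session && req.session.userId),
    acceptsHtml: accept.includes('text/html'),
  });
  if (d.action === 'allow') return next();
  if (d.action === 'redirect') return res.redirect(d.status, d.location);
  return res.status(d.status).json({ error: 'login required' });
}

// Usage: app.use(requireLogin) before express.static and the API router.
console.log(
  authDecision({ path: '/', authenticated: false, acceptsHtml: true }).action,
  authDecision({ path: '/api/v1/houses', authenticated: false, acceptsHtml: false }).action,
); // redirect reject
```

Mounting `requireLogin` ahead of `express.static` is what makes the "protect EVERY resource" trade-off concrete: the script bundle is no longer a cacheable public file, so the gate must sit in the Node process rather than in nginx or a CDN.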
