A REST API is written in ExpressJs 4.x.x / NodeJS.
Let's assume an interface :
app.delete('/api/v1/users/:uid', function (req, res, next) {
...
}
So with that interface users can be deleted.
Let's assume there are 2 Customers in the system, and each Customer has Users. A User can have the privilege of deleting other Users with a role named CustomersAdmin.
But this User should only be able to delete Users which are Users from his Company(Customer).
So, let's get ACL into the scene. Assuming in our ACL we can define roles, resources and permissions. (Code is adopted from http://github.com/OptimalBits/node_acl#middlware.)
app.delete('/api/v1/users/:uid', acl.protect(), function (req, res, next)
{
// ? Delete User with uid = uid or check
// ? first if current user is in same company as user uid
}
There are two things to consider. One is protecting the route from persons without permission to HTTP/DELETE on that route ( /api/v1/users/:uid ) and the other is that a Person with Role CustomersAdmin shall not be allowed to delete Users from another Customer.
Is ACL supposed to do both? Or is it supposed to protect the route /api/v1/users?
So, would I use it like
acl.allow([
{
roles:'CustomersAdmin',
allows:[
{resources:['/api/v1/users', '/api/v1/users'] permissions:'delete'}
}
app.delete('/api/v1/users/:uid',acl.middleware(3), function(req,res,next)
{
Make sure uid is a User from same Customer as request is from(req.session.userid)
}
This would allow every User with Role CustomersAdmin to delete whatever user he wants.
Or is it preferable to define each possible Users route as a Resource and define multiple Roles which can interact with them?
acl.allow([
{
roles:'CustomersAdminOne',
allows:[
{resources:['/api/v1/users/1', '/api/v1/users/2'], permissions:'delete'}]
},
{
roles:'CustomersTwoAdmin',
allows:[
{resources:['/api/v1/users/3','/api/v1/users/4'], permissions:'delete'}
]
}
app.delete('/api/v1/users/:uid',acl.middleware(), function(req,res,next)
{
no logic needed to be sure that request is from a user within the same customer
}
The way I solved this was to create a role per user. I use a mongoose post save hook:
acl.addUserRole(user._id, ['user', user._id]);
Then in a post save hook for a resource I do this:
acl.allow(['admin', doc.user._id], '/album/' + doc._id, ['*']);
acl.allow(['guest', 'user'], '/album/' + doc._id, ['get']);
You can then use the isAllowed method to check if req.user has the right permissions.
Related
I am using firebase to generate JWT tokens to authorize access to a hasura graphql server.
I want an end user to have a callable firebase function that they can call from the app so they can change the x-hasura-role in their claims without changing other parts of their claims. I am guessing the best way to do this is to export the old custom user claims and set a new role inputted by the user.
PseudoCode:
exports.changeUserType = functions.https.onCall( async (data, context) => {
var userType = data.usertype;
// get the old user claims somehow
// check if user should be able to change their userType via a graphql query
...
// edit the user claims
return admin.auth().setCustomUserClaims(userType, {
'https://hasura.io/jwt/claims': {
'x-hasura-role': userType,
'x-hasura-default-role': 'orgdriver',
'x-hasura-allowed-roles': ['orgauditor', 'orgdriver', 'orgmanager', 'orgadmin', 'orgdirector'],
'x-hasura-user-id': user.uid // <-- from the old claims so user can't edit
}
});
If there is a better way to do this, maybe by grabbing a user's id from the auth database by checking who ran the function please tell me. Thank you in advance.
When a Firebase Authenticated user hits a Firebase Function, their uid is passed in through context. I would ensure they are authenticated first:
if (context.auth == undefined) {
throw new functions.https.HttpsError(
'failed-precondition',
'The user must be authenticated.',
);
}
Then I would grab their uid:
const uuid = context?.auth?.uid as string;
Then you can get their user using the firebase-admin library's getAuth():
// get user
const user = await getAuth().getUser(uuid);
Now finally you can set your new custom claim property:
// set the hasura role
return await getAuth().setCustomUserClaims(uuid, {
...user.customClaims,
'x-hasura-role': userType,
});
Be sure to import:
import { getAuth } from 'firebase-admin/auth';
In this way you can safely know the user is authenticated and a uid exists, then you can simply grab the user and all their existing claims, then when you go to update destructure all existing claims values, and update the one value you want.
In this way get all the user's old claims, ensure they are authenticated, retain all old claim properties, and update the one thing you want to update.
I hope that helps out!
I need authorization in NestJS based on instances property.
Ex. user can update only his own articles.
Is there another way despite defining the logic in each services? ( I know it is possible using CASL )
Not having a global guard will facility errors, and everything is authorized by default unless add logic on the service.
What about creating a function that takes the request, the model and the name of the proprety and use it wherever you want ?
const verifAuthorization = (
req: Request,
propName: string,
model: any
): void => {
const sender: User = req.user;
if (!sender) {
throw new BadRequestException("there is no user in the token");
}
if (!sender._id.equals(model[propName])) {
throw new UnauthorizedException();
}
};
Yes ! you will call it in every service you want to check the authorization in, but it will save you a lot of time and code
Using the Node.js SDK, I've created a user and a resource group. How can I now assign the user to the resource group as an owner?
You could refer to this example.
authzClient.roleAssignments.create(scope, assignmentGuid, roleCreateParams, function (err, roleAssignment, req, res) {
if (err) {
console.log('\nError occured while creating the roleAssignment: \n' + util.inspect(err, { depth: null }));
return;
}
According to your need, you need the example.
Owner role id is 8e3af657-a8ff-443c-a75c-2fe8c4bcb635.
scope should be like this /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1.
Replace application id to your user object id.
Also, you could use Azure rest API to do this, please refer to this link.
I am using Auth0 to manage a large set of users across several different applications with some being web based and others desktop and mobile. Under the meta data for each user I have an array of applications each user can access, I wondered how I might check this when authenticating so that access would be refused if not within that list.
I can do this very easily on the applications, however it would be great to do it on Auth0.
Using a Rule defined as follows has provided me with the functionality I was looking for:
function (user, context, callback) {
// ACL object
var acl = {
"someAppName": [ 'user1#mail.com', 'user2#mail.com' ],
"otherApp": ['user2#mail.com']
}
// if App is not in the ACL, skip
if(!acl.hasOwnProperty(context.clientName)){
return callback(null, user, context);
}
// check if user has access to app
var userHasAccess = acl[context.clientName].some(
function (email) {
return email === user.email;
}
);
if (!userHasAccess) {
return callback(new UnauthorizedError('Access denied.'));
}
callback(null, user, context);
}
Consider the following scenario:
There's a collection called Resources and a special user can CRUD it on an admin site.
When a regular user accesses the site, the routes are created dynamically in the browser depending on a subscription to Resources.
We would like to pause the router lookup until the subscription's callback function terminates. Otherwise the user is presented a "404" when accessing /<dynamically-created-route> directly.
Is there an easy way to do this?
Something like this? You create a dynamic route based on a resource id, waitOn a subscription with the id value, and then route based on whether or not you can access the resource with the id. This assumes you have the proper publishing setup in your server code also.
Resources = new Mongo.Collection("resources");
Router.route("/resources/:_id", {
name: "resources",
waitOn: function() {
// Waits on the subscription
return Meteor.subscribe("resources", this.params._id);
},
action: function() {
// Should only return the resource you subscribed to unless you
// subscribe to resources in another part of your application
var resource = Resources.findOne({});
if (resource) {
// The resource exists and the user is able to access it.
this.render("resourceTemplate", {
data: {
resource: resource
}
});
}
else {
Router.go("/404");
}
}
});