I'm actually building a RESTFul API node.js based and I m facing a problem.
The domain code is written, and I m now trying to manage access rights on this application and I dont know how to process.
In fact, I need to allow / restrict a ressource access on a user. Actually, I've thought about storing the rights in an array in the user like this :
{
userName:"foo",
userMail:"foo#bar.com",
userApiRightsAllowed:[
{
uri:"/site/1594656",
verb:"post",
},
{
uri:"/sites",
verb:"get",
}
]
}
In a custom middleware, I check if the user rights contains the req.url and the req.verb.
If it's okay, he can access the ressource. In the other case, he get a 403 FORBIDDEN.
The problem
The problem is when I need to get /sites . I authorized the user to get /sites, but he doesn't have the accesses to look at a site detail like /sites/65982 .
But in my list of sites, he will see all the sites and /sites/65982 in it.
Question
What is the best way of managing access rights on an API at the smallest granularity : the resource and the method ?
How can I do to make my code work, and that the user could see only the sites he's able to look at ?
EDIT : I'm working with a MongoDb database
Thanks in advance
Assuming you're using express (based on the tag), sails.js is a great option for extending the functionality of your app beyond the basic REST functionality that express gives you. Sails has some useful addons for helping with management of roles, users, and permissions:
sails-permissions
sails-auth
Related
Greeting, guys
I'm currently working on an authorization function on NestJS for my side project and use Casbin to apply my policies and permissions for users.
One step is that I want to provide an array of [handler name(ie. getAllUsers), api route(ie. api/v1/users), method(ie. get)] as an policy list while app bootstrap which will be wrote to database.
Getting api&method list is not a problem but question is I could't find a solution to get all of the handler name while app bootstrap
Do you have any experience or thoughts on it? would be much appreciate for your valuable sharing.
for the api&method way, I took this post as a reference and it worked well.
for handler name, I was thinking about the ExecutionContext from NestJs but it seems to be working in an interceptor while there is a request
** for those who might wonder why I need to put handler name in my polices, here is the way I implement the Casbin rule.
list a basic policies for all my apis.
create an role and add policies to it by handler name.
appoint the role to the user(whatever the user is) and the user can only access the allowed apis to perform.
My ArangoDB server contains a database (mydb) with a collection (thiscol) and in the collection sits a bit of data. I can login with a user Thijs and look around using the web interface.
I cannot have user Thijs use the REST API, I have tried setting the password, granting access, restarting and making a new user.
The REST interface always returns 401 Unauthorized. I have obviously quadrupple checked the password.
If I use the user root it all works fine.
And I rather not start with Foxx services at this point because it seems to be an enormous amount of work to implement a REST service that allready exists but is not 'available'.
So is the REST API only implemented for a single hard-coded username or am I missing something here..
REST call example: http://localhost:8529/_api/collection
per request
failing GET
Ah, you need to specify the database to use in the URL, without specifying a database it will default to _system. Try localhost:8529/_db/vbo/_api/collection see this documentation page for more info.
Glad to help get it resolved.
I am totally new to Action HeroJS and I was wondering how can I restricted users to access my action herojs rest API, url from the browser?
I have even put the route as POST, but it is still accessible by get method?
Just like in java when we specify a rest api as post, it will not be accessible by get or browser url?
How can I accomplish this?
Edit:
Contacted the Action Hero, on github, they were pretty helpful, the solution was:
in web.js, put simpleRouting : false, and it should resolve the Issue.
Before you could access a post routed action, from the URL but after doing this you cannot!!
accessing a POST using get will return you a 404.
Thanks #Evan
Regardless of your language/framework, all routes are able to be hit by anyone, unless you block them at load-balancer or similar level.
Rather than thinking about the problem as "how to block" access, you should be thinking about the problem like "how can I ensure that this user is authenticated to use this route". Using things like cookies or tokens is the way to go.
You can use actionhero's middleware to apply access rules to specific actions, and return errors to the use if they aren't allowed.
Here's an example project that does these types of things:
Actions for dealing with the session: https://github.com/evantahler/actionhero-angular-bootstrap-cors-csrf/blob/master/actions/session.js
Middleware which uses that session data for access: https://github.com/evantahler/actionhero-angular-bootstrap-cors-csrf/blob/master/initializers/session.js
and finally another action (route/url) which requires the logged-in-session middleware: https://github.com/evantahler/actionhero-angular-bootstrap-cors-csrf/blob/master/actions/showDocumentation.js
I've been using ember, node, express since 2 months ago.
I've developed an small app, now it's time to add user auth to it but I can't figure out how to do this.
There are a few questions I have:
1.- In SPA apps, where there's only index.html, I include all .js ember files. So, the user could be able to see all the app logic without auth?. How can I add the libs only when the user has been auth?
2.- What's the right way to auth in ember? I haven't seen a solution in official documentation.
3.- How the frontend communicates with the backend, what's the logic here? It's in every route?
Also I'm looking for an example or tutorial.
Thanks you!
I believe these videos target exactly your question
http://www.embercasts.com/episodes/client-side-authentication-part-1
http://www.embercasts.com/episodes/client-side-authentication-part-2
just to mention a great resource for ember tutorials http://emberwatch.com/ - it contains screencasts, books, talks.. articles - all you need to get started.
There is nothing bad about "seeing logic", you are protecting data, not code. Still, if you really want to protect your code, you can create a separate login page and require authentication for every other resource (app html, styles, scripts, etc.). But protecting EVERY resource of your app means that you can't delegate handling static files to nginx or cdn or whatnot. So, think carefully.
There are to approaches: embedded authentication and separate login page. For the first one you can use https://github.com/Vestorly/torii or https://github.com/simplabs/ember-simple-auth. If you decide to go with the second, you can just use authentication provided by your backend (passport.js, etc) and redirect to login page on failures.
Nothing special, you just write your model methods and handle possible authorisation errors. You might also want to have a user object around to use in your template and route logic.
I am developing a website in node.js and I am using Parse.com to handle the user registration and the Facebook users.
To handle the Facebook login with Parse, I have to use the line of code:
Parse.initialize(APP_ID, KEY);
which can be accessed by anybody by just looking at the source code of the website.
So my question is: if somebody has access to this information, can he access the data that I stored in Parse? he would just have to create some simple query, no?
I already initialize on the server side so is there a way to tell the template(jade in my case) that Parse has been initialized by passing some kind of parameters?
Thanks
If you set up ACLs and class permissions correctly in your app, then there should be no concern with handing out your JavaScript key. See this page for more information: https://www.parse.com/questions/javascript-sdk-security