Route authorization module for Node.js Express applications.
# Add fi-auth to the project's dependencies (same as `npm install --save fi-auth`)
npm i -S fi-auth
// The module exports a single function, called later as auth(app, config)
const auth = require('fi-auth');
You must call it with your Express app instance (to attach the routes) and a configuration object. It's important to initialize the Express session before you configure Fi Auth, since the authorizer result is stored in `req.session`:
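var session = require('express-session');
var express = require('express');
var auth = require('fi-auth');

var app = express();

/* Fi Auth stores the authorizer result in req.session.authorized, so the
 * session middleware must be mounted before auth(app, config) is called.
 * express-session refuses to handle requests unless a `secret` is configured,
 * so the bare session() call would not work; read the secret from the
 * environment rather than hard-coding it in source. */
app.use(session({
  secret: process.env.SESSION_SECRET, /* a long, random value */
  resave: false,
  saveUninitialized: false
}));

/* `config` is the configuration object described below */
auth(app, config);

/* And now your routes... */
app.get('/', function (req, res, next) {
  //...
});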
The configuration object must have an `authorizer` function and a `routes` array. The `debug` parameter is optional but recommended.

IMPORTANT: All routes are allowed by default! Only the paths listed in `routes` are checked; any route you leave out is reachable by every request.
- debug: This option can be a `Function` to log with or a `Boolean`. If `true` it'll use `console.log`.
- authorizer: This is required and must be a `Function`. This `Function` runs on each request and should return the `String` or `Number` that will be compared against the `allows` parameter value inside each route definition. The authorizer `Function` return value will be attached to `req.session.authorized`.
- routes: An `Array` with the routes to authorize:
  - method: A `String` or an `Array` of HTTP request method(s) to filter. If no method is specified it defaults to all.
  - path: A `String` or an `Array` of strings with the route(s) path(s) to filter.
  - allows: A `String` or an `Array` of authorization value(s) to compare with the authorizer method returned value.
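/* The configuration object passed as the second argument to auth(app, config) */
var config = {
  /* Optional: a Function to log with, or true to log through console.log */
  debug: require('debug')('app:auth'),

  /* Required: runs on every request. Its return value is compared with the
   * `allows` of each matching route and attached to req.session.authorized. */
  authorizer: function (req) {
    /* IMPORTANT: This is just a simple example */
    /* Check if there's a user in session */
    if (req.session.user) {
      /* Check whether the user has 'admin' role */
      return req.session.user.admin && 'admin' || 'user';
    }
    /* There's no user in session */
    return null;
  },

  /* Routes authorization definition. Routes not listed here are allowed by
   * default, so every path that needs protection must appear below.
   * NOTE(review): whether `path` is matched exactly or as a prefix is not
   * documented here; confirm before relying on it for nested paths. */
  routes: [{
    /* All request methods are filtered */
    path: '/api/users/count', /* On this route path only */
    allows: 'admin' /* And allows 'admin' only */
  }, {
    method: 'GET', /* Only GET requests are filtered */
    path: '/api/users', /* On this route path only */
    allows: 'admin' /* And allows 'admin' only */
  }, {
    method: ['POST', 'PUT', 'DELETE'], /* Only POST, PUT and DELETE requests are filtered */
    path: ['/api/users', '/api/stuff'], /* On these route paths only */
    allows: 'admin' /* And allows 'admin' only */
  }, {
    method: ['POST', 'DELETE'], /* Only POST and DELETE requests are filtered */
    path: '/api/content', /* On this route path only */
    allows: ['user', 'admin'] /* And allows both 'user' and 'admin' */
  }]
};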