Comments (7)
I'm not sure if you're looking to implement security for the session or just for accessing individual records, so I'll provide an example for both. I'm assuming Item belongsTo List.
For auth on the resource:
var epilogue = require('epilogue'),
    ForbiddenError = epilogue.Errors.ForbiddenError;

var ItemMiddleware = {
  list: { // you'll have to replicate this for each controller
    auth: {
      action: function(req, res, context) {
        var user = getUserFromRequest(req); // some logic to get your user id
        if (!isValidUser(user)) { // some logic to check that your session is valid
          throw new ForbiddenError('This user cannot access this resource');
        }
        return context.continue();
      }
    }
  }
};

var resource = epilogue.resource({
  model: Item,
  endpoints: ['/item', '/items/:id'],
  include: [{
    model: List,
    as: 'list',
    include: [{
      model: User,
      as: 'user'
    }]
  }]
});

resource.use(ItemMiddleware);
For checking individual record access:
var epilogue = require('epilogue'),
    ForbiddenError = epilogue.Errors.ForbiddenError;

var ItemMiddleware = {
  list: {
    fetch: {
      before: function(req, res, context) {
        var userId = getCurrentUserId(); // Some logic to get the current user id from your session
        // This is sloppy. We're currently trying to find a better way to do this. See issue #62
        // Note: this include is the controller's, so the filter is shared by every list request
        this.include[0].include[0].where = { id: userId };
        return context.continue();
      }
    },
    complete: { // a milestone of its own, alongside fetch (not nested inside it)
      action: function(req, res, context) {
        // we have to clean up every include.where after the request,
        // or we will have the same filters on the next request
        delete this.include[0].include[0].where;
        return context.continue();
      }
    }
  },
  read: {
    fetch: {
      after: function(req, res, context) {
        var userId = getCurrentUserId(); // Some logic to get the current user id from your session
        if (context.instance) {
          // the include below loads item.list.user, so compare the owner to the session user
          if (context.instance.list.user.id !== userId) {
            throw new ForbiddenError('This user cannot access this resource');
          }
        }
        return context.continue();
      }
    }
  }
};

var resource = epilogue.resource({
  model: Item,
  endpoints: ['/item', '/items/:id'],
  include: [{
    model: List,
    as: 'list',
    include: [{
      model: User,
      as: 'user'
    }]
  }]
});

resource.use(ItemMiddleware);
Hope that helps!
from epilogue.
Thanks, this is EXACTLY what I needed! This should be moved to the docs ;-)
from epilogue.
@getvega pull requests are very graciously accepted ;) The docs are right in the README.md
from epilogue.
I'd hold off on documenting filtering on associations, as this probably isn't the best way to do it. I'm hoping to have a POC this week to sort that mess out, as it's becoming clear that people need this. I have the tests written, I just need to do the actual implementation :) But if you'd like to add documentation for session authentication, I'd say go for it!
from epilogue.
@johngiudici could you share your thoughts on what you plan to implement regarding this? It seems like with sequelize we have to pass by the include option to filter on associations, instead of where, like: Item.findAll({ where: { 'list.user.id' : XX } })
@mbroadst I'll try to implement this tomorrow at work and will make the PR if it works ;-)
from epilogue.
@getvega That is correct. The where must be part of the include. There are multiple approaches to solving this problem, but the ultimate goal is to implement some extra functionality that would parse the q parameter for associated filters, have the controller find the proper include, and manipulate the include for that specific request. So we may end up with something that looks like /item?q=list.user.id:1. Alternatively, we could implement support for a stringified JSON object as the query, so we would end up with something like /item?q={ list: { user: { id: 1 } } } (this obviously needs to be percent-encoded). In your implementation, you would be able to simply append to the q parameter in your milestones, and you wouldn't have to worry about resetting your include or having multiple requests collide. As an added bonus, it would be trivial to implement a feature that allows users to filter on one local field instead of ORing all the fields together.
from epilogue.
Ouch, I did not catch that multiple requests could collide. This seems pretty limiting for the moment. I'm watching both issues; tell me if you need help on those.
from epilogue.