
Help on context / milestones (epilogue issue, closed, 7 comments)

dchester commented on September 27, 2024
Help on context / milestones

from epilogue.

Comments (7)

johngiudici commented on September 27, 2024

I'm not sure if you're looking to implement security for the session or just for accessing individual records, so I'll provide an example for both. I'm assuming Item belongsTo List.

For auth on the resource:

var epilogue = require('epilogue'),
    ForbiddenError = epilogue.Errors.ForbiddenError;

var ItemMiddleware = {
  list: { // you'll have to replicate this for each controller
    auth: {
      action: function(req, res, context) {
        var user = getUserFromRequest(req); // some logic to get your user id
        if (!isValidUser(user)) { // some logic to check that your session is valid
          throw new ForbiddenError('This user cannot access this resource');
        }
        return context.continue();
      }
    }
  }
};

var resource = epilogue.resource({
  model: Item,
  endpoints: ['/item', '/items/:id'],
  include: [{
    model: List,
    as: 'list',
    include: [{
      model: User,
      as: 'user'
    }]
  }]
});

resource.use(ItemMiddleware);

For checking individual record access:

var epilogue = require('epilogue'),
    ForbiddenError = epilogue.Errors.ForbiddenError;

var ItemMiddleware = {
  list: {
    fetch: {
      before: function(req, res, context) {
        var userId = getCurrentUserId(); // Some logic to get the current user id from your session
        // This is sloppy. We're currently trying to find a better way to do this. See issue #62
        // `this` is the controller, so this include tree is shared by every request
        this.include[0].include[0].where = { id: userId };
        return context.continue();
      }
    },
    complete: { // `complete` is its own milestone, a sibling of `fetch`
      action: function(req, res, context) {
        // we have to clean up every include.where after the request,
        // or we will have the same filters on the next request
        delete this.include[0].include[0].where;
        return context.continue();
      }
    }
  },

  read: {
    fetch: {
      after: function(req, res, context) {
        var userId = getCurrentUserId(); // Some logic to get the current user id from your session
        if (context.instance) {
          // compare the owner of the fetched record against the session user
          if (context.instance.list.user.id !== userId) {
            throw new ForbiddenError('This user cannot access this resource');
          }
        }
        return context.continue();
      }
    }
  }
};

var resource = epilogue.resource({
  model: Item,
  endpoints: ['/item', '/items/:id'],
  include: [{
    model: List,
    as: 'list',
    include: [{
      model: User,
      as: 'user'
    }]
  }]
});

resource.use(ItemMiddleware);

Hope that helps!


getvega commented on September 27, 2024

Thanks, this is EXACTLY what I needed! This should be moved to the docs ;-)


mbroadst commented on September 27, 2024

@getvega pull requests are very graciously accepted ;) The docs are right in the README.md


johngiudici commented on September 27, 2024

I'd hold off on documenting filtering on associations, as this probably isn't the best way to do it. I'm hoping to have a POC this week to sort that mess out, as it's becoming clear that people need this. I have the tests written, I just need to do the actual implementation :) But if you'd like to add documentation for session authentication, I'd say go for it!


getvega commented on September 27, 2024

@johngiudici could you share your thoughts on what you plan to implement regarding this? It seems like with Sequelize we have to go through the include option to filter on associations, instead of where, like: Item.findAll({ where: { 'list.user.id' : XX } })

@mbroadst I'll try to implement this tomorrow at work and will make the PR if it works ;-)


johngiudici commented on September 27, 2024

@getvega That is correct. The where must be part of the include. There are multiple approaches to solving this problem, but the ultimate goal is to implement some extra functionality that would parse the q parameter for associated filters, have the controller find the proper include, and manipulate the include for that specific request. So we may end up with something that looks like /item?q=list.user.id:1. Alternatively, we could implement support for a stringified JSON object as the query, so we would end up with something like /item?q={ list: { user: { id: 1 } } } (this obviously needs to be percent-encoded). In your implementation, you would be able to simply append to the q parameter in your milestones, and you wouldn't have to worry about resetting your include or having multiple requests collide. As an added bonus, it would be trivial to implement a feature that allows users to filter on one local field instead of ORing all the fields together.


getvega commented on September 27, 2024

Ouch, I did not catch that multiple requests could collide; this seems pretty limiting for the moment. I'm watching both issues, tell me if you need help on those.

