
Abstract classes and utils for security context building


qiwi/security-context


security-context [RnD]

Basic utils for providing a security context.


Install
    npm i -S @qiwi/security-context    
Contracts

Inspired by Spring Security.

  • Authentication — basic auth interface
  • *Token — custom Authentication implementations (e.g. built on AbstractToken)
  • Authority — represents an authority granted to an Authentication object
  • Role — basic authority type
  • Permission — a representation of the permission object as supplied by the expression system
Usage concept
    import {Role, AbstractToken, PermissionEvaluator, Authentication} from '@qiwi/security-context'

    // Create roles as basic Authorities
    const admin = new Role('admin')
    const operator = new Role('operator')

    // Specify custom token logic
    class CustomToken extends AbstractToken {
      //...
    }

    // Configure your evaluator
    class CustomEvaluator extends PermissionEvaluator {
      constructor() {
        super()
      }
      hasPermission(token, target, permission) {
        const roles = token.authorities

        // Admins may do anything.
        // Note: includes() compares by identity; if Role instances are rebuilt
        // from each auth response, compare by role name instead.
        if (roles.includes(admin)) {
          return true
        }

        // Operators may act only on targets they own
        if (roles.includes(operator)) {
          if (permission === 'owner') {
            if (target.owner_id === token.principal.id) {
              return true
            }
          }
        }

        // Deny by default
        return false
      }
    }
    const evaluator = new CustomEvaluator()

    // Handle auth event, build Auth instance
    const user = {
      login: 'foo'
    }
    let token
    fetch({/*...*/})
      .then(res => res.json())
      .then(data => {
        token = new CustomToken(
          user,
          data.roles.map(v => new Role(v)),
          data.details
        )
        token.authenticated = true
      })
      .catch(e => {
        // Auth failed: fall back to an unauthenticated Authentication
        token = new Authentication(user)
      })

    // Then pass auth to context and resolve permission where it's needed
    const doSomething = (target, ...args) => {
      if (evaluator.hasPermission(token, target, 'owner')) {
        // ...
      }
    }
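The usage concept above depends on the package's abstract classes. The following is an added, self-contained example (not code from `@qiwi/security-context` or the qiwi project) that sketches the same Authentication / Authority / PermissionEvaluator contracts with minimal stand-in classes so the evaluation logic can be run offline. The class shapes and field names (`name`, `principal`, `authorities`, `authenticated`, `owner_id`) and the `buildToken` helper are assumptions made for this example; it goes one step beyond the README by comparing roles by name rather than object identity and by refusing unauthenticated tokens before any role check.

```javascript
// Added example, not the @qiwi/security-context package's own code.
// Stand-in classes mirroring the README's contracts; all field names are
// assumptions made for this example.
'use strict'

// Authority: a named grant held by an Authentication. Roles are compared by
// name, not identity, because tokens are usually rebuilt from a server
// response (a fresh Role per request) and would never be === a constant.
class Role {
  constructor (name) {
    this.name = name
  }
  equals (other) {
    return other instanceof Role && other.name === this.name
  }
}

// Authentication: principal + granted authorities + authenticated flag.
// A token stays unauthenticated until the auth handler explicitly sets it.
class Token {
  constructor (principal, authorities = [], details = {}) {
    this.principal = principal
    this.authorities = authorities
    this.details = details
    this.authenticated = false
  }
  hasRole (role) {
    return this.authorities.some(a => role.equals(a))
  }
}

const ADMIN = new Role('admin')
const OPERATOR = new Role('operator')

// PermissionEvaluator: deny by default; only enumerated grants return true.
class CustomEvaluator {
  hasPermission (token, target, permission) {
    // Fail closed on anything that is not an authenticated Token.
    if (!(token instanceof Token) || !token.authenticated) return false
    if (token.hasRole(ADMIN)) return true
    if (token.hasRole(OPERATOR) && permission === 'owner') {
      // Owner check: operators may act only on targets they own.
      return target != null && target.owner_id === token.principal.id
    }
    return false
  }
}

// Builds a token from an auth response; falls back to an unauthenticated
// token when the response is missing or malformed (the README's catch branch).
function buildToken (user, data) {
  if (!data || !Array.isArray(data.roles)) return new Token(user)
  const token = new Token(user, data.roles.map(v => new Role(String(v))), data.details || {})
  token.authenticated = true
  return token
}

// Sample principals and auth response, constructed for this example.
const alice = { id: 1, login: 'alice' }
const bob = { id: 2, login: 'bob' }
const authResponse = { roles: ['operator'], details: { via: 'sso' } }
const evaluator = new CustomEvaluator()

// Runs the evaluator over a few representative cases and returns the verdicts.
function demo () {
  const operatorToken = buildToken(alice, authResponse)
  const anonToken = buildToken(bob, null) // failed auth: unauthenticated
  const adminToken = buildToken(bob, { roles: ['admin'] })
  const ownDoc = { id: 10, owner_id: 1 }
  const otherDoc = { id: 11, owner_id: 2 }
  return {
    operatorOwnDoc: evaluator.hasPermission(operatorToken, ownDoc, 'owner'), // true
    operatorOtherDoc: evaluator.hasPermission(operatorToken, otherDoc, 'owner'), // false
    operatorOtherPerm: evaluator.hasPermission(operatorToken, ownDoc, 'delete'), // false
    adminAnything: evaluator.hasPermission(adminToken, otherDoc, 'delete'), // true
    anonOwnedDoc: evaluator.hasPermission(anonToken, otherDoc, 'owner') // false: owner_id matches but token is unauthenticated
  }
}
```

The last case is the one worth keeping in mind: the fallback `Authentication` built in the catch branch carries a principal, so an evaluator that only inspects `owner_id` would grant the operator's owner permission to a caller who never authenticated. Checking `authenticated` before any role logic keeps the default closed.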
