A minimal activity based authorization middleware for connect/express
This is heavily inspired by Derick Bailey's mustbe.
It makes no assumptions about how or where roles are stored or how you authorize users. It does assume that all data needed to authorize actions will be on the request object (e.g. `req.user`, roles, etc.), typically placed there by an earlier authentication middleware. This lets candoo play nicely with Passport.js and other authentication libraries/frameworks.
There are 3 quick steps to start using candoo.
- install
npm install --save candoo
- config
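var can = require('candoo');

// Activities are keyed by name and referenced from a route via
// `can.do('<name>')`. Each check reads only from `req`, so whatever
// populates `req.user` (Passport.js or another authentication layer)
// needs to run before the `can.do(...)` guard in the middleware chain.
can.configureActivities({
  /**
   * Any authenticated user may view a profile.
   *
   * `req.user` is compared against both `null` and `undefined` (`!= null`)
   * so that a user slot that was explicitly cleared to `null` is not
   * mistaken for an authenticated user.
   */
  'view.profile': function(req, done) {
    done(req.user != null);
  },
  /**
   * You can pass a custom error message to the callback for a failure.
   */
  'view.admin.page': function(req, done) {
    if (req.user && req.user.role === 'admin') {
      done(true);
    } else {
      done(false, 'admins only!');
    }
  },
  /**
   * You can pass an options object for further functionality.
   *
   * The following options are supported:
   * {
   *   onFailure: function(req, res, next) {...}
   * }
   *
   * Currently the only option that is recognized is an `onFailure` callback.
   * This gives you more granular control when there is an unauthorized request.
   * For example, one may have the need to redirect unauthorized requests to
   * different endpoints, instead of relying on error handlers further down the
   * line.
   *
   * `someModelObject` and `helpers.redirectToLogin` below are placeholders
   * for the application's own resource and failure handler.
   */
  'view.stats': function(req, done) {
    if (req.user && req.user.isOwner(someModelObject)) {
      done(true);
    } else {
      done(false, '', { onFailure: helpers.redirectToLogin });
    }
  }
});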
- use
var can = require('candoo');

// Route handler; express only reaches it once the 'view.admin.page'
// activity configured above has allowed the request through.
function serveAdminPage(req, res, next) {
  // serve admin page
}

app.get('/admin/page', can.do('view.admin.page'), serveAdminPage);
Open an issue or send a pull request :)