Node.js + Express.js User Permission Security Model

security node.js express

Solution 1:

Having it per-route usually works for me. This is what I typically do:

function requireRole (role) {
    return function (req, res, next) {
        if (req.session.user && req.session.user.role === role) {
            next();
        } else {
            res.send(403);
        }
    }
}

app.get("/foo", foo.index);
app.get("/foo/:id", requireRole("user"), foo.show);
app.post("/foo", requireRole("admin"), foo.create);

// All bars are protected
app.all("/foo/bar", requireRole("admin"));

// All paths starting with "/foo/bar/" are protected
app.all("/foo/bar/*", requireRole("user"));

Solution 2:

You can use ability-js with everyauth, which is quite similar to CanCan for Rails https://github.com/scottkf/ability-js

Solution 3:

Take a look at this list for NodeJS ACL/Permission systems. IMHO OptimalBits node_acl looks best.

Related

Get connection status on Socket.io client
Gradle version 1.10 is required. Current version is 2.0
Android How to implement Bottom Sheet from Material Design docs
When or Why to use a "SET DEFINE OFF" in Oracle Database
Angular2 Component @Input two way binding
How does jemalloc work? What are the benefits?
PHPUnit: How do I create a function to be called once for all the tests in a class?
Why does .class:last-of-type not work as I expect?
What is Grunt for?
What does useCallback/useMemo do in React?
Intellij IDEA plus sign when String wrap
Learning Web Development : Django vs Node vs Rails vs Others [closed]