Authentication and Authorization with Flatiron Resourceful & Restful

I want to implement authentication and authorization on the Flatiron stack (using Flatiron, Resourceful, and Restful). I want to require the user to have the necessary permissions when trying to change a resource. There is a note about authorization in the Restful README:

There are several ways to ensure security and authorization for access to resource methods exposed via restful. The recommended authorization pattern is to use resourceful's before and after hooks. In these hooks you can add additional business logic to restrict access to resource methods.

It is not recommended to place authorization logic in the routing layer, since in an ideal world the router will be a reflected interface of the resource. In theory the security of the router itself should be somewhat irrelevant, since the resource may have several reflected interfaces that all require the same business logic.

TL;DR: For security and authorization you should use before and after hooks.

So authorization can be done with resourceful's hook system.

My actual problem is the authentication process at the beginning of every HTTP request.

Say I have a resource Post, a User and a Session. The REST API is defined using Restful. My main concern here is that the user must have a session when creating a Post. Other methods, such as save or update, and other resources, such as creating a User, should work the same way.

File app.js:

var flatiron = require('flatiron');
var restful = require('restful');
var app = flatiron.app;

app.resources = require('./resources.js');

app.use(flatiron.plugins.http);
app.use(restful);
app.start(8080, function(){
  console.log('http server started on port 8080');
});

File resources.js:

var resourceful = require('resourceful');

var resources = exports;

resources.User = resourceful.define('user', function() {
  this.restful = true;
  this.string('name');
  // note: a plaintext password field; hash it before saving in real code
  this.string('password');
});

resources.Session = resourceful.define('session', function() {
  // note: this is not restful
  this.use('memory');
  this.string('session_id');
});

resources.Post = resourceful.define('post', function() {
  this.restful = true;
  this.use('memory');
  this.string('title');
  this.string('content');
});

resources.Post.before('create', function authorization(post, callback) {
  // What should happen here?
  // How do I ensure, a user has a session id?

  callback();
});

There is also an executable version of the code (thanks @generalhenry).

So, suppose a user trying to create a Post has already received a session ID, which is sent with every request he makes in the Cookie header. How can I access this cookie at the beginning of the request (i.e. in the authorization callback)?

I start the server with node app.js and send the HTTP requests with curl.

+5

Put connect's cookie and session middleware into the http plugin's before array. The session id is then available as req.sessionID, or from the raw cookie as req.cookies["connect.sid"].

var connect = require('connect');

app.use(flatiron.plugins.http, {
  before: [
    connect.favicon(),
    // cookieParser must run before session so req.cookies / req.signedCookies exist
    connect.cookieParser('catpsy speeds'),
    function(req, res) {
      // connect.session looks at req.originalUrl (for the cookie path); union does not set it
      if (req.originalUrl === undefined) {
        req.originalUrl = req.url;
      }
      res.emit('next');
    },
    // use the same secret here as in cookieParser so the signed session cookie verifies
    connect.session({secret : 'secter'}),
    function(req, res) {
      console.log('Authenticating...');
      console.dir(req.session);
      //any other validation logic
      if (req.url !== '/login' && typeof req.session.user == 'undefined') {
        res.redirect('/login');
      } else {
        res.emit('next');
      }
    }
  ]
});

+4
