Is there a library compatible with Hapi for fine-grained ACL / User permissions?
Looking to use HapiJS as our API server. We need fine-grained user permissions, e.g. "User A can edit field B" "User C can view field D" for a given model / resource.

Before we start building something I've been looking to see if something like this has already been done that is compatible with Hapi.

Darcee answered 23/9, 2014 at 22:40 Comment(2)
Did you find anything? (Nepali)
No, that project is on hold for the moment. Will post back here on any findings. (Darcee)

I've recently been working on an ACL project for hapijs. It should get you a good start. https://www.npmjs.org/package/hapi-authorization

Seriatim answered 4/12, 2014 at 20:24 Comment(2)
Just checked the plugin, and I have a question - could you implement it in a way that a user can have multiple roles, which are not hierarchical but on the same level, allowing access to different parts of the application (let's say, manages_users and manages_products)? You could have a convention that if the user object has a .role property, it's a single role; if it has .roles, then you expect an array and check against that. (Hartzke)
This functionality already exists and is the default. github.com/toymachiner62/hapi-authorization#plugin-config. If you have questions please submit github issues instead of posting on SO. (Seriatim)

I have just read an article where the ACL permissions are validated using the built-in scopes.

Here is the link to the mentioned article: https://blog.andyet.com/2015/06/16/harnessing-hapi-scopes/

And to resume quickly (using the example from the above link), you get a user object that looks like so:

{
    "username": "han",
    "scope": ["door-trash-compactor"]
}

The scope can be generated by whatever is backing your ACL for this user. In this case you have the resource door with id trash-compactor that can be checked like so:

server.route({
    method: 'GET',
    path: '/doors/{door_id}',          // hapi route option is `path`, not `route`
    config: {
        handler: function (request, reply) {
            // concatenate the door id with the message
            reply(request.params.door_id + ' door is closed');
        },
        auth: {
            // {params.door_id} is expanded from the request before the scope check
            scope: ['door-{params.door_id}']
        }
    }
});

The scope door-{params.door_id} will be translated to door-trash-compactor which will then be validated. Han's request to the trash compactor door will be valid and he will get the door is closed message.

The blog post is well written (much better than this summary) and describes this in better detail - would recommend the read.

Cellule answered 17/12, 2015 at 15:44 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.