Permission checks
To check the roles and permissions of the authenticated user you can use AuthChecker from _global/src/auth/auth-check.ts. The constructor requires an appId to initialize the logger; after that you can use the hasPermissions function or the middleware for express. As check options AuthChecker accepts an object with lists of types, roles and permissions. If you need more flexibility you can pass a function that checks the user and returns a boolean. Examples are provided below.
Options object structure:

```typescript
export interface AuthCheckOptions {
  type?: UserTypes | UserTypes[],
  role?: UserRoles | UserRoles[],
  permission?: string | string[],
}
```
One important point about the options object: it checks that the user has
- at least one of the given types
AND
- at least one of the given roles
AND
- at least one of the given permissions
Empty options mean the user passes without any check.
Usage
hasPermissions function
Some usage examples can be found in _global/tests/auth.test.ts
Usage:
```typescript
import { AuthChecker, AuthUser, UserRoles, UserTypes } from '@titanhouse/global';

const authChecker = new AuthChecker('service-id');

const testTitan: AuthUser = {
  id: 'id',
  type: UserTypes.Titan,
  name: 'Name',
  email: 'email@gmail.com',
  roles: [UserRoles.User, UserRoles.TpUser, UserRoles.TpRegisteredUser],
  permissions: ['profile-read'],
};

// check if user has 'titan' type;
// returns true
authChecker.hasPermissions(testTitan, { type: UserTypes.Titan });

// check if user has 'titan' type and ('user' or 'admin') roles;
// returns true
authChecker.hasPermissions(testTitan, {
  type: UserTypes.Titan,
  role: [UserRoles.User, UserRoles.Admin],
});

// check if user has 'titan' type and ('all' or 'all-write') permissions;
// returns false, because the user only holds 'profile-read'
authChecker.hasPermissions(testTitan, {
  type: UserTypes.Titan,
  permission: ['all', 'all-write'],
});
```
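The AND/at-least-one semantics of the options object and the hasPermissions calls above, as an added reference implementation that is not the @titanhouse/global code: the enum string values, the sample user and the handling of a missing user are assumptions made for this example.

```typescript
// Added reference implementation of the AuthCheckOptions semantics described
// above; it is NOT the @titanhouse/global code. Enum string values are assumed.
enum UserTypes { Titan = 'titan', Client = 'client' }
enum UserRoles {
  User = 'user', Admin = 'admin', TpUser = 'tp-user', TpRegisteredUser = 'tp-registered-user',
  CpUser = 'cp-user', CpAccountAdmin = 'cp-account-admin',
}
interface AuthUser {
  id: string; type: UserTypes; name: string; email: string;
  roles: UserRoles[]; permissions: string[];
}
interface AuthCheckOptions {
  type?: UserTypes | UserTypes[];
  role?: UserRoles | UserRoles[];
  permission?: string | string[];
}
// Either an options object or a custom predicate over the user.
type AuthCheck = AuthCheckOptions | ((user: AuthUser) => boolean);

function toList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? (v as T[]) : [v as T];
}
// A criterion that is not given imposes no constraint; a given one needs at
// least ONE match: the listed values are OR-ed, never AND-ed.
function matchesAny<T>(wanted: T[], held: T[]): boolean {
  return wanted.length === 0 || wanted.some((w) => held.includes(w));
}
function hasPermissions(user: AuthUser | undefined, check: AuthCheck): boolean {
  if (!user) return false; // assumption: a request without a user never passes
  if (typeof check === 'function') return check(user);
  // The three criteria are AND-ed, so an empty object always passes.
  return matchesAny(toList(check.type), [user.type])
    && matchesAny(toList(check.role), user.roles)
    && matchesAny(toList(check.permission), user.permissions);
}
// Constructed sample user mirroring the one in the examples above.
const testTitan: AuthUser = {
  id: 'id', type: UserTypes.Titan, name: 'Name', email: 'email@example.com',
  roles: [UserRoles.User, UserRoles.TpUser, UserRoles.TpRegisteredUser],
  permissions: ['profile-read'],
};
const results = {
  typeOnly: hasPermissions(testTitan, { type: UserTypes.Titan }), // true
  typeAndRole: hasPermissions(testTitan, { type: UserTypes.Titan, role: [UserRoles.User, UserRoles.Admin] }), // true
  missingPerm: hasPermissions(testTitan, { type: UserTypes.Titan, permission: ['all', 'all-write'] }), // false
  emptyOptions: hasPermissions(testTitan, {}), // true: no constraint at all
  predicate: hasPermissions(testTitan, (u) => u.type === UserTypes.Titan && u.permissions.includes('profile-read')), // true
  wrongRole: hasPermissions(testTitan, { role: UserRoles.CpAccountAdmin }), // false
};
```

Note that `emptyOptions` passes: an `@Authorized({})` or `expressChecker({})` with no criteria admits every authenticated user, so a route that should be restricted needs at least one type, role or permission listed.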
Routing controllers with express
Initialization:

```typescript
import express from 'express';
import { Action, useExpressServer } from 'routing-controllers';
import { AuthChecker } from '@titanhouse/global';

const app = express();

useExpressServer(app, {
  authorizationChecker: new AuthChecker('service-id').routingControllersChecker(),
  currentUserChecker: async (action: Action) => action.request.user,
});
```
Usage:

```typescript
import { JsonController, Get, UseBefore, CurrentUser, Authorized } from 'routing-controllers';
import { AuthUser, UserTypes, UserRoles } from '@titanhouse/global';

@JsonController()
@UseBefore(authenticate) // authentication middleware that sets request.user; see authorization
export class Controller {
  // Only a user with the 'client' type and the CpUser or CpAccountAdmin role is allowed;
  // otherwise a 403 status is sent in the response
  @Authorized({ type: UserTypes.Client, role: [UserRoles.CpUser, UserRoles.CpAccountAdmin] })
  @Get('/check')
  check(@CurrentUser() user: AuthUser) {
    return 'ok';
  }
}
```
With 'pure' express
Usage:

```typescript
import express from 'express';
import { AuthChecker, UserRoles } from '@titanhouse/global';

const app = express();
const authChecker = new AuthChecker('service-id');

app.post(
  '/logout',
  // only users holding the CpAccountAdmin role get past this middleware
  authChecker.expressChecker({ role: UserRoles.CpAccountAdmin }),
  async (req, res) => {
    res.ok(); // assumed to be a project-specific response helper, not part of standard express
  }
);
```