hapi-authz is an authorization middleware for Hapi.js based on Casbin
Hapi Authz

This is an authorization middleware for Hapi.js, based on Node-Casbin.

Installation

npm i casbin @casbin/hapi-authz --save

Integration

  • Register the plugin inside your index.js file.
const { newEnforcer } = require('casbin');
const hapiauthz = require('@casbin/hapi-authz');

...

const init = async () => {
  ...
  // Replace with the location of your own model and policy files.
  const enforcer = await newEnforcer('model.conf', 'policy.csv');

  // The plugin reads the enforcer from the newEnforcer option and evaluates
  // every request against it.
  await server.register({
    plugin: hapiauthz.Hapiauthz,
    options: {
      newEnforcer: enforcer
    }
  });

  ...
}

Use a customized authorizer

This package provides BasicAuthorizer, which reads the username from the Authorization header. If you use another authentication method, such as OAuth, you need to extend BasicAuthorizer and override getUserName as below:

class MyAuthorizer extends hapiauthz.BasicAuthorizer {
  constructor(request, enforcer) {
    super(request, enforcer);
  }

  // Take the subject from the credentials set by your Hapi auth strategy
  // (request.auth.credentials) instead of from the Authorization header.
  getUserName() {
    const { username } = this.request.auth.credentials;
    return username;
  }
}

const init = async () => {
  ...
  // Replace with the location of your own model and policy files.
  const enforcer = await newEnforcer('model.conf', 'policy.csv');

  await server.register({
    plugin: hapiauthz.Hapiauthz,
    options: {
      newEnforcer: enforcer,
      // The plugin calls this factory for each request with the enforcer.
      authorizer: (request, enforcer) => new MyAuthorizer(request, enforcer)
    }
  });

  ...
}

How to control the access

Authorization decisions are made on a {subject, object, action} triple: which subject may perform which action on which object. In this plugin, the meanings are:

  1. subject: the logged-on user name
  2. object: the URL path for the web resource like "dataset1/item1"
  3. action: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", "write-blog"
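
The following is an added example, not code from hapi-authz or Casbin. It shows how a Hapi request is reduced to the {subject, object, action} triple described above and checked against a policy, using a stand-in enforcer (assumed, not the real Casbin enforcer) that reads a constructed policy.csv and implements Casbin's keyMatch wildcard for RESTful object paths; the authorize function, its optional high-level action argument and the request shape are assumptions for illustration.

```javascript
// Added example, not hapi-authz or Casbin code. Shows how a Hapi request
// becomes the {subject, object, action} triple the plugin enforces, against a
// stand-in enforcer that reads a constructed policy.csv and implements
// Casbin's keyMatch wildcard ("/dataset1/*") used by RESTful models.

// Constructed policy.csv in Casbin format: p, subject, object, action
const POLICY_CSV = `
p, alice, /dataset1/*, GET
p, bob, /dataset2/item1, GET
p, bob, /dataset2/item1, write-blog
`;

// Casbin's keyMatch: a trailing "*" in the policy object matches any suffix.
function keyMatch(key1, key2) {
  const i = key2.indexOf('*');
  if (i === -1) return key1 === key2;
  if (key1.length > i) return key1.slice(0, i) === key2.slice(0, i);
  return key1 === key2.slice(0, i);
}

// Parse "p, ..." lines into [subject, object, action] rules.
function parsePolicy(csv) {
  return csv.split('\n').map((l) => l.trim()).filter((l) => l.startsWith('p,'))
    .map((l) => l.split(',').map((s) => s.trim()).slice(1));
}

// Stand-in for enforcer.enforce(sub, obj, act): allow only if a rule matches.
function makeEnforcer(csv) {
  const rules = parsePolicy(csv);
  return {
    enforce: (sub, obj, act) =>
      rules.some(([s, o, a]) => s === sub && keyMatch(obj, o) && a === act),
  };
}

// Hypothetical check mirroring the plugin's flow: subject from the Hapi auth
// credentials, object = request path, action = HTTP method unless a
// high-level action is supplied. No credentials means deny (fail closed).
function authorize(request, enforcer, action) {
  const creds = request.auth && request.auth.credentials;
  if (!creds || !creds.username) return false;
  const act = action || request.method.toUpperCase();
  return enforcer.enforce(creds.username, request.path, act);
}

// Constructed requests shaped like Hapi's request.auth / method / path.
const req = (username, method, path) =>
  ({ auth: { credentials: username ? { username } : null }, method, path });

const enforcer = makeEnforcer(POLICY_CSV);
console.log(authorize(req('alice', 'get', '/dataset1/item7'), enforcer)); // true
```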

For how to write an authorization policy and other details, please refer to the Casbin documentation.
