richardschneider / yappy

Yet another REST API server howling at the moon with JSON
MIT License

Authorisation (AuthZ) #83

Open richardschneider opened 8 years ago

richardschneider commented 8 years ago

Required by #70 and associated with #4 and #62

Some background

richardschneider commented 8 years ago

Shiro, as implemented by express-authorization, is nice for AuthZ. I like the idea of instance-level Access Control Lists. In this scenario we use three parts: the first is the resource, the second is the action(s), and the third is the instance(s) being acted upon.

So for example you could have

```
printer:query:lp7200
printer:print:epsoncolor
```

richardschneider commented 8 years ago

CRUD would use the resource type name as the first part, one of create, view, change, delete or find for the second part, and finally the resource ID.

So the CRUD instance-level permission for GET /api/product/123 is api:product:view:123. To allow a user to view all resources, simply assign api:*:view.

richardschneider commented 8 years ago

A permission to view/expose/decrypt redacted information (#62) is required. The redacted field is a JSON Pointer, such as /service/0/!apikey in api/tenant/123. How do we specify which fields can be exposed? This is called attribute-level permission.

What is the route?

The route asks for the plain-text value of the apikey. This should return, if the user is permitted to view the information, a text/plain response with the value.

richardschneider commented 8 years ago

Need a req.user.isPermitted(permission). We assume authentication #4 creates the user with a set of claims.
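Putting the permission scheme from the comments above together, as an added example that is not code from yappy, express-authorization or Shiro: a Shiro-style wildcard matcher for the resource:action:instance layout, the CRUD mapping of a request onto the api:type:action:id form, and a req.user.isPermitted(permission) check wired into an Express-style middleware. The names makeUser, permissionForRequest and authorize, the HTTP-method-to-action table, and the claims layout (a permissions array on the user's claims) are assumptions of this example; the sample users and requests below are constructed.

```javascript
// Added example (not yappy's or express-authorization's code): Apache Shiro-style
// wildcard permissions in the layout used in this issue,
//   <resource>:<action(s)>:<instance(s)>      e.g. printer:print:epsoncolor
// plus the CRUD form api:<type>:<action>:<id> and a req.user.isPermitted() check.

const PART_DIVIDER = ':';
const SUBPART_DIVIDER = ',';
const WILDCARD = '*';

// "printer:query,print:lp7200" -> [["printer"], ["query", "print"], ["lp7200"]]
// Matching is case-insensitive, as in Shiro; drop toLowerCase() if your IDs are case-sensitive.
function parsePermission(str) {
  if (typeof str !== 'string' || str.trim() === '') {
    throw new Error('permission must be a non-empty string');
  }
  return str.trim().split(PART_DIVIDER).map((part) => {
    const subparts = part.split(SUBPART_DIVIDER).map((s) => s.trim().toLowerCase()).filter(Boolean);
    if (subparts.length === 0) throw new Error(`empty part in permission "${str}"`);
    return subparts;
  });
}

// Shiro's WildcardPermission.implies(): does a granted permission cover a requested one?
// A granted part of "*" matches anything, and a granted permission with fewer parts than
// the request implies the missing trailing parts, so "api:*:view" implies "api:product:view:123".
// The reverse is not true: "api:product:view:123" does not imply "api:product:view".
function implies(granted, requested) {
  const g = parsePermission(granted);
  const r = parsePermission(requested);
  let i = 0;
  for (; i < r.length; i++) {
    if (i >= g.length) return true;            // granted is shorter: implies the rest
    const gp = g[i];
    if (!gp.includes(WILDCARD) && !r[i].every((s) => gp.includes(s))) return false;
  }
  for (; i < g.length; i++) {                  // extra trailing granted parts must all be "*"
    if (!g[i].includes(WILDCARD)) return false;
  }
  return true;
}

// Assumed HTTP-method-to-action mapping for the CRUD form from the issue:
// GET/PUT/DELETE on an instance -> view/change/delete, GET/POST on the collection -> find/create.
const INSTANCE_ACTIONS = { GET: 'view', PUT: 'change', DELETE: 'delete' };
const COLLECTION_ACTIONS = { GET: 'find', POST: 'create' };

// Build the permission string for a request, or null if none can be derived (caller denies).
// An ID containing a divider or wildcard is rejected: otherwise /api/product/1:2 would ask for
// "api:product:view:1:2", which a grant on "api:product:view:1" implies.
function permissionForRequest(method, path) {
  const m = /^\/api\/([^/]+)(?:\/([^/]+))?\/?$/.exec(path.split('?')[0]);
  if (!m) return null;
  const [, type, id] = m;
  const unsafe = /[:,*\s]/;
  if (unsafe.test(type) || (id !== undefined && unsafe.test(id))) return null;
  const verb = method.toUpperCase();
  const action = id !== undefined ? INSTANCE_ACTIONS[verb] : COLLECTION_ACTIONS[verb];
  if (!action) return null;
  return id !== undefined ? `api:${type}:${action}:${id}` : `api:${type}:${action}`;
}

// Assumed shape of what authentication (#4) puts on req.user: the claims carry the granted
// permission strings, and isPermitted() asks whether any of them implies the one requested.
function makeUser(claims) {
  const granted = Array.isArray(claims.permissions) ? claims.permissions : [];
  return {
    claims,
    isPermitted(permission) {
      return granted.some((p) => implies(p, permission));
    },
  };
}

// Express-style middleware (plain function, so no express dependency here). Default deny:
// 401 without a user, 403 when the permission is missing or cannot be derived from the route.
function authorize(req, res, next) {
  if (!req.user || typeof req.user.isPermitted !== 'function') return res.status(401).end();
  const needed = permissionForRequest(req.method, req.path);
  if (!needed || !req.user.isPermitted(needed)) return res.status(403).end();
  return next();
}
```

The point worth checking in any such matcher is the direction of the implication: a grant on one instance must not imply the type-level or collection-level permission, and a shorter grant does imply the longer request. The ID filter in permissionForRequest matters for the same reason, since the divider characters are what give the permission string its meaning.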