Authorizations and Access Control to hide API methods and check access (2nd Attempt)

[metasection]

This Pull Request addresses issue #11.

Feedback on implementation is welcome. Pull would be greatly appreciated. Thanks again for building node-restify-swagger.

Usage / Implementation

Hiding routes based on authorization...

• You create an accessControl function and pass it to the loadRestifyRoutes. The accessControl function returns a space delimited list of user-authorizations (Example: "public account admin").

• You add an ‘authorizations’ parameter to each route (optional, defaults to public) with a space separated list of route-authorizations (Example: "admin super-admin").

• when swagger loads it calls the createResource method in node-restify-swagger which uses the accessControl method (if provided) to verify the api_key (if provided) and get the user-authorizations.
• it then iterates over all of the routes and verifies that the user-authorizations are sufficient to provide access to the route based on the route-authorizations.
• In our examples above, the user would have to have admin or super-admin in order to access the route. In our example, the user has public, account, and admin. Therefore, the user can see and access the route because it has the admin authorization required by the route.

  Authorize access middleware...

• You pass the accessControl function to the swaggerRestify.authorizeAccess middleware function
• Each time that the route is accessed, the middleware function is executed.

[coveralls]

Coverage decreased (-13.87%) when pulling 364786add28aee65b87b7d45afba2634426120d3 on metasection:master into 5b2f1465711aa1ad3ae2ab43aae57b67aba068d2 on z0mt3c:master.

[metasection]

Any feedback?

[z0mt3c]

Still decreased test coverage

[metasection]

Ok, was hoping for some feedback on the code / tests that were already developed. Glad to know you are still out there ;) Will get some more tests created soon.

[z0mt3c]

Sorry for my short answers... i'm just busy (hope things get a bit more relaxing with the new year) and not really into this project atm. Tests increase confidence.

I wonder if we could extract the filtering out of lib/swagger-doc.js. May be as post processing - or may some more generic filter abstraction? Not really focused on authorization.