
Authorization & Authentication

Open baugarten opened this issue 12 years ago • 5 comments

Authorize/Authenticate the user that uses the API

And API limits?

baugarten avatar Jan 24 '13 04:01 baugarten

I suppose this really reduces to #25

resource.before('*', function(req, res, next) { // '*' stands for "every route" in this sketch
  if (!authorized(req)) return next(new Error('Not authorized'));
  next();
});

But we can make this API explicit

resource.authorize(auth_function);

baugarten avatar Apr 02 '13 19:04 baugarten

And what about a situation where we have multiple users owning some resources?

I want to be able to respond to GET with only the resources belonging to the authorized user. There is no way of passing filter to queries. Also, I don't know if the user is allowed to request a resource before I query it, so I'd have to fetch it anyway to be able to throw error.

This is not enough.

[edit]

I was able to hack it like this:

function filterAccess(req, res, next) {
  req.quer._conditions.owner = someuserIdFromSession;
  return next();
}

It's ugly, but you get the point: it's just about server-side filtering.

naugtur avatar Sep 24 '13 11:09 naugtur

First, you could just do

function filterAccess(req, res, next) {
  req.quer = req.quer.where('owner', someuserIdFromSession)
  next()
}

Next, you could solve this using a custom route

resource.route('getuserfromsession', function(req, res, next) {
  User.findById(req.session.userId, function(err, user) {
    res.json(user); // error checking, etc.
  });
})

Or

resource.before('get', function(req, res, next) {
  // You might have to do some extra checking to make sure this isn't a GET list
  req.params.id = req.session.userIdFromSession;
  next();
});

None of these relate to authentication -- in the future, please just open up a new issue :)

baugarten avatar Sep 24 '13 12:09 baugarten

Ok, it's up to you. I just expected this functionality (checking if the user has access to what he requests) to be available somewhere near authorization. Thanks anyway.

naugtur avatar Sep 25 '13 09:09 naugtur

I thought you wanted to populate request data from session data.

Authorization you can currently do on select routes

resource.before('get', function(req, res, next) {
  if (!authorized(req)) {
    return next({
      err: "Some error"
    });
  }
  return next();
})

baugarten avatar Sep 25 '13 10:09 baugarten
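An added example (not node-restful's own code) that combines the two hooks discussed in this thread: the authorization check from the last comment, which rejects the request, and the ownership filter from the Sep 24 comment, which scopes the query with where(), run in order as a before-chain. req.quer and its where() are a stand-in for the Mongoose query node-restful attaches to the request, and the session shape (req.session.userId) is assumed.

```javascript
// Stand-in for a Mongoose query (assumption): records conditions, never hits a DB.
function fakeQuery() {
  return {
    _conditions: {},
    where(field, value) { this._conditions[field] = value; return this; },
  };
}

// Authorization hook: deny when the session carries no user.
function requireUser(req, res, next) {
  if (!req.session || !req.session.userId) {
    return next({ status: 401, err: 'Not authenticated' });
  }
  return next();
}

// Ownership filter: constrain the query to the caller's own records, so a GET
// list returns only their documents and a GET by id of someone else's record
// comes back as "not found" instead of being fetched and then rejected.
function filterAccess(req, res, next) {
  req.quer = req.quer.where('owner', req.session.userId);
  return next();
}

// Run hooks in order and stop at the first error, the way a before-chain does.
// Returns the error passed to next(), or null when every hook passed.
function runHooks(hooks, req) {
  let error = null;
  let i = 0;
  function next(err) {
    if (err) { error = err; return; }
    if (i < hooks.length) hooks[i++](req, {}, next);
  }
  next();
  return error;
}

// Simulate one request: attach a fresh query, run the chain, report the result.
function handle(req) {
  req.quer = fakeQuery();
  const error = runHooks([requireUser, filterAccess], req);
  return { error, conditions: req.quer._conditions };
}
```

With a session user the query is scoped to that owner; without one the chain stops at the 401 and the filter never runs.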