Support for route authorization

[irothschild]

When using dynamic hypermedia responses, it's nice to be able to check for authorization for various routes based on the current request credentials. Unfortunately, the code that does the access (entity and scope) checks is not currently exposed so there isn't a simple way to do this.

I'd love to see a method route.authorizeRequest(request) or route.authorize(request.auth).

[hueniverse]

I need an example of what this would look like.

[irothschild]

It's basically refactoring code in internals.Authenticator validate() in auth.js and exposing the functionality from a route instance. Something like this (which isn't working code):

Route.prototype.authorizeRequest = function(request) {       
      // authorize a route based on auth in the request
      var credentials = request.auth.credentials;
      var config = route.settings.auth;

       const requestEntity = (credentials.user ? 'user' : 'app');

        const scopeErrors = [];
        for (let i = 0; i < config.access.length; ++i) {
            const access = config.access[i];

            // Check entity

            const entity = access.entity;
            if (entity &&
                entity !== 'any' &&
                entity !== requestEntity) {

                continue;
            }

            // Check scope

            let scope = access.scope;
            if (scope) {
                if (!credentials.scope) {
                    scopeErrors.push(scope);
                    continue;
                }

                scope = internals.expandScope(request, scope);
                if (!internals.validateScope(credentials, scope, 'required') ||
                    !internals.validateScope(credentials, scope, 'selection') ||
                    !internals.validateScope(credentials, scope, 'forbidden')) {

                    scopeErrors.push(scope);
                    continue;
                }
            }

            return True;  // allow access
        }

        return False; // authorization denied
}

[hueniverse]

I don't understand the point of this. If the request has credentials, they would have already been verified against the scope and entity. Have you looked at the auth.test() method?

[irothschild]

It's for testing authorization for other routes. So in my hypermedia reply, I can include links to other endpoints that the user has permission to access.

[hueniverse]

You are going to get the routing table, then try each one? sounds awful.

[irothschild]

Trying each route in the table would be like having a web page with links to every other page and resource on the site. Sounds awful. No one would do that.

I have a short list of related routes (by id). For a website analogy, imagine showing a few extra links on a webpage if a user has admin permissions.

I'm not building a web site, I'm building a hypermedia API. Some of our endpoints are 'private' features that are only exposed to users with the right credentials.

[devinivy]

I can imagine the use-case. This isn't the first time folks have asked to expose the logic used to validate access. I personally think it makes sense to expose it given that auth.test() already exposes the "other side" of auth.

[thebergamo]

This request, sounds a good point, because sometimes you need to redirect the user to another endpoint internally and test if the user have roles to access its really useful.

[hueniverse]

As you can see from the documentation, this has to be pretty limited.