feat(authorization): add support for default authorization metadata

Implements #3681

Author: raymondfeng

packages/authorization/src/__tests__/acceptance/authorization.options.acceptance.ts

@@ -72,29 +72,58 @@ const matrix3: DecisionMatrix = [
   [{defaultDecision: Allow}, [Abstain, Abstain, Abstain], Allow],
 ];
 
+const matrix4: DecisionMatrix = [
+  [{defaultMetadata: {}}, [Abstain, Abstain, Abstain], Deny],
+  [
+    {defaultMetadata: {}, defaultDecision: Deny},
+    [Abstain, Abstain, Abstain],
+    Deny,
+  ],
+  [
+    {defaultMetadata: {}, defaultDecision: Allow},
+    [Abstain, Abstain, Abstain],
+    Allow,
+  ],
+];
+
+// Decisions controlled by options.defaultDecision
+const matrix5: DecisionMatrix = [
+  [{}, [Abstain, Abstain, Abstain], Allow],
+  [{defaultDecision: Deny}, [Abstain, Abstain, Abstain], Allow],
+  [{defaultDecision: Allow}, [Abstain, Abstain, Abstain], Allow],
+];
+
 describe('Authorization', () => {
   let app: Application;
   let controller: OrderController;
   let reqCtx: Context;
 
   it('always use explicit decisions', async () => {
-    await runTest(matrix1);
+    await testCancelOrder(matrix1);
   });
 
   it('honors decisions and options.precedence', async () => {
-    await runTest(matrix2);
+    await testCancelOrder(matrix2);
   });
 
   it('honors decisions and options.defaultDecision', async () => {
-    await runTest(matrix3);
+    await testCancelOrder(matrix3);
+  });
+
+  it('honors decisions with options.defaultMetadata', async () => {
+    await testPlaceOrder(matrix4);
   });
 
-  async function runTest(matrix: DecisionMatrix) {
+  it('honors decisions without options.defaultMetadata', async () => {
+    await testPlaceOrder(matrix5);
+  });
+
+  async function testCancelOrder(matrix: DecisionMatrix) {
     let index = 0;
     for (const row of matrix) {
       givenRequestContext();
       setupAuthorization(row[0], ...row[1]);
-      const finalDecision = await run();
+      const finalDecision = await cancelOrder();
       const expectedDecision = row[2];
       expect(`${index}:${finalDecision}`).to.equal(
         `${index}:${expectedDecision}`,
@@ -103,10 +132,35 @@ describe('Authorization', () => {
     }
   }
 
-  async function run() {
+  async function testPlaceOrder(matrix: DecisionMatrix) {
+    let index = 0;
+    for (const row of matrix) {
+      givenRequestContext();
+      setupAuthorization(row[0], ...row[1]);
+      const finalDecision = await placeOrder();
+      const expectedDecision = row[2];
+      expect(`${index}:${finalDecision}`).to.equal(
+        `${index}:${expectedDecision}`,
+      );
+      index++;
+    }
+  }
+
+  async function cancelOrder() {
+    let finalDecision = Deny;
+    try {
+      await invokeMethod(controller, 'cancelOrder', reqCtx, ['order-01']);
+      finalDecision = Allow;
+    } catch (err) {
+      finalDecision = Deny;
+    }
+    return finalDecision;
+  }
+
+  async function placeOrder() {
     let finalDecision = Deny;
     try {
-      await invokeMethod(controller, 'handleOrder', reqCtx, ['order-01']);
+      await invokeMethod(controller, 'placeOrder', reqCtx, ['prod-01', 10]);
       finalDecision = Allow;
     } catch (err) {
       finalDecision = Deny;
@@ -116,9 +170,15 @@ describe('Authorization', () => {
 
   class OrderController {
     @authorize({})
-    async handleOrder(orderId: string) {
+    async cancelOrder(orderId: string) {
       return orderId;
     }
+
+    // This method is not decorated with `@authorize`. The decision depends on
+    // authorizationOptions.defaultMetadata
+    async placeOrder(productId: string, quantity: number) {
+      return '001';
+    }
   }
 
   function setupAuthorization(

packages/authorization/src/authorize-interceptor.ts

@@ -60,12 +60,16 @@ export class AuthorizationInterceptor implements Provider<Interceptor> {
 
   async intercept(invocationCtx: InvocationContext, next: Next) {
     const description = debug.enabled ? invocationCtx.description : '';
-    const metadata = getAuthorizationMetadata(
+    let metadata = getAuthorizationMetadata(
       invocationCtx.target,
       invocationCtx.methodName,
     );
     if (!metadata) {
-      debug('No authorization metadata is found %s', description);
+      debug('No authorization metadata is found for %s', description);
+    }
+    metadata = metadata || this.options.defaultMetadata;
+    if (!metadata) {
+      debug('Authorization is skipped for %s', description);
       const result = await next();
       return result;
     }

packages/authorization/src/types.ts

@@ -177,4 +177,10 @@ export interface AuthorizationOptions {
    * rest of votes will be skipped.
    */
   precedence?: AuthorizationDecision.DENY | AuthorizationDecision.ALLOW;
+  /**
+   * Default authorization metadata if a method is not decorated with `@authorize`.
+   * If not set, no authorization will be enforced for those methods that are
+   * not associated with authorization metadata.
+   */
+  defaultMetadata?: AuthorizationMetadata;
 }