Protected and restricted routes within iron-router

Create protected and user-roles restricted routes within iron-router. For roles-restricted routes, please see meteor-roles, you need to install meteor-roles separately to use it.

This package supports protected option defined in list below, ordered by prioritization:

• Router.route() [overrides all]
• RouteController.extend()
• Router.configure() [might be overridden by any above]

Install:

meteor add ostrio:iron-router-protected

Demo app

• Source
• Live: http://iron-router-protected.meteor.com (We are looking for free hosting for this demo)

API:

Router.configure, Router.route, and RouteController will use next properties:

• protected {Boolean} - Make route explicitly protected for all unauthorized users
• authTemplate {String} - Name of the template to render, when access is denied
• authRoute {String} - Route where user will be redirected, when access is denied
• allowedRoles {[String]} - Array of roles, which have access to route
• allowedGroup {String} - Name of the role-group, which have access to route. Note: use only with allowedRoles property, if allowedRoles is not defined check by allowedGroup will be omitted
• authCallback {Function} - This function will be triggered on each route, with current route-object as a context and two arguments:
  • error {Object|null} - Object with error and reason properties, if access is denied
    • error - 401 or 403. 401 when access denied as for unauthorized user (Unauthorized. Permission denied). 403 when access denied by role (Forbidden. Not enough rights).
  • isGranted {Boolean|null} - true if access is granted
  • return false to prevent further code execution and rendering
  • return true to continue default behavior

Note: Don't use authTemplate and authRoute at the same time. If authTemplate and authRoute is both presented - only authTemplate will be used and rendered.

Usage:

Create config:

Router.configure({
  // Render login form
  authTemplate: 'loginForm',
  // Redirect to login form, by exact route or route-name
  authRoute: '/admin/login',
  // Deny access for unauthorized users on all routes
  "protected": true,
  // Restrict access by array of roles on all routes
  allowedRoles: ['admin'],
  // Restrict access by role and role-group. 
  // Use only with `allowedRoles` property, otherwise check on group is omitted
  allowedGroup: Roles.GLOBAL_GROUP,
  // This callback triggered each time when access is granted or forbidden for user
  authCallback: function(error, isGranted) {
    return console.log(error, isGranted);
  },

  // Common options:
  layoutTemplate: '_layout',
  notFoundTemplate: '_404',
  loadingTemplate: 'loading'
});

Create protected route:

Router.route('admin', {
  template: 'admin',
  path: '/admin',
  "protected": true, // Deny access for unauthorized users
  allowedRoles: ['admin'] // Restrict access by role
});

Override default options:

Router.route('admin', {
  template: 'admin',
  path: '/admin',
  authTemplate: null, // Do not render
  authRoute: '/admin/login', // Redirect to login form
  "protected": true // Deny access for unauthorized users
});

If all routes is protected, give access to loginForm:

Router.route('loginForm', {
  template: 'loginForm',
  path: '/admin/login',
  "protected": false // Allow access to this route for anyone
});

Options can be defined on controllers:

var LocationController = RouteController.extend({
  "protected": true
});

Router.route('locations', {
  controller: LocationController // Will be protected
});

Options on routes will override controller options:

Router.route('location', {
  controller: 'LocationController',
  "protected": false // Won't be protected
});