npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

express-access-control

v2.0.0

Published

Middleware to perform access control based on the user's session and groups.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

magnitusmagnitus

Keywords

ExpressMiddlewareSessionAccess Control

Readme

Express-Access-Control

Module to implement access control based on a user's membership to groups.

It is intended as a dependency for express-user and express-user-local, but could be used on it's own by making use of the customization facilities.

Requirements

  • A recent version of Node.js (version 0.10.25 is installed on my machine, later versions should work also, let me know if that is not the case)

  • The AuthenticateRoute function is meant to be used with an Express router, although it could feasibly work with frameworks that support a similar API.

Installation

npm install express-access-control

Running Tests

In the directory where the module is located, run the following 2 commands on the prompt:

  • npm install
  • npm test

Usage

The library has 2 main methods:

Authenticate(Req, Res, Groups, And)

This function, returns true if the request's user matches the expected authentication credentials, else false.

<Req> and <Res> and the usual arguments passed to every Express route handler.

<Groups> is an array of strings correspond to groups that you want to verify that the request's user belongs to. It can be set to null, in which case the call will just verify that the request's user is logged in.

<And> can be set to true or false. If set to true, the function will only match the user if he belongs to all the groups specified in <Groups>.

Ex:

var AccessControl = require('express-access-control');

//Some code

App.put('/Homeworks/Math202/Week2', function(Req, Res, Next) {
    if(Authenticate(Req, Res, ['Teacher', 'Math'], true))
    {
        Next();
    }
    {
        Res.status(401).end();
    }
});

//More code

AuthenticateRoute(Options)

This call is a shortcut to generate a route that authentifies the user (like in the above example).

If the user doesn't pass authentication, then Next(Err) is called, where Err is an error with Err.Source set to "ExpressAccessControl" and Err.Type set to "NoAccess". If the user passes authentication, then Next() is called to go to the next route handler.

<Options> can take 2 formats:

  • An array of groups the user should belong to

In this case, 'Authenticate' is used to authenticate the user with <Groups> set to <Options> and <And> set to false.

  • An object of options:

-The 'Group' property specifies the group to check that the user belongs to. If null, the route route only verifies that the user is logged in. Defaults to null. -The 'And' proporty specifies whether the user should belong to all the groups. Defaults to false. -The 'Not' property specifies whether the user should not belong to the groups instead. Defaults to false.

Ex:

var AccessControl = require('express-access-control');

//Some code

App.posts('/Forums/French', AccessControl.AuthenticateRoute({'Groups': ['Banned'], 'Not': true}));

//More code

Customization

The library is, by default, dependent on req.session (set by the express-session library) and req.session.User.Memberships (set by the user-store and express-user libraries) being present for each request.

You can alter these expectations with the following calls:

SetGetMemberships(NewGetter)

Changes the internal function that fetches a user's memberships.

<NewGetter> needs to have the following signature: function(Req, Res)

The arguments are those that Express passes to route handlers. The return value should be an array containing the user's memberships as strings.

AccessControl.SetLoggedIn

SetLoggedIn(NewChecker)

Changes the internal function that determines if a user is logged in.

<NewChecker> needs to have the following signature: function(Req, Res)

The arguments are those that Express passes to route handlers. The return value should be true if the user is logged in, else false.

Example

ex:

//Assume our User info is stored in Res.locals.User.Groups instead

var AccessControl = require('express-access-control');

AccessControl.SetGetMemberships(function(Req, Res) {
    return(Res.locals.User.Groups);
});

AccessControl.SetLoggedIn(function(Req, Res) {
    var ToReturn = Res.locals.User ? true : false;
    return(ToReturn);
});

Future

This library will probably be augmented with custom response handling and custom memberships testing (via a function argument).

Other potential modifications, would be to change the customization API to allow customization fonctions to be asynchronous (if they need to make a trip to the database for example).

These change will be made as needs arises.

Versions History

1.0.0

Initial release.

2.0.0

The library's 'AuthenticateRoute' method will now deleguate the response to an error handler if the user doesn't pass authentication.