rest-access

v1.3.4

role/scope based REST access control

Downloads

22

install

npm i -S rest-access

rest-access can be used to restrict access to resources. It can be used as a standalone solution or as an express/connect middleware.

usage

const express = require('express')
const app = express()
const jwt = require('express-jwt')
const access = require('rest-access')

// access rules, each one: [methods, path, role(s), block]
access([
  ['*', '/api/*', 'api:rookie', true], // truthy fourth element: this role is blocked
  [['POST', 'PUT', 'DELETE'], '/api/*', 'api:write,admin:*'],
  [['POST', 'PUT', 'DELETE'], '/api/secret/*', 'normal-admin'],
  ['GET', '/api/*', 'api:read'],
  [['GET', 'POST'], '/*', '*']
])

app.use(express.json()) // parse JSON bodies so that req.body is populated

// authenticate with jwt; 'shared_secret' is a placeholder, and the accepted
// signing algorithm is pinned explicitly
app.use(jwt({ secret: 'shared_secret', algorithms: ['HS256'] }))
app.use((req, res, next) => {
  // map req.user.scope (added by express-jwt) to req.permission (used by rest-access)
  req.permission = req.user.scope
  next()
})

app.use(access.middleware()) // restrict access according to definition above

// endpoints
let hello = 'world'
app.get('/api/hello', (req, res) => res.send(hello))
app.post('/api/hello', (req, res) => {
  hello = req.body
  res.sendStatus(201) // res.send(201) is the deprecated way to send a bare status
})
app.get('/hello', (req, res) => res.send('welcome to the unrestricted area'))

api

access(rules)

This function lets you define the access rules all at once:

access([
  [['POST', 'PUT', 'DELETE'], '/*/glint/role/*', 'manage'],
  [['POST', 'PUT', 'DELETE'], '/*/glint/config/*', 'manage'],
  [['GET'], '/signup/*', 'manage'],
  ['*', '/signin/*', 'manage'],
  ['*', '/account/password', 'manage'],
  ['*', '/account/delete', 'manage'],
  ['*', '/*', 'view', true],
  ['*', '/upload/*', 'edit'],
  ['GET', '/translate/*', 'edit,manage'],
  ['GET', '/filemanager/*', 'edit,manage'],
  [['POST', 'PUT', 'DELETE'], '/filemanager/*', 'edit,manage'],
  ['GET', '/ajax/*', '*'],
  ['POST,DELETE,PUT', '/ajax/*', 'edit,insert,delete'],
  ['*', '/admin/*', 'manage'],
  [['GET', 'POST'], '/*', '*']
])

access(methods, path, role[, block])

Use this method if you want to define a single access rule at a specific place. Examples:

access(['GET', 'POST'], '/*/glint/role/*', 'admin:*')
access('POST', '/*/glint/*', 'edit:glint')

The fourth argument is optional. If it is "truthy" (boolean true or a string), the role is blocked (instead of allowed) for the given methods and path. In the following example, the role read:glint is therefore blocked from sending a POST to the given path.

access('POST', '/*/glint/*', 'read:glint', true)

members

access.isBlocked(method, path, permission): this function can be used to check whether access to the given endpoint is blocked.

Given this definition:

access([
  ['GET', '/api/*', 'api:*'],
  ['GET,POST,PUT,DELETE', '/api/*', 'api:write'],
])

The following result is expected:

access.isBlocked('GET', '/api/hello', 'api:read') // -> returns `false`
access.isBlocked('POST', '/api/message', 'api:write') // -> returns `false`
access.isBlocked('PUT', '/api/message/today', 'api:read') // -> returns `'access not permitted'`
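A rule table like this is worth pinning with a decision matrix that also lists requests expected to be denied. The following is an added example, not code from rest-access: `makeIsBlocked` is a hypothetical stand-in evaluator with the same call shape as `access.isBlocked`, its matching semantics are assumptions, and `auditPolicy` and the matrix rows are constructed here.

```javascript
// Stand-in evaluator written for this example (NOT rest-access's code). Assumed
// semantics: '*' wildcards, a matching block rule wins, no matching rule = denied.
const toList = v => (Array.isArray(v) ? v : String(v).split(',')).map(s => s.trim())
const glob = p => new RegExp('^' + p.split('*')
  .map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*') + '$')

function makeIsBlocked (rules) {
  const compiled = rules.map(([methods, path, roles, block]) => ({
    methods: toList(methods), path: glob(path), roles: toList(roles).map(glob), block: Boolean(block)
  }))
  // Same call shape as access.isBlocked: false when allowed, a message when blocked.
  return function isBlocked (method, path, permission) {
    const held = toList(permission || '')
    const hits = compiled.filter(r =>
      (r.methods.includes('*') || r.methods.includes(method)) &&
      r.path.test(path) &&
      r.roles.some(role => held.some(p => role.test(p))))
    if (hits.length === 0 || hits.some(r => r.block)) return 'access not permitted'
    return false
  }
}

// Run a decision matrix and return only the rows that differ from the expectation.
function auditPolicy (isBlocked, matrix) {
  return matrix
    .map(([method, path, permission, expectAllowed]) => ({
      method, path, permission, expectAllowed,
      allowed: isBlocked(method, path, permission) === false
    }))
    .filter(row => row.allowed !== row.expectAllowed)
}

// Rule table copied from the isBlocked section above.
const isBlocked = makeIsBlocked([
  ['GET', '/api/*', 'api:*'],
  ['GET,POST,PUT,DELETE', '/api/*', 'api:write']
])

// Constructed matrix: the three documented results plus extra deny cases.
const matrix = [
  ['GET', '/api/hello', 'api:read', true],
  ['POST', '/api/message', 'api:write', true],
  ['PUT', '/api/message/today', 'api:read', false],
  ['DELETE', '/api/message', 'api:read', false],
  ['GET', '/api/hello', 'web:read', false],
  ['GET', '/api/hello', '', false]
]
const failures = auditPolicy(isBlocked, matrix)
console.log(failures.length === 0 ? 'policy matches expectations' : failures)
```

To audit a real rule set, define the rules with access(...) and pass a function that calls access.isBlocked as the first argument of auditPolicy.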

access.middleware: middleware function

example usage: looks for user permission under req.permission

app.use(access.middleware({ permissionProperty: 'permission' }))

access.restrict: restrict a single route

example usage: looks for user permission under req.permission

app.get('/my/home', access.restrict('api:*'), (req, res) => res.send('restricted api access'))

access.getRules: use this function to return a copy of the existing rules.

example:

access.getRules().forEach(rule => console.log(rule.join(' ')));

extends

access.middleware() adds req.userCan function to the express/connect Request Object. Example call: req.userCan('admin:*')

test

run unit tests

npm test

run integration tests

npm run test:integration

license

MIT

credits

extracted from: https://github.com/glintcms/glintcms-starter-glintcms/blob/master/local_modules/page-auth-access/access.js