Express-Authz
Express-Authz is an authorization middleware for Express. It is based on Node-Casbin: https://github.com/casbin/node-casbin.
Installation
To use casbin v2.x:

    npm install casbin@2 casbin-express-authz@1 --save

To use casbin v3.x:

    npm install casbin@3 casbin-express-authz@2 --save

Or you can simply use:

    npm install express casbin casbin-express-authz --save
Usage with Basic HTTP Authentication
By default casbin-authz supports HTTP Basic Authentication of the form Authorization: Basic {Base64Encoded(username:password)}.
Usage with Other HTTP Authentication
To use another HTTP authentication scheme such as Bearer or Digest, use a custom middleware to define the res.locals.username variable; casbin-authz will automatically pick up the value from that variable.
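    const { newEnforcer } = require('casbin');
    const express = require('express');
    const { authz } = require('casbin-express-authz');

    const app = express();
    // Placeholder paths: point these at your own Casbin model and policy files.
    const enforcer = newEnforcer('path/to/model.conf', 'path/to/policy.csv');

    // set userinfo
    app.use((req, res, next) => {
      // getUsernameFromToken is a placeholder for your own helper; set the
      // username only after the Bearer/Digest credential has been verified.
      res.locals.username = getUsernameFromToken(req);
      next();
    });

    // use authz middleware (options shape assumed; check the README of the installed version)
    app.use(authz({ newEnforcer: enforcer }));

    // response
    app.use((req, res) => {
      res.status(200).json({ status: 'OK' });
    });

    app.listen(3000);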
Usage with customized authorizer
This package provides BasicAuthorizer, which uses HTTP Basic Authentication as the authentication method. If you want to use another authentication method such as OAuth, you need to implement Authorizer as below:
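    // ... imports, Express app, Authorizer implementation and enforcer setup ...
    app.use(authz(/* the enforcer and your Authorizer instance */));
    app.listen(3000);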
How to control the access
Authorization is decided for each request based on {subject, object, action}, which means what subject can perform what action on what object. In this plugin, the meanings are:

subject: the logged-on user name
object: the URL path for the web resource like "dataset1/item1"
action: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", "write-blog"
For how to write an authorization policy and other details, please refer to the Casbin documentation.
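The {subject, object, action} check described above, as an added sketch that is not code from casbin-express-authz: a small default-deny policy table stands in for the Casbin enforcer, and POLICY, getSubject, objectMatches, enforce, demoAuthz and decide are hypothetical names. It reads only the user name from the Basic header and does not verify the password, so it models the authorization step alone.

```javascript
// Constructed policy rows: [subject, object pattern, action]; a trailing '*' is a prefix match.
const POLICY = [
  ['alice', '/dataset1/*', 'GET'],
  ['alice', '/dataset1/item1', 'POST'],
  ['bob', '/dataset2/*', 'GET'],
];

// Subject: res.locals.username when an earlier middleware set it, otherwise the
// username part of "Authorization: Basic base64(username:password)".
function getSubject(req, res) {
  if (typeof res.locals.username === 'string') return res.locals.username;
  const m = /^Basic ([A-Za-z0-9+\/]+=*)$/.exec(req.headers.authorization || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
  return sep > 0 ? decoded.slice(0, sep) : null;
}

// Object match. Dot segments are refused so "/dataset1/../dataset2/x" cannot ride a prefix rule.
function objectMatches(pattern, path) {
  if (path.split('/').includes('..')) return false;
  return pattern.endsWith('*') ? path.startsWith(pattern.slice(0, -1)) : pattern === path;
}

// Hypothetical stand-in for a Casbin enforcer: allow only on an explicit matching row.
function enforce(sub, obj, act) {
  return POLICY.some(([s, o, a]) => s === sub && a === act && objectMatches(o, obj));
}

// Express-style middleware: subject = user name, object = URL path, action = HTTP method.
function demoAuthz(req, res, next) {
  const sub = getSubject(req, res);
  if (sub === null || !enforce(sub, req.path, req.method)) {
    res.statusCode = 403; // no identifiable subject is a deny, not an anonymous pass
    return res.end('Forbidden');
  }
  return next();
}

// Runs the middleware on a constructed request and returns the resulting HTTP status.
function decide(method, path, headers = {}, locals = {}) {
  const res = { locals, statusCode: 200, end() {} };
  demoAuthz({ method, path, headers }, res, () => {});
  return res.statusCode;
}
```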
Getting Help
License
This project is licensed under the Apache 2.0 license.