@r2d2bzh/moleculer-authz-helpers 1.0.1 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.adoc +43 -3
- package/package.json +5 -2
- package/src/add-preflight-mixin.js +5 -3
- package/src/request-authorizations.js +5 -1
package/README.adoc
CHANGED
|
@@ -2,8 +2,18 @@
|
|
|
2
2
|
:sectnums:
|
|
3
3
|
:toc: left
|
|
4
4
|
|
|
5
|
+
ifdef::env-github[]
|
|
6
|
+
:tip-caption: :bulb:
|
|
7
|
+
:note-caption: :information_source:
|
|
8
|
+
:important-caption: :heavy_exclamation_mark:
|
|
9
|
+
:caution-caption: :fire:
|
|
10
|
+
:warning-caption: :warning:
|
|
11
|
+
endif::[]
|
|
12
|
+
|
|
5
13
|
= Moleculer authorization helpers
|
|
6
14
|
|
|
15
|
+
== Rationale
|
|
16
|
+
|
|
7
17
|
The current authorization strategy used by the R2D2 stack is to operate a preflight from the API gateway before it actually calls an action of a backend service.
|
|
8
18
|
These preflight actions can either decide themselves if the call is authorized or ask other services for an authorization.
|
|
9
19
|
|
|
@@ -11,17 +21,44 @@ These requests are sent through Moleculer events.
|
|
|
11
21
|
Services subscribing to these events will either reply with a boolean (`true` = authorized, `false` = forbidden) or will not reply if they cannot answer (`undefined` answer).
|
|
12
22
|
An authorization request is considered successful if at least one service has authorized the request and no service has forbidden the request (which means that if nobody answered, the request is implicitly forbidden).
|
|
13
23
|
|
|
24
|
+
[NOTE]
|
|
25
|
+
====
|
|
26
|
+
Events are used instead of actions as the authorization requester does not necessarily know which service answers its authorization requests.
|
|
27
|
+
Moreover, multiple services could be responsible to answer one authorization request.
|
|
28
|
+
====
|
|
29
|
+
|
|
30
|
+
=== Use case
|
|
31
|
+
|
|
32
|
+
The following example considers a shared todo list service.
|
|
33
|
+
This service exposes an action to update a todo item and notify by email the todo list members of this update. +
|
|
34
|
+
Depending on the user, the email sender will authorize or not the notification.
|
|
35
|
+
|
|
36
|
+
The following services are at play:
|
|
37
|
+
|
|
38
|
+
* todo-list: manage todo lists
|
|
39
|
+
* email-sender: send emails
|
|
40
|
+
* members-service: manage users
|
|
41
|
+
* moleculer-web: expose actions
|
|
42
|
+
|
|
43
|
+
image::docs/use-case.svg[]
|
|
44
|
+
|
|
45
|
+
== Helpers
|
|
46
|
+
|
|
14
47
|
Currently, this library provides the following helpers:
|
|
15
48
|
|
|
16
49
|
* `addPreflightMixin` to build and add a preflight mixin in a service schema
|
|
17
50
|
* `isAuthorized` to decide whether one or more authorization requests have all succeeded based on the answers provided by the subscribers
|
|
18
51
|
* `requestAuthorizations` to send multiple authorization requests at once
|
|
19
52
|
|
|
20
|
-
|
|
53
|
+
=== `addPreflightMixin`
|
|
21
54
|
|
|
22
55
|
This helper adds a service mixin used to generate preflight actions for actions exposed through rest.
|
|
23
56
|
It takes a Moleculer service schema as a parameter and returns the same service schema with the mixin added.
|
|
24
57
|
|
|
58
|
+
This helper also adds the `callEventMixin` provided by https://www.npmjs.com/package/@r2d2bzh/moleculer-event-callback[@r2d2bzh/moleculer-event-callback].
|
|
59
|
+
`callEventMixin` injects a `$$callEvent` method to make authorization requests.
|
|
60
|
+
It also provides the callback action needed to receive the return value of authorization requests.
|
|
61
|
+
|
|
25
62
|
NOTE: A preflight action takes the same parameters as the original action.
|
|
26
63
|
|
|
27
64
|
To define a preflight handler, you must add a preflight attribute to an action:
|
|
@@ -67,7 +104,7 @@ Only actions where authorization is disabled do not enforce a preflight:
|
|
|
67
104
|
----
|
|
68
105
|
====
|
|
69
106
|
|
|
70
|
-
|
|
107
|
+
=== `isAuthorized`
|
|
71
108
|
|
|
72
109
|
This helper decides whether or not something is authorized based on the answers to one or more authorization requests.
|
|
73
110
|
It implements the following rules:
|
|
@@ -96,10 +133,13 @@ The signature of `isAuthorized` is `(logger) => (answer) => true | false`:
|
|
|
96
133
|
** `undefined`:: the responder is not able to answer
|
|
97
134
|
* multiple `true` or `false` answers were provided to the same authorization request
|
|
98
135
|
|
|
99
|
-
|
|
136
|
+
=== `requestAuthorizations`
|
|
100
137
|
|
|
101
138
|
This helper operates multiple authorization requests at once and returns a promise which result can be handled by `isAuthorized`.
|
|
102
139
|
|
|
140
|
+
This helper uses the `$$callEvent` method provided by the `callEventMixin` of https://www.npmjs.com/package/@r2d2bzh/moleculer-event-callback[@r2d2bzh/moleculer-event-callback] (see `addPreflightMixin`).
|
|
141
|
+
This allows the retrieval of authorization requests return values.
|
|
142
|
+
|
|
103
143
|
[source,javascript]
|
|
104
144
|
----
|
|
105
145
|
requestAuthorization(moleculerContext)([
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@r2d2bzh/moleculer-authz-helpers",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "2.0.2",
|
|
4
4
|
"description": "Moleculer mixin to implement preflight runner",
|
|
5
5
|
"main": "index.js",
|
|
6
6
|
"type": "module",
|
|
@@ -39,7 +39,10 @@
|
|
|
39
39
|
"node": ">=12.0.0"
|
|
40
40
|
},
|
|
41
41
|
"peerDependencies": {
|
|
42
|
-
"lodash": "^4.17.21",
|
|
43
42
|
"moleculer": "^0.14.0"
|
|
43
|
+
},
|
|
44
|
+
"dependencies": {
|
|
45
|
+
"@r2d2bzh/moleculer-event-callback": "~0.0.1",
|
|
46
|
+
"lodash": "^4.17.21"
|
|
44
47
|
}
|
|
45
48
|
}
|
|
@@ -1,11 +1,12 @@
|
|
|
1
1
|
import cloneDeep from 'lodash/cloneDeep.js';
|
|
2
2
|
import moleculer from 'moleculer';
|
|
3
|
+
import { callEventMixin } from '@r2d2bzh/moleculer-event-callback';
|
|
3
4
|
|
|
4
5
|
const {
|
|
5
6
|
Errors: { MoleculerError },
|
|
6
7
|
} = moleculer;
|
|
7
8
|
|
|
8
|
-
export const unsafeAddPreflightMixin = (serviceSchema) => {
|
|
9
|
+
export const unsafeAddPreflightMixin = (serviceSchema, { timeout }) => {
|
|
9
10
|
const actionsWithPreflight = Object.entries(serviceSchema.actions || {}).filter(
|
|
10
11
|
([, actionSpecification]) => actionSpecification?.preflight
|
|
11
12
|
);
|
|
@@ -28,12 +29,13 @@ export const unsafeAddPreflightMixin = (serviceSchema) => {
|
|
|
28
29
|
{
|
|
29
30
|
actions: Object.fromEntries(preflightActions),
|
|
30
31
|
},
|
|
32
|
+
callEventMixin({ timeout }),
|
|
31
33
|
];
|
|
32
34
|
|
|
33
35
|
return schema;
|
|
34
36
|
};
|
|
35
37
|
|
|
36
|
-
export default (serviceSchema) => {
|
|
38
|
+
export default (serviceSchema, { timeout = 200 } = {}) => {
|
|
37
39
|
Object.entries(serviceSchema.actions || {})
|
|
38
40
|
.filter(([, actionSpecification]) => actionSpecification?.rest && actionSpecification.rest?.authorization !== false)
|
|
39
41
|
.forEach(([actionName, actionSpecification]) => {
|
|
@@ -42,5 +44,5 @@ export default (serviceSchema) => {
|
|
|
42
44
|
}
|
|
43
45
|
});
|
|
44
46
|
|
|
45
|
-
return unsafeAddPreflightMixin(serviceSchema);
|
|
47
|
+
return unsafeAddPreflightMixin(serviceSchema, { timeout });
|
|
46
48
|
};
|
|
@@ -1,2 +1,6 @@
|
|
|
1
1
|
export default (ctx) => (requests) =>
|
|
2
|
-
Promise.all(
|
|
2
|
+
Promise.all(
|
|
3
|
+
requests.map(({ eventName, parameters, options }) =>
|
|
4
|
+
ctx.service.$$callEvent(ctx, { eventName, payload: parameters, options })
|
|
5
|
+
)
|
|
6
|
+
);
|