joshnuss · February 18, 2025 15:49 · katonahmike · Oct 25, 2022 · luong12g · Oct 26, 2022
diff --git a/app.js b/app.js
 // the main app file
 import express from "express";
 import loadDb from "./loadDb"; // dummy middleware to load db (sets request.db)
 import authenticate from "./authentication"; // middleware for doing authentication
 import permit from "./authorization"; // middleware for checking if user's role is permitted to make request

 const app = express(),
      api = express.Router();

 // first middleware will setup db connection
 app.use(loadDb);

 // authenticate each request
 // will set `request.user`
 app.use(authenticate);

 // setup permission middleware,
 // check `request.user.role` and decide if ok to continue 
 app.use("/api/private", permit("admin"));
 app.use(["/api/foo", "/api/bar"], permit("manager", "employee"));

 // setup requests handlers
 api.get("/private/whatever", (req, res) => res.json({whatever: true}));
 api.get("/foo", (req, res) => res.json({currentUser: req.user}));
 api.get("/bar", (req, res) => res.json({currentUser: req.user}));

 // setup permissions based on HTTP Method

 // account creation is public
 api.post("/account", (req, res) => res.json({message: "created"}));

 // account update & delete (PATCH & DELETE) are only available to managers
 api.patch("/account", permit('manager'), (req, res) => res.json({message: "updated"}));
 api.delete("/account", permit('manager'), (req, res) => res.json({message: "deleted"}));

 // viewing account "GET" available to manager and employee
 api.get("/account", permit('manager', 'employee'),  (req, res) => res.json({currentUser: req.user}));

 // mount api router
 app.use("/api", api);

 // start 'er up
 app.listen(process.env.PORT || 3000);
diff --git a/authentication.js b/authentication.js
 // middleware for authentication
 export default async function authorize(request, _response, next) {
  const apiToken = request.headers['x-api-token'];
  
  // set user on-success
  request.user = await request.db.users.findByApiKey(apiToken);
     
  // always continue to next middleware
  next();
 }
diff --git a/authorization.js b/authorization.js
 // middleware for doing role-based permissions
 export default function permit(...permittedRoles) {
  // return a middleware
  return (request, response, next) => {
    const { user } = request

    if (user && permittedRoles.includes(user.role)) {
      next(); // role is allowed, so continue on the next middleware
    } else {
      response.status(403).json({message: "Forbidden"}); // user is forbidden
    }
  }
 }
diff --git a/loadDb.js b/loadDb.js
 // dummy middleware for db (set's request.db)
 export default function loadDb(request, _response, next) {
  
  // dummy db
  request.db = {
    users: {
      findByApiKey: async token => {
        switch {
          case (token == '1234') {
            return {role: 'manager', id: 1234};
          case (token == '5678') {
            return {role: 'employee', id: 5678};
          default:
            return null; // no user
        }
      }
    }
  };
  
  next();
 }
	// the main app file
	import express from "express";
	import loadDb from "./loadDb"; // dummy middleware to load db (sets request.db)
	import authenticate from "./authentication"; // middleware for doing authentication
	import permit from "./authorization"; // middleware for checking if user's role is permitted to make request

	const app = express(),
	api = express.Router();

	// first middleware will setup db connection
	app.use(loadDb);

	// authenticate each request
	// will set `request.user`
	app.use(authenticate);

	// setup permission middleware,
	// check `request.user.role` and decide if ok to continue
	app.use("/api/private", permit("admin"));
	app.use(["/api/foo", "/api/bar"], permit("manager", "employee"));

	// setup requests handlers
	api.get("/private/whatever", (req, res) => res.json({whatever: true}));
	api.get("/foo", (req, res) => res.json({currentUser: req.user}));
	api.get("/bar", (req, res) => res.json({currentUser: req.user}));

	// setup permissions based on HTTP Method

	// account creation is public
	api.post("/account", (req, res) => res.json({message: "created"}));

	// account update & delete (PATCH & DELETE) are only available to managers
	api.patch("/account", permit('manager'), (req, res) => res.json({message: "updated"}));
	api.delete("/account", permit('manager'), (req, res) => res.json({message: "deleted"}));

	// viewing account "GET" available to manager and employee
	api.get("/account", permit('manager', 'employee'), (req, res) => res.json({currentUser: req.user}));

	// mount api router
	app.use("/api", api);

	// start 'er up
	app.listen(process.env.PORT \|\| 3000);
	// middleware for authentication
	export default async function authorize(request, _response, next) {
	const apiToken = request.headers['x-api-token'];

	// set user on-success
	request.user = await request.db.users.findByApiKey(apiToken);

	// always continue to next middleware
	next();
	}
	// middleware for doing role-based permissions
	export default function permit(...permittedRoles) {
	// return a middleware
	return (request, response, next) => {
	const { user } = request

	if (user && permittedRoles.includes(user.role)) {
	next(); // role is allowed, so continue on the next middleware
	} else {
	response.status(403).json({message: "Forbidden"}); // user is forbidden
	}
	}
	}
	// dummy middleware for db (set's request.db)
	export default function loadDb(request, _response, next) {

	// dummy db
	request.db = {
	users: {
	findByApiKey: async token => {
	switch {
	case (token == '1234') {
	return {role: 'manager', id: 1234};
	case (token == '5678') {
	return {role: 'employee', id: 5678};
	default:
	return null; // no user
	}
	}
	}
	};

	next();
	}