Sunday, 17 January 2016

Complex Authorisation in a node app

Hey, let me just preface this post by saying I am by no means an expert in node. I have just been playing around and built a couple of toys, and I am now building my first app that I am hoping to put into production. I would love some advice from more experienced programmers.

So I am building an app. The DB I am using is mongo with mongoose as my ORM, and my framework is hapijs.

I have a pretty confusing authorisation structure that I need to implement, which I am not sure if I can do with existing modules. So let's set out my structure.

Users are part of "teams". Within each team they have a role; this role grants them specific privileges that allow them to access certain routes and carry out actions on data. For instance, if they are an admin they can modify other users' profiles and the team itself. A single user can be part of multiple teams and have a different role on each team.

Then there are resources, which are user created. A user can grant access to this resource to a role. This will allow all users within any teams that the creator is part of who are assigned that role to access the data, but only when they have that team as their "active one". Users can then also create finer-grained access where they can grant a single user access to that resource.

Now please let me know if I haven't explained myself properly. I understand it's pretty complex and confusing.

The approach I am looking at to handle this is similar to how AWS handles IAM authorisation. Each resource has a document that specifies the specific actions roles or users can perform, and the server checks this document on every request. There will then be a general policy document for the roles as a whole on the actions they can perform.

If I am going about this completely the wrong way please tell me. Thanks.

Submitted January 18, 2016 at 12:04AM by mrjonny2
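One way to evaluate the IAM-style policy documents the post describes, as an added example that is not the poster's code and not part of hapijs or mongoose. Plain in-memory objects stand in for mongoose documents; the action names (`resource:read`, `team:update`, ...), the rule that an owner gets every action on their own resource, and the rule that an explicit `deny` beats any `allow` are assumptions, since the post does not specify them. The role-grant condition follows the post exactly: a role grant on a resource applies only when the requesting user's active team is one the resource creator also belongs to, and the user holds that role on the active team.

```javascript
'use strict';

// Added example, not the poster's code. Plain objects stand in for mongoose
// documents; action names, "owner gets everything" and "explicit deny wins"
// are assumptions the post does not spell out.

// Constructed users: memberships maps teamId -> role on that team, and
// activeTeam selects which membership governs the current request.
const users = {
  alice: { id: 'alice', activeTeam: 'blue',  memberships: { blue: 'admin', red: 'member' } },
  bob:   { id: 'bob',   activeTeam: 'blue',  memberships: { blue: 'editor' } },
  carol: { id: 'carol', activeTeam: 'red',   memberships: { red: 'editor', green: 'admin' } },
  dave:  { id: 'dave',  activeTeam: 'green', memberships: { green: 'member' } },
};

// General policy for roles as a whole: the actions each role may perform on
// team-level objects (routes such as "edit the team" check this).
const rolePolicy = {
  admin:  ['team:update', 'user:update', 'resource:create'],
  editor: ['resource:create'],
  member: [],
};

// A user-created resource with its own IAM-style policy document. Each
// statement grants (or denies) actions to one principal: a role or a user.
const report = {
  id: 'report-1',
  ownerId: 'alice',
  policy: [
    { effect: 'allow', principal: { role: 'editor' }, actions: ['resource:read', 'resource:update'] },
    { effect: 'allow', principal: { user: 'dave' },   actions: ['resource:read'] },
    { effect: 'deny',  principal: { user: 'bob' },    actions: ['resource:update'] },
  ],
};

// Does this statement's principal cover the requesting user?
// A role grant applies only when the user's *active* team is one the
// resource owner also belongs to, and the user holds that role there.
// A user grant applies to that user regardless of team.
function principalMatches(principal, user, owner) {
  if (principal.user !== undefined) return principal.user === user.id;
  if (principal.role !== undefined) {
    const team = user.activeTeam;
    const ownerInTeam = Object.prototype.hasOwnProperty.call(owner.memberships, team);
    return ownerInTeam && user.memberships[team] === principal.role;
  }
  return false;
}

// Resource-level check: deny by default, owner always allowed, an explicit
// deny beats any allow, otherwise allowed if a matching statement allows it.
function isAllowedOnResource(user, action, resource, directory) {
  if (resource.ownerId === user.id) return true;
  const owner = directory[resource.ownerId];
  if (!owner) return false;                 // unknown owner: fail closed
  let allowed = false;
  for (const stmt of resource.policy) {
    if (!stmt.actions.includes(action)) continue;
    if (!principalMatches(stmt.principal, user, owner)) continue;
    if (stmt.effect === 'deny') return false;
    if (stmt.effect === 'allow') allowed = true;
  }
  return allowed;
}

// Team-level check against the general role policy, using the active team.
function isAllowedOnTeam(user, action) {
  const role = user.memberships[user.activeTeam];
  if (role === undefined) return false;
  return (rolePolicy[role] || []).includes(action);
}

// Same user, different active team: the answer changes with the context.
function withActiveTeam(user, teamId) {
  return Object.assign({}, user, { activeTeam: teamId });
}

console.log('bob reads report:',
  isAllowedOnResource(users.bob, 'resource:read', report, users));          // true
console.log('carol (green active) reads report:',
  isAllowedOnResource(withActiveTeam(users.carol, 'green'), 'resource:read', report, users)); // false
```

In a hapi app this check would run as a route `pre` step or in an `onPreHandler` extension, with the user taken from the authenticated credentials and the resource loaded from mongoose; the handler is reached only when the evaluator returns true and the request is answered with 403 otherwise. Two things are worth keeping from the evaluator as written: it is deny-by-default (an unknown owner, an unknown role or an empty policy all yield false), and the active-team condition is enforced inside the evaluator rather than trusted from the client, so the same user gets different answers for the same resource purely by switching teams.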
