
Problem description

I am using node acl to authorize the REST endpoints in my node application.

Role-based authorization works fine for the following URLs.

// Setup added for completeness: node_acl instance with the in-memory backend.
const Acl = require('acl');
const acl = new Acl(new Acl.memoryBackend());

acl.allow([
    {
        roles: ['user'],
        allows: [
            {
                resources: ['/books/v1/single'],
                permissions: ['post'],
            },
            {
                resources: ['/books/v1/book/list'],
                permissions: ['get'],
            },
        ],
    },
    {
        roles: ['admin'],
        allows: [
            {
                resources: ['/books/v1/list'],
                permissions: ['get'],
            },
        ],
    },
]);

But when I try to add dynamic URLs it does not work as expected and gives an error, meaning unauthorized, more permissions required.

acl.allow([
    {
        roles: ['user'],
        allows: [
            {
                resources: ['/books/v1/single'],
                permissions: ['post'],
            },
            {
                resources: ['/books/v1/book/list'],
                permissions: ['get'],
            },
        ],
    },
    {
        roles: ['admin'],
        allows: [
            {
                resources: ['/books/v1/list'],
                permissions: ['get'],
            },
            {
                // Dynamic URLs with route parameters
                resources: ['/books/v1/user/:userID/book/:bookID'],
                permissions: ['get', 'put', 'delete'],
            },
            {
                resources: ['/users/v1/list'],
                permissions: ['get'],
            },
            {
                resources: ['/users/v1/:userId'],
                permissions: ['get', 'post', 'put', 'delete'],
            },
        ],
    },
]);

So it gives an unauthorized error for the REST endpoints with dynamic URLs, i.e. /users/v1/:userId and /books/v1/user/:userID/book/:bookID

Is there any way/method to achieve this with the node-acl library?

Tags: node.js, rest, authorization, acl, role-base-authorization

Solution


That's because node acl does not actually support hierarchy. It is really just a flat list, so it is explicitly checking for the string to match the resource. This is just a fundamental problem with the package. Since all the functionality is contained in the middleware, and it just isn't extensible there is no way to do what you want with this package without making a change so that it accepts a custom handler to decide what to pass to the middleware check.

Here's an example of the relevant open issue from 2017-08. The lack of functionality here is exactly why solutions like PolicyServer and Authress exist which do handle wildcard middleware and dynamic resource hierarchies.
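To make the answer's point concrete, here is an added example (not code from the question, the answer, or node_acl itself) that takes the same rule shape the question passes to acl.allow() and evaluates it two ways: a flat exact-string comparison, which is why '/users/v1/42' is denied against '/users/v1/:userId', and a segment-wise template match that a custom check outside the package's middleware could use. The rule table is trimmed to the relevant entries, and the check is deny-by-default.

```javascript
// Same rules as the question, trimmed to the entries that matter here.
const aclConfig = [
  { roles: ['user'],  allows: [{ resources: ['/books/v1/book/list'], permissions: ['get'] }] },
  { roles: ['admin'], allows: [
      { resources: ['/users/v1/list'],    permissions: ['get'] },
      { resources: ['/users/v1/:userId'], permissions: ['get', 'post', 'put', 'delete'] },
      { resources: ['/books/v1/user/:userID/book/:bookID'], permissions: ['get', 'put', 'delete'] },
  ] },
];

// Flatten {roles, allows} into {role, resource, permission} triples.
function buildRules(config) {
  const rules = [];
  for (const entry of config)
    for (const role of entry.roles)
      for (const allow of entry.allows)
        for (const resource of allow.resources)
          for (const permission of allow.permissions)
            rules.push({ role, resource, permission: permission.toLowerCase() });
  return rules;
}

// Flat check, as the answer describes: the request path must equal the
// resource string byte for byte, so '/users/v1/42' never matches '/users/v1/:userId'.
function flatIsAllowed(rules, role, path, method) {
  const m = method.toLowerCase();
  return rules.some(r => r.role === role && r.resource === path && r.permission === m);
}

// Segment-wise template match. Only a ':name' segment is a wildcard and it
// consumes exactly one non-empty segment, so '/users/v1/42/extra' and
// '/users/v1/' do not match '/users/v1/:userId'. The query string is ignored.
function matchesTemplate(template, path) {
  const t = template.split('/');
  const p = path.split('?')[0].split('/');
  if (t.length !== p.length) return false;
  return t.every((seg, i) => (seg.startsWith(':') ? p[i].length > 0 : seg === p[i]));
}

// Pattern-aware check: same deny-by-default semantics, but the resource in
// each rule is treated as a route template rather than a literal string.
function patternIsAllowed(rules, role, path, method) {
  const m = method.toLowerCase();
  return rules.some(r => r.role === role && r.permission === m && matchesTemplate(r.resource, path));
}
```

In a real Express app the template for the matched route is available as req.route.path, so a custom middleware can pass that (rather than req.url) to the permission check.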

