OAuth2Server
RBAC for API access (in addition to access tokens, etc)
This is a subject for discussion at this week's hangout on Thursday at 10am Pacific.
We're going to have administration services, client apps, and protected resources all trying to access different parts of this api. It may also be necessary to limit which services can take particular actions on a resource. Here's a little sketch of how RBAC might be implemented.
Authorization is a function of permissions for some actor to perform some action on a resource.
function check (permissions, actor, resource, action) {
  // Deny by default: every level of the lookup must be an own property, so a
  // role or resource named "constructor" or "__proto__" cannot match something
  // inherited from Object.prototype.
  var own = Object.prototype.hasOwnProperty;
  if (!actor || typeof actor.role !== 'string') return false;
  if (!own.call(permissions, actor.role)) return false;
  var byResource = permissions[actor.role];
  if (!own.call(byResource, resource)) return false;
  var actions = byResource[resource];
  // Permissions are registered as arrays of action names, so test membership
  // rather than indexing the array with the action string.
  return Array.isArray(actions) && actions.indexOf(action) !== -1;
}
We need a way to register permissions and the ability to check permissions for an actor.
function permit(actor, permissions) {
  // actor is a constructor (e.g. Credentials); every instance gains can().
  actor.prototype.can = function (act, resource) {
    return check(permissions, this, resource, act);
  };
}
Here's registration of permissions in action...
permit(Credentials, {
administrator: {
user: ['create', 'find', 'update', 'destroy'],
client: ['create', 'find', 'update', 'destroy'],
resource: ['create', 'find', 'update', 'destroy'],
credentials: ['create', 'find', 'update', 'destroy']
},
client: {
user: ['create', 'find', 'update', 'destroy'],
client: ['find', 'update', 'destroy']
},
resource: {
resource: ['create', 'find', 'update', 'destroy']
}
});
Finally, we'll need some middleware to authorize access.
function authorize(act, resource) {
  return function (req, res, next) {
    // req.isAuthenticated() comes from Passport; req.user is the actor
    // instance whose can() was attached by permit().
    if (req.isAuthenticated() && req.user.can(act, resource)) {
      next();
    } else {
      // Forbidden: authenticated or not, this actor may not perform the action.
      // (res.send(403) on Express 3; res.sendStatus(403) on Express 4.)
      res.sendStatus(403);
    }
  };
}
Appreciate your thoughts on this. Thanks.
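As an added, stand-alone example (not code from the original post or the OAuth2Server project): the sketch above assembled into one runnable module with a deny-by-default lookup, the post's original check kept alongside it as naiveCheck for comparison, and a fake Express/Passport-style request so authorize() can be driven without a server. buildPermissions, Credentials, runMiddleware, naiveCheck and the inline permission table are assumptions made for this example.

```javascript
'use strict';
// Added example, not code from the original post: a self-contained version of
// the RBAC sketch (permission table, check, permit, authorize) with a
// deny-by-default lookup, plus a fake Express-style request/response so the
// middleware can be exercised without a server. buildPermissions, Credentials,
// runMiddleware, naiveCheck and the inline table are assumptions made here.

// The post's original lookup, kept only for comparison. Two problems: the
// action is used as an array index, so '0' or 'length' are "granted", and
// keys inherited from Object.prototype (e.g. resource 'constructor') match.
function naiveCheck(permissions, actor, resource, action) {
  return (permissions[actor.role]
    && permissions[actor.role][resource]
    && permissions[actor.role][resource][action])
    ? true
    : false;
}

// Copy the registered table into prototype-free objects so that a lookup such
// as permissions['constructor'] can never resolve to something inherited.
function buildPermissions(table) {
  var permissions = Object.create(null);
  Object.keys(table).forEach(function (role) {
    var byResource = Object.create(null);
    Object.keys(table[role]).forEach(function (resource) {
      var actions = table[role][resource];
      if (!Array.isArray(actions)) {
        throw new TypeError('actions for ' + role + '/' + resource + ' must be an array');
      }
      byResource[resource] = actions.slice();
    });
    permissions[role] = byResource;
  });
  return permissions;
}

// Deny by default: the role and resource must be registered and the action
// must be a member of the action list (membership test, not an index).
function check(permissions, actor, resource, action) {
  if (!actor || typeof actor.role !== 'string') return false;
  var byResource = permissions[actor.role];
  if (!byResource) return false;
  var actions = byResource[resource];
  return Array.isArray(actions) && actions.indexOf(action) !== -1;
}

// Attach can(action, resource) to every instance of the actor constructor.
function permit(Ctor, table) {
  var permissions = buildPermissions(table);
  Ctor.prototype.can = function (action, resource) {
    return check(permissions, this, resource, action);
  };
}

// Express/Passport-style middleware factory, as in the post.
function authorize(action, resource) {
  return function (req, res, next) {
    if (req.isAuthenticated() && req.user.can(action, resource)) {
      return next();
    }
    res.sendStatus(403);
  };
}

// Constructed actor type and permission table (same roles as the post).
function Credentials(role) { this.role = role; }

var TABLE = {
  administrator: {
    user: ['create', 'find', 'update', 'destroy'],
    client: ['create', 'find', 'update', 'destroy'],
    resource: ['create', 'find', 'update', 'destroy'],
    credentials: ['create', 'find', 'update', 'destroy']
  },
  client: {
    user: ['create', 'find', 'update', 'destroy'],
    client: ['find', 'update', 'destroy']
  },
  resource: {
    resource: ['create', 'find', 'update', 'destroy']
  }
};

permit(Credentials, TABLE);

// Drive authorize() with a fake request; user === null means unauthenticated.
// Returns what the middleware did so it can be inspected.
function runMiddleware(action, resource, user) {
  var outcome = { status: null, nextCalled: false };
  var req = { user: user, isAuthenticated: function () { return user !== null; } };
  var res = { sendStatus: function (code) { outcome.status = code; } };
  authorize(action, resource)(req, res, function () { outcome.nextCalled = true; });
  return outcome;
}

// Sample run on constructed inputs.
console.log('client can create client?', new Credentials('client').can('create', 'client'));
console.log('naive check grants "length":', naiveCheck(TABLE, { role: 'client' }, 'client', 'length'));
console.log('middleware, anonymous request:', runMiddleware('find', 'user', null));
```

The contrast worth noting is that the original lookup treats the action list as an object: `['find', 'update', 'destroy']['length']` is 3 and `['constructor']` on a plain object is a function, both truthy, so an attacker who controls the action or resource string can pass the check. A membership test on a prototype-free table closes both.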