auth icon indicating copy to clipboard operation
auth copied to clipboard
verified publisher icon vapor

Add System for Authorization Checks

Open daSkier opened this issue 8 years ago • 6 comments

I've been wanting to add some permissions around my routes and I thought I'd write my thoughts down as as suggestions or ideas for future development. I'm new to Vapor and backend development, so please take this with a grain of salt.

Roles/Permissions

First, I thought it would be great to be able to add some ability to define permissions levels or roles in conjunction with the User model. It seems like the most flexible system would allow the author to define these levels on their own (These could be defined as either one-to-one or one-to-many). Alternatively, Vapor could provide preset permissions levels, but that seems like possible overkill. Presumably this could be built as a Protocol any model could conform to, but concrete implementations could be provided as well.

Authorizable Could be designed like Timestampable:

extension User: Authorizable {
    // Adds mapping to Authorizable key path properties
    static var permissionsKey: WritableKeyPath<User, [PermissionType]> { return \.roleLevel }
}

Rules/Authorization

Now, to add Authorization the routes you could add an extra function to the route chain like .authorize(using: .FooPolicy). This could be done with a closure or function that accepts arguments that could be used to define a true/false or pass/fail test. Laravel does something similar with their Authorization system.

If you start with a collection of routes like this:

let athleteRoutes = router.grouped("api", "athletes")
athleteRoutes.get(use: index)
athleteRoutes.post(use: create)
athleteRoutes.delete(Athlete.parameter, use: delete)

With Authorization the route group could end up looking like the following:

let athleteRoutes = router.authorize(using: athletePolicy).grouped("api", "athletes")
athleteRoutes.get(use: index)
athleteRoutes.post(use: create)
athleteRoutes.delete(Athlete.parameter, use: delete)

Or:

let athleteRoutes = router.grouped("api", "athletes")
athleteRoutes.get(use: index)
athleteRoutes.authorize(using: athleteEditPolicy).post(use: create)
athleteRoutes.authorize(using: athleteEditPolicy).delete(Athlete.parameter, use: delete)

Ideally, you could add this authorization component at both the individual route or route group level.

The authorization function could look something like this:

func athletePolicy(_ req: Request) throws -> Future<Bool> {
    return user.permissions.contains(.athleteEditor) // pseudocode for getting user permissions levels 
}

Or:

func athleteEditPolicy(_ req: Request) throws -> Future<Bool> {
    return try req.content.decode(Athlete.self).map(to: Bool.self) { athlete in 
        return athlete.ownerID == user.ID //pseudocode for getting user.ID
    }
}

In the event that the Authorization process fails, I'd be great if Vapor sent the appropriate HTTP error code (I think this would be a 403, but I could be wrong).

daSkier avatar Mar 22 '18 06:03 daSkier

I like the implementation above but I feel like authentication and authorization shouldn't be part of the same package. This should be separate.

natebird avatar Mar 20 '19 01:03 natebird

This actually was a part of the first version of this package, we just didn't have time to port it over during Vapor 3's release. See: https://github.com/vapor/auth/tree/1.2.1/Sources/Authorization

Hopefully I'll have time for Vapor 4's release to work on it. I think the "policy" idea here is interesting. I also like how Laravel does it: https://laravel.com/docs/5.8/authorization.

tanner0101 avatar Mar 20 '19 03:03 tanner0101

Oh, interesting. I might be able to help with it. I'll have need of something like that in my app in a couple of weeks.

natebird avatar Mar 20 '19 11:03 natebird

Cool, that would be greatly appreciated. For this large of a change, I'd recommend doing a pitch first to really flesh out the idea and get feedback before code is written. You can see a couple examples of that here:

https://forums.swift.org/tags/c/related-projects/vapor/pitch

tanner0101 avatar Mar 20 '19 14:03 tanner0101

Hi @tanner0101

I started a generic package for RBAC. It's currently stalled as it can't compile with Swift 5 due to a regression I logged with the Swift team. It's based off the NIST model. I've used it with Yii and it allowed me really granular control over routes and to apply custom rule files to those routes. I was hoping to get it finished before Vapor 4. But depends on when this bug is fixed. But if it sounds like it or aspects of it might be useful let me know i'd be happy to help. Gotta earn that contributor/maintainer badge somehow :)

jonny7 avatar Apr 09 '19 18:04 jonny7

I've posted a pitch on the forum here with some ideas: https://forums.swift.org/t/pitch-vapor-4-authorization-system/22980

jdmcd avatar Apr 12 '19 01:04 jdmcd