  • Language
    JavaScript
  • Created over 10 years ago
  • Updated almost 5 years ago

Repository Details

Authorization plumbing for NodeJS/ExpressJS/ConnectJS apps

MustBe: Authorization Plumbing For NodeJS / Express Apps

MustBe is not a complete authorization framework, with roles and responsibilities and models and data access and everything that you need. Rather, it is the underlying plumbing that you need to secure your site. It allows you to fill in the necessary parts to manage data access, roles and users, and gives you the activity based plumbing to secure it all.

Authorization, Not Authentication

MustBe is an authorization system - the part of a security system that decides whether or not you are allowed to do something. It is the second half of the authentication and authorization pair, where authentication simply determines who you are.

Specifically, MustBe is an activity based authorization system. It allows you to verify that a user has permissions to perform any given activity in your application.

What Is Activity Based Authorization?

The gist of it is that you check whether or not a user has permission to perform an activity. How they get permission to do that activity is up to you. Maybe it's through a role, maybe it's through data they have been assigned to. But the permission for the activity is what needs to be checked.

For more detail on this, check out my 2011 article on using activity based authorization checks. It will give you the core of what you need to know about why role-based authorization checks are a bad idea, and why activity based permissions are the way to go.

Documentation

Detailed documentation about the configuration and use of MustBe can be found in the documentation folder.

Demo App

There is a small demo app located in the /demo folder of this repository. You can run the demo app by first installing the dependencies for mustbe with:

npm install

And then going into the demo folder and running the following:

npm install

npm start

Now go to http://localhost:3000 and you will see a small demonstration of various MustBe features.

Getting Started

The first thing you need to do is install MustBe, and save it to your package.json file.

npm install --save mustbe

Configure Once In Your App

In your app.js (or whatever bootstraps your app), require the MustBe module, and also bring in a mustbe-config module which you will define in a moment.

Call the .configure method on the mustBe object, and pass in the function that is exported from the config module.

// app.js

var mustBe = require("mustbe");
var mustBeConfig = require("./mustbe-config");
mustBe.configure(mustBeConfig);

Create The Configuration

Now you can create a mustbe-config.js file for your application. Having the config file separate from the app.js bootstrapper file helps to keep things clean.

Open the mustbe-config.js file and build your configuration. Provide configuration for your user identity, route helpers, activities and/or overrides.

Here is a basic configuration example from which you can start:

// ./mustbe-config.js
var mustBe = require("mustbe");
module.exports = function(config){

  config.routeHelpers(function(rh){
    // get the current user from the request object
    rh.getUser(function(req, cb){
      // return cb(err); if there is an error
      cb(null, req.user);
    });

    // what do we do when the user is not authorized?
    rh.notAuthorized(function(req, res, next){
      res.redirect("/login?msg=you are not authorized");
    });
  });

  config.activities(function(activities){
    // configure an activity with an authorization check
    activities.can("view thing", function(identity, params, cb){
      var id = params["id"];
      // someLib stands in for your own data access module
      someLib.anotherThing(id, function(err, thing){
        if (err) { return cb(err); }
        var hasThing = !!thing;
        cb(null, hasThing);
      });
    });
  });

};

Now you can run the mustBe functions on your routes.

var mustBe = require("mustbe").routeHelpers();
var express = require("express");

var router = express.Router();
router.get("/:id", mustBe.authorized("view thing"), view);

function view(req, res, next){
  res.render("/something");
}
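
What a route guard such as mustBe.authorized("view thing") has to decide on each request, shown as an added, self-contained sketch. This is not MustBe's source or API: createAuthz, simulate, the docs data and the "auditor" role are hypothetical names, and only the (identity, params, cb) check shape is taken from the configuration above.

```javascript
// Added illustration, not MustBe source: a minimal activity registry and
// Express-style middleware. All names here are hypothetical.
function createAuthz(getUser, notAuthorized) {
  const checks = new Map();
  return {
    // register a check: fn(identity, params, cb) calls cb(err, allowed)
    can(activity, fn) { checks.set(activity, fn); },
    authorized(activity) {
      return function (req, res, next) {
        const deny = () => notAuthorized(req, res, next);
        getUser(req, (err, user) => {
          if (err) return next(err);
          const check = checks.get(activity);
          // fail closed: no user or no registered check means no access
          if (!user || !check) return deny();
          check(user, req.params || {}, (checkErr, allowed) => {
            if (checkErr) return next(checkErr);
            // only a strict boolean true grants access
            return allowed === true ? next() : deny();
          });
        });
      };
    },
  };
}

// Constructed sample data: a single document owned by "alice".
const docs = new Map([["42", { ownerId: "alice" }]]);
const authz = createAuthz(
  (req, cb) => cb(null, req.user),
  (req, res) => { res.statusCode = 403; }
);
// Permission may come from data (ownership) or from a role;
// the route itself only ever names the activity.
authz.can("view thing", (identity, params, cb) => {
  const doc = docs.get(params.id);
  const roles = identity.roles || [];
  cb(null, !!doc && (doc.ownerId === identity.id || roles.includes("auditor")));
});

// Run one fake request through the middleware and report the outcome.
function simulate(activity, user, params) {
  const res = { statusCode: 200 };
  let outcome = "denied";
  authz.authorized(activity)({ user, params }, res, (err) => {
    outcome = err ? "error" : "allowed";
  });
  return outcome;
}
```

An activity that was never registered is denied rather than allowed, so a typo in a route's activity name locks the route instead of opening it.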

Be sure to read the full documentation, linked above, for the complete set of options and methods that can be called to configure and use MustBe.

Legal Junk

MustBe is Copyright 2014 Muted Solutions, LLC. All Rights Reserved.

Distributed under MIT License.
