
predix-acs-client

Node module to check authorization for a user to perform an action against Predix ACS policies. Primarily used when protecting REST endpoints with UAA JWT tokens.

NOTE that the client credentials you use to query ACS must have the appropriate permissions to do so. As this is a UAA client, these should be added as authorities, not scopes. The minimum is `acs.policies.read` and `predix-acs.zones.your-acs-zone-id.user`.

Usage

Install via npm

npm install --save predix-acs-client

Basic usage with a known user and ACS endpoint

// Connection details for the UAA token endpoint and the ACS instance.
// The values below are placeholders; substitute your own service URIs,
// client credentials and zone id.
const config = {
    uaa: {
        uri: 'https://your-uaa-service.predix.io/oauth/token',
        clientId: 'your-uaa-client',
        clientSecret: 'your-uaa-secret'
    },
    acsUri: 'https://predix-acs.example.predix.io',
    zoneId: 'your-acs-zone-id'
};
const acs = require('predix-acs-client')(config);

// Ask ACS whether 'my-user' may perform the 'GET' action on the 'example'
// resource. The promise resolves when the check passes; it rejects both when
// the subject is not authorized and when the check could not be carried out.
const request = { method: 'GET', path: 'example' };
acs.isAuthorized(request, 'my-user')
    .then(() => {
        console.log('Permission Granted');
    })
    .catch((err) => {
        console.log('No access for you', err);
    });

As an expressjs middleware

'use strict';
const express = require('express');
const app = express();

// Configure the ACS client. The values below are placeholders; substitute
// your own UAA token endpoint, client credentials, ACS URI and zone id.
const options = {
    uaa: {
        uri: 'https://your-uaa-service.predix.io/oauth/token',
        clientId: 'your-uaa-client',
        clientSecret: 'your-uaa-secret'
    },
    acsUri: 'https://predix-acs.example.predix.io',
    zoneId: 'your-acs-zone-id'
};
const acs = require('predix-acs-client')(options);

// Public route, registered before the authorization gate so it is reachable
// without an ACS check.
app.get('/hello', function helloHandler(req, res) {
    res.send('Howdy, you can read this without authorization!');
});

// To ensure the Authorization header carries a bearer token, use something
// like predix-fast-token https://github.com/PredixDev/predix-fast-token
//
// Authorization gate for every route registered after it. This assumes the
// user's token has already been validated; the subject would normally be
// taken from that token rather than hard-coded as it is here.
app.all('*', async function authorize(req, res, next) {
    const username = 'demo';

    // Passing the request object straight through makes the client use:
    //   req.method as the ACS action
    //   req.path   as the ACS resourceIdentifier
    //   username   as the ACS subjectIdentifier
    // To check a resource name other than the path, pass a plain
    // { method, path } object instead - see the basic example above.
    try {
        await acs.isAuthorized(req, username);
        console.log('Access is permitted');
        next();
    } catch (err) {
        // Denied, or the check itself failed: either way the request stops here.
        console.log('Nope', err, err.stack);
        res.status(403).send('Unauthorized');
    }
});

app.get('/secure', function secureHandler(req, res) {
    res.send('Hello, my authorized chum!');
});

// Let Cloud Foundry pick the port when deployed there; 9001 otherwise.
const port = process.env.PORT || 9001;
app.listen(port);
console.log(`Started on port ${port}`);

Working together with predix-fast-token as an expressjs middleware

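'use strict';
const express = require('express');
const bearerToken = require('express-bearer-token');
const predixFastToken = require('predix-fast-token');
const app = express();

// Configure the ACS client. The values below are placeholders; substitute
// your own UAA token endpoint, client credentials, ACS URI and zone id.
// In a real deployment read clientSecret from the environment or a secret
// store rather than committing it alongside the code.
const options = {
    uaa: {
        uri: 'https://your-uaa-service.predix.io/oauth/token',
        clientId: 'your-uaa-client',
        clientSecret: 'your-uaa-secret'
    },
    acsUri: 'https://predix-acs.example.predix.io',
    zoneId: 'your-acs-zone-id'
};
const acs = require('predix-acs-client')(options);

// Token issuers this app trusts; handed to predixFastToken.verify together
// with the presented token. (The second entry previously repeated
// '/oauth/token' twice, which would never match a real issuer.)
const trustedIssuers = [
    'https://abc.predix-uaa.example.predix.io/oauth/token',
    'https://xyz.predix-uaa.example.predix.io/oauth/token'
];

// Public route, registered before the gate so it needs no token.
app.get('/hello', (req, res) => {
    res.send('Howdy my unsecured friend!');
});

// Gate for every route registered after it: bearerToken() extracts the token
// into req.token, predix-fast-token verifies it, and ACS decides whether the
// verified subject may perform req.method on req.path.
app.all('*', bearerToken(), async (req, res, next) => {
    // Do NOT log req.headers here: the Authorization header carries the
    // bearer token, and writing it to the log leaks a live credential.
    if (!req.token) {
        console.log('Nope, no token');
        res.set('WWW-Authenticate', 'Bearer');
        res.status(401).send('Authentication Required');
        return;
    }

    // Authentication: the token must verify against a trusted issuer.
    // A token that fails verification is an authentication failure (401),
    // not an authorization failure (403), so it is answered like "no token".
    let decoded;
    try {
        decoded = await predixFastToken.verify(req.token, trustedIssuers);
    } catch (err) {
        console.log('Nope', err);
        res.set('WWW-Authenticate', 'Bearer');
        res.status(401).send('Authentication Required');
        return;
    }

    // Authorization: ACS is asked whether the subject named in the verified
    // token may perform req.method on req.path. Denial and a failed check
    // are treated the same way.
    try {
        await acs.isAuthorized(req, decoded.user_name);
    } catch (err) {
        console.log('Nope', err);
        res.status(403).send('Unauthorized');
        return;
    }

    console.log('Access is permitted');
    // Expose the verified claims to downstream handlers.
    req.decoded = decoded;
    next();
});

app.get('/secure', (req, res) => {
    res.send(`Hello ${req.decoded.user_name}, my authenticated chum!`);
});

// Let Cloud Foundry pick the port when deployed there; 9001 otherwise.
const port = process.env.PORT || 9001;
app.listen(port);
console.log(`Started on port ${port}`);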
