Authorization in Node.js Applications on Bluemix


Dealing with authorization for your applications is simple thanks to the acl module. Read on to learn more.


As with authentication, there are various ways to handle authorization in Node.js applications on Bluemix. Below is an example of how to use the Node module acl. With this module, you can use roles for authorization, both at the application level and even at the level of individual documents.

You can download the source code from GitHub and try the demo yourself. Follow the steps in the README and check out the screenshots.

In the sample, two users log in against the Bluemix Single Sign On service. One user gets the role 'admin', while the second user gets the role 'user'. In the Mongo database, person documents and ACLs are stored. Every authenticated user can read all person documents. Administrators even get write access to all person documents. Users, however, can only edit their own person documents.

Here is a simplified version of the code that assigns a role to a user and grants the author editor access to the person document he or she creates.

app.get('/admin/adduser', authenticationUtils.ensureAuthenticated, function (req, res) {
  var personJson = req.user['_json'];
  var userDirectoryId = req.user['id'];
  var newDocumentId = mongodbUtils.getObjectId();
  // The call that stores the person document is cut off in the original excerpt; only its job-title argument and callback remain. 'mongodbUtils.addPerson' is a placeholder name.
  mongodbUtils.addPerson(newDocumentId, personJson, userDirectoryId, "Developer Advocate",
    function(err, result) {
      if (err) { res.writeHead(500); return res.end('Error: ' + err); }
      // one editor role per document: its owner (and every admin) may update it
      var documentEditorRole = 'editor-' + newDocumentId;
      acl.addUserRoles(req.user['id'], ['user', documentEditorRole], function(err) {
        if (err) { res.writeHead(500); return res.end('Error: ' + err); }
        acl.allow(['admin', documentEditorRole], newDocumentId, 'update', function(err) {
          if (err) { res.writeHead(500); return res.end('Error: ' + err); }
          res.write('Success: User ' + req.user['id'] + ' added as user');
          res.end();
        });
      });
    });
});

Check out the counterpart, where the access rights are checked on the server before a user is allowed to update a person document.

In order to make building user interfaces easier without having to duplicate the authorization code, the REST API that returns specific person documents/objects also returns authorization information for the currently logged in user. This allows clients, for example, to display an 'edit' button only if the user is actually allowed to invoke this operation.

var canUpdate = false;
acl.isAllowed(req.user['id'], documentId, 'update', function (err, response) {
  if (err) { res.writeHead(500); return res.end('Error: ' + err); }
  if (response) {
    canUpdate = true;
  }
  // reads are allowed for every authenticated user; deletes are never offered in the sample
  var access = { canRead: true,
                 canUpdate: canUpdate,
                 canDelete: false };
  var output = { person: document, access: access };
  res.writeHead(200, {'Content-Type': 'application/json'});
  res.end(JSON.stringify(output));
});
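The two snippets above (the editor role granted when a person document is created, and the access descriptor returned next to a document) can be exercised end to end with the following added example. It is not code from the article or from the acl module: it re-implements the three acl calls the article relies on (addUserRoles, allow, isAllowed) as a small synchronous in-memory store so the policy runs without Mongo or Bluemix. The user ids, document ids and the 403 response of the update guard are assumptions of this example.

```javascript
// Added example, not code from the article or the acl module. SimpleAcl mirrors the
// three acl calls used in the article (addUserRoles, allow, isAllowed) with an
// in-memory, synchronous store so the policy can be exercised without Mongo/Bluemix.
class SimpleAcl {
  constructor() {
    this.userRoles = new Map(); // userId -> Set of role names
    this.grants = new Map();    // role -> Map(resource -> Set of permissions)
  }

  addUserRoles(userId, roles) {
    const set = this.userRoles.get(userId) || new Set();
    for (const role of roles) set.add(role);
    this.userRoles.set(userId, set);
  }

  allow(roles, resources, permissions) {
    const list = (x) => (Array.isArray(x) ? x : [x]);
    for (const role of list(roles)) {
      const byResource = this.grants.get(role) || new Map();
      for (const resource of list(resources)) {
        const perms = byResource.get(resource) || new Set();
        for (const p of list(permissions)) perms.add(p);
        byResource.set(resource, perms);
      }
      this.grants.set(role, byResource);
    }
  }

  // Default deny: no roles, or no role holding a grant on this exact resource, means false.
  isAllowed(userId, resource, permission) {
    const roles = this.userRoles.get(userId) || new Set();
    for (const role of roles) {
      const perms = (this.grants.get(role) || new Map()).get(resource);
      if (perms && perms.has(permission)) return true;
    }
    return false;
  }
}

// Same policy as the article's /admin/adduser handler: every person document gets its
// own editor role, held only by the document's owner, and 'admin' may update it too.
function createPersonDocument(acl, ownerId, documentId) {
  const documentEditorRole = 'editor-' + documentId;
  acl.addUserRoles(ownerId, ['user', documentEditorRole]);
  acl.allow(['admin', documentEditorRole], documentId, 'update');
  return documentEditorRole;
}

// The access descriptor the REST API returns next to a person document, so a client
// can show an 'edit' button only when the server would actually accept the update.
function accessFor(acl, userId, documentId) {
  return {
    canRead: true,                                          // every authenticated user
    canUpdate: acl.isAllowed(userId, documentId, 'update'), // owner or admin only
    canDelete: false,                                       // never offered in the sample
  };
}

// Server-side guard for the update route. The client-side flag above is a convenience;
// this check is what enforces the policy. (The 403 status is an assumption of this example.)
function authorizeUpdate(acl, userId, documentId) {
  if (!acl.isAllowed(userId, documentId, 'update')) {
    return { status: 403, body: 'Forbidden: no update right on ' + documentId };
  }
  return { status: 200, body: 'OK' };
}

// Constructed demo data: 'alice' is an admin, 'bob' a regular user, each owning one document.
function demo() {
  const acl = new SimpleAcl();
  acl.addUserRoles('alice', ['admin']);
  createPersonDocument(acl, 'alice', 'doc-alice');
  createPersonDocument(acl, 'bob', 'doc-bob');
  return {
    bobOwnDoc: authorizeUpdate(acl, 'bob', 'doc-bob').status,       // 200: own editor role
    bobOtherDoc: authorizeUpdate(acl, 'bob', 'doc-alice').status,   // 403: not editor, not admin
    adminOtherDoc: authorizeUpdate(acl, 'alice', 'doc-bob').status, // 200: admin role
    unknownUser: authorizeUpdate(acl, 'mallory', 'doc-bob').status, // 403: no roles at all
    bobAccessOwn: accessFor(acl, 'bob', 'doc-bob'),
    bobAccessOther: accessFor(acl, 'bob', 'doc-alice'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of pairing accessFor with authorizeUpdate is that the descriptor sent to the browser only drives the user interface; a request that bypasses the interface still hits the same isAllowed check on the server, so the two cannot drift apart as long as both read the same ACL store.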

This screenshot shows a REST call invoked by a user who updates his/her own person document. The operation is allowed because the user is authenticated and holds the appropriate role at the document level.


Published at DZone with permission of Niklas Heidloff, DZone MVB. See the original article here.
