Reputation: 5126
I've just started to learn the basics of how to develop a server-side using node.js and express. I'm familiar with authenticating users using passport and local/OAuth strategies.
What I'm struggling with is how to authorize authenticated users to perform "mini-features". By mini-features, I mean extra features that are embedded within a page that is available to all users, but those features should only be available to particular users. For example: a comments page that should be available to all, but commenting can only be done by certain users, or deleting a comment can only be done by its owner or an administrator.
What I've learned is to use some authentication function as middleware that will block/accept access to the page/request accordingly, but what I really want to do is somehow query the currently logged-in user from Angular, and only show/hide certain buttons (for deleting a comment or posting one) accordingly.
This seems to be somewhat of a nooby question, but I'd appreciate any help with that.
Upvotes: 0
Views: 144
Reputation: 616
There are several techniques you need to employ here surrounding the locking down of the client and server based on roles. So each logged in user may have a number of roles assigned to them such as:
All your server side endpoints should be role annotated so that only a user with the correct permissions can access them.
Hey but I was asking about the client what about that?
Well, on the client you have to replicate that, so as part of the Angular SPA you will also have some sort of Auth or User service which you can query to find out a) whether a user is logged in and b) what roles they have permissions to. Using that information and appropriate routing and ng-if and ng-show attributes, you can prevent the user from doing and/or seeing things in the client application.
Shameless Plug Coming Up
For client-side route role-based permissions I have a GitHub open source project which does something similar: MEANP-SEED (thinkjones GitHub link). In this I lock down the routes (client side), but it could easily be extended to create a service which returns role information to use in altering the look and feel of your app based on permissions.
tl;dr
Make sure your server side is locked down, then alter your client app to simply hide / show / prevent routes based on role.
Upvotes: 2
Reputation: 158
You can write a middleware to check if req.session.XXX exists; if it does, it means that the user is still authenticated,
something along the lines of:
function requireLogIn(req, res, next) {
  // req.session is populated by the session middleware; user is set at login
  if (req.session.user) {
    return next();
  }
  res.redirect('/loginPage');
}
app.get('/dashboard', requireLogIn, function(req, res) { /* do something */ });
This will always check if req.session.user exists,
so in loginPage you can do:
app.get('/loginPage', function(req, res) {
  User.findOne(param, function(err, response) {
    if (err) throw err;
    // store the user on req.session (not res.session) so requireLogIn can see it
    req.session.user = response.user;
    res.redirect('/dashboard'); // send a response so the request does not hang
  });
});
For example, if you want only users with username == admin to use the admin dashboard, you can do:
function requireAdmin(req, res, next) {
  // req.session.user is the user object saved at login, so compare its username
  if (req.session.user && req.session.user.username === 'admin') {
    return next();
  }
  res.status(403).send('you need to be admin to do this');
}
app.get('/adminDashboard', requireAdmin, function(req, res) { /* do something */ });
Upvotes: 1
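Putting the two answers together for the question's comment example, here is an added example (not code from either answer or from MEANP-SEED): one set of permission functions that the Express middleware enforces on the server and that a hypothetical /api/me and /api/comments response exposes to the Angular client for ng-if. It assumes express-session sets req.session.user to { id, username, roles: [] } at login; the comments are constructed sample data.

```javascript
// Constructed sample data (not from the question): comments keyed by id.
const comments = new Map([
  [1, { id: 1, ownerId: 'u1', body: 'first' }],
  [2, { id: 2, ownerId: 'u2', body: 'second' }],
]);
function hasRole(user, role) {
  return Boolean(user && Array.isArray(user.roles) && user.roles.includes(role));
}

// The "mini-feature" rules in one place: the server enforces them, and the
// same functions produce the flags the Angular client uses for ng-if / ng-show.
function canComment(user) {
  return hasRole(user, 'commenter') || hasRole(user, 'admin');
}
function canDeleteComment(user, comment) {
  if (!user || !comment) return false;
  return comment.ownerId === user.id || hasRole(user, 'admin');
}

// Middleware for XHR routes: answer with a status code instead of a redirect.
// Assumes express-session has populated req.session.user at login.
function requireLogin(req, res, next) {
  if (!req.session || !req.session.user) {
    return res.status(401).json({ error: 'login required' });
  }
  next();
}
function requireCanDeleteComment(req, res, next) {
  const comment = comments.get(Number(req.params.id));
  if (!comment) return res.status(404).json({ error: 'not found' });
  if (!canDeleteComment(req.session.user, comment)) {
    return res.status(403).json({ error: 'forbidden' });
  }
  req.comment = comment; // the downstream handler deletes req.comment
  next();
}

// GET /api/me (hypothetical route): page-level flags for the client.
function meHandler(req, res) {
  const user = req.session && req.session.user;
  res.json({ loggedIn: Boolean(user), canComment: canComment(user) });
}
// GET /api/comments: per-item flag so the template can do ng-if="c.canDelete".
// The flag is a UI hint only; the DELETE route still runs the middleware above.
function listCommentsHandler(req, res) {
  const user = req.session && req.session.user;
  res.json([...comments.values()].map(c => ({ ...c, canDelete: canDeleteComment(user, c) })));
}
// Wiring with express: app.get('/api/me', meHandler);
// app.delete('/api/comments/:id', requireLogin, requireCanDeleteComment, (req, res) => { ... });
```

Hiding the button only keeps honest users out of the way; the 403 from requireCanDeleteComment is what actually stops a crafted request.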