-
-
Notifications
You must be signed in to change notification settings - Fork 34
Add System for Authorization Checks #32
Comments
I like the implementation above but I feel like authentication and authorization shouldn't be part of the same package. This should be separate. |
This actually was a part of the first version of this package, we just didn't have time to port it over during Vapor 3's release. See: https://github.com/vapor/auth/tree/1.2.1/Sources/Authorization Hopefully I'll have time for Vapor 4's release to work on it. I think the "policy" idea here is interesting. I also like how Laravel does it: https://laravel.com/docs/5.8/authorization. |
Oh, interesting. I might be able to help with it. I'll have need of something like that in my app in a couple of weeks. |
Cool, that would be greatly appreciated. For this large of a change, I'd recommend doing a pitch first to really flesh out the idea and get feedback before code is written. You can see a couple examples of that here: https://forums.swift.org/tags/c/related-projects/vapor/pitch |
Hi @tanner0101 I started a generic package for RBAC. It's currently stalled as it can't compile with Swift 5 due to a regression I logged with the Swift team. It's based off the NIST model. I've used it with Yii and it allowed me really granular control over routes and to apply custom rule files to those routes. I was hoping to get it finished before Vapor 4. But depends on when this bug is fixed. |
I've posted a pitch on the forum here with some ideas: https://forums.swift.org/t/pitch-vapor-4-authorization-system/22980 |
I've been wanting to add some permissions around my routes and I thought I'd write my thoughts down as as suggestions or ideas for future development. I'm new to Vapor and backend development, so please take this with a grain of salt.
Roles/Permissions
First, I thought it would be great to be able to add some ability to define permissions levels or roles in conjunction with the
User
model. It seems like the most flexible system would allow the author to define these levels on their own (These could be defined as either one-to-one or one-to-many). Alternatively, Vapor could provide preset permissions levels, but that seems like possible overkill. Presumably this could be built as a Protocol any model could conform to, but concrete implementations could be provided as well.Authorizable
Could be designed likeTimestampable
:Rules/Authorization
Now, to add
Authorization
the routes you could add an extra function to the route chain like.authorize(using: .FooPolicy)
. This could be done with a closure or function that accepts arguments that could be used to define a true/false or pass/fail test. Laravel does something similar with their Authorization system.If you start with a collection of routes like this:
With
Authorization
the route group could end up looking like the following:Or:
Ideally, you could add this authorization component at both the individual route or route group level.
The authorization function could look something like this:
Or:
In the event that the
Authorization
process fails, I'd be great if Vapor sent the appropriate HTTP error code (I think this would be a 403, but I could be wrong).The text was updated successfully, but these errors were encountered: