What is the best practice for creating a route that can be accessed by 2 roles NodeJs

Regarding best practice in creating routes in Node.Js Express.Js. For example, if I have 4 roles, namely headmaster, student and teacher, then I have a route called /sliders, and in the application these sliders can be seen by teacher, student, and administrator only.

When creating routes and middleware for checking roles, what are the best practices?

I. Should I create 1 endpoint and 1 middleware that can be accessed by student and teacher only?

For example:

v1.get('/sliders', isUserOrTeacher, controller.findAll)

and my middleware code:

// Assumed module paths (the question does not show them): Mongoose models and the helpers used below.
const User = require('../models/user')
const Role = require('../models/role')
const logger = require('../logger')
const { sendUnauthorized } = require('../utils/responses')

const isUserOrTeacher = (req, res, next) => {
  // req.payload.aud is the subject set by the JWT-verification middleware that runs before this one
  User.findById(req.payload.aud).exec((err, user) => {
    if (err) {
      // Log the driver error, but do not echo it to the client
      logger.error(err)
      res.status(500).send({ message: 'Internal server error' })
      return
    }

    // The token subject may no longer exist; treat that as unauthenticated instead of crashing on user.roles
    if (!user) {
      return sendUnauthorized(res)
    }

    Role.find(
      {
        _id: { $in: user.roles }
      },
      (err, roles) => {
        if (err) {
          logger.error(err)
          res.status(500).send({ message: 'Internal server error' })
          return
        }

        // Allow the request if the user holds at least one of the permitted roles
        for (let i = 0; i < roles.length; i++) {
          if (roles[i].name === 'student' || roles[i].name === 'teacher' || roles[i].name === 'admin') {
            next()
            return
          }
        }

        logger.error(req.method, req.originalUrl, '. Error isUserOrTeacher: ' + JSON.stringify(req.payload))
        return sendUnauthorized(res)
      }
    )
  })
}

II. Or should I make 2 different endpoints and 2 middlewares?

For example:

v1.get('/user/sliders', isUser, controller.findAll)
v1.get('/teacher/sliders', isTeacher, controller.findAll)

III. Or can I make a route like this? And how would the middleware be coded?

v1.get('/sliders', isUser, isTeacher, isAdmin, controller.findAll)

Which one is the best practice?

There are three concerns that you should separate and not mix up:

  • which resource is accessed (the route)
  • which user is accessing the resource (authentication)
  • which role does the user need to access the resource (authorisation)

Consequently, you'd use different middlewares for this:

v1.get('/sliders', isAuthenticated, hasRole(['teacher', 'admin']), controller.findAll)

The isAuthenticated middleware would load the user object from the database or session store and store it on the request object (or throw if the client is not logged in). The middleware created by hasRole would then check whether the user object has one of the given roles, or throw a "missing permission" error. The controller would finally load and return the resource.
You can also make the role check part of the data provider (eg a database service) that the controller uses, so that it is done consistently for all accesses, no matter from where.

I would write a middleware named canGet<Controller name>, and the code in it would be:

 const canGetSliders = (req, res, next) => {
   // userRole is assumed to have been attached to req.user by an earlier authentication middleware
   const userRole = req.user.role;
   switch (userRole) {
     case 'teacher':
       next();
       break;
     case 'user':
       next();
       break;
     default:
       res.status(403).end();
   }
 };

And then you can add any role to it without changing the name of the function in your route.

I agree with option No. 1. I have one project which has to handle 7 roles. It has been running for 2 months now. I declare the roles as below:

  const express = require("express");
  const router = express.Router();
  const role = require("../authentication/authRole");
  const auth = require("../authentication/authentication");
  const controller = require("../controllers/sliders"); // assumed path, not shown in the answer

  router.get('/sliders', auth.isAuthenticated, role.isUserOrTeacher("admin", "teacher", "student"), controller.findAll)

  // You can add more routes and define which role is allowed to access

  module.exports = router;

authRole.js

  const isUserOrTeacher = (roleOne, roleTwo, roleThree) => {
    return (req, res, next) => {
      // codes
      // roles is assumed to be the array of Role documents attached to req.user by auth.isAuthenticated
      const roles = req.user.roles;
      for (let i = 0; i < roles.length; i++) {
        if (roles[i].name === roleOne || roles[i].name === roleTwo || roles[i].name === roleThree) {
          // codes
          return next();
        }
      }
      // codes
      return res.status(403).send({ message: 'Forbidden' }); // assumed: no allowed role found
    }
  }

  module.exports = { isUserOrTeacher };

粤ICP备18138465号  © 2020-2024 STACKOOM.COM