Documentation
Tutorials
Changelog Contribution Guide Environment Setup Localization and Translation in the Open Innovation lab Technical guide for API developers CI Workflow Deployment Guide Reviewing pull requests Secret Access/Management

Tutorial

Role based access control flow

Role-based access control (RBAC) is an approach used to restrict access to resources based on the roles of individual users within an organization. This technique is used to enforce security policies and ensure that users only have access to the resources that they are authorized to use.

In this tutorial, we will be discussing how to implement RBAC using a middleware function in an Express.js application.

The middleware file for the RBAC permission handler is shown below:


module.exports = function (roles) {
    return asyncWrapper(async (req, res, next) => {
        const allowed_roles = roles.split(" ");

        if (!allowed_roles.includes(req.user.role)) {
            throw new ForbiddenError("Unauthorized access");
        }

        next();
    });
};

This middleware function takes a string of allowed roles as an input and returns another function that checks if the current user has the required role to access the protected route.

The asyncWrapper function is a utility function that wraps asynchronous functions and catches errors thrown by them, so we don't have to add a try-catch block for each middleware function.

The ForbiddenError is an error type defined in the errors.js file which will be thrown if the user does not have the required role.

To use the RBAC middleware in a route, we need to require it and call it with the allowed roles string:


const permit = require('../middlewares/permission_handler');

router.get('/protected_route', permit('admin superadmin'), (req, res) => {
    // Only users with the 'admin' or 'superadmin' roles can access this route
    res.json({ message: 'This route is protected' });
});

In the above example, only users with the roles 'admin' or 'superadmin' can access the /protected_route.

We use the permit() function to create a middleware function that only allows access to users with the specified roles.

In this example, we used the basicAuth() middleware to authenticate the user before checking the user's role with the permit() middleware.

In conclusion, RBAC is an effective way to manage permissions and access control in an application. By using a middleware function like the one discussed in this tutorial, we can easily implement RBAC in our Express.js applications.