DEV Community: Alex Olivier The latest articles on DEV Community by Alex Olivier (@alexolivier). https://dev.to/alexolivier https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F253815%2F13c784e7-5692-4542-823c-f90140e3ff93.jpeg DEV Community: Alex Olivier https://dev.to/alexolivier en The Case Against Token-Based Authorization Alex Olivier Mon, 31 Jan 2022 10:09:57 +0000 https://dev.to/alexolivier/the-case-against-token-based-authorization-1i7o https://dev.to/alexolivier/the-case-against-token-based-authorization-1i7o <p>Have you ever scaled out a web application or an API? If so, you’ll have noticed your out-of-the-box web framework stores its user session in memory. You may have utilized sticky sessions in response, or stored your sessions in a shared database—but these solutions aren’t without problems. For example, in a shared database, you’d need to make an extra request to the database for every HTTP request.</p> <p>To account for such flaws, using a form of stateless authentication allows for better application scalability, as well as more efficient authentication of HTTP requests. Token-based authentication is perhaps the most common stateless authentication strategy, and JSON Web Tokens (JWTs) are today’s token of choice.</p> <p>While using JWTs for authentication is extremely common, some application developers are building authorization and permissions directly into their web tokens, risking serious security implications as a result. Baking authorization directly into JWTs also comes with several limitations that should be avoided.</p> <p>Data inside of JWTs are generally not encrypted, leaving them human-readable. While this lack of encryption is by design, it comes with some serious concerns around storing private, sensitive, and authorization-based information in JWTs. This is especially true when your organization is under certain regulatory compliance like HIPAA or SOC 2.</p> <p>In this article, you’ll learn why application developers should avoid using JWTs for authorization.</p> <h2> <strong>Defining JWTs</strong> </h2> <p>JWTs are like a key. A web application gives a client a token, which the client then uses to access protected resources. JWTs are composed of three parts: a header, a payload, and a signature.</p> <p>The header contains meta-information about the JWT.</p> <p>The payload contains the information used to identify the owner of the token: user ID, email address, etc. These are called claims. A <a href="https://datatracker.ietf.org/doc/html/rfc7519#page-9">standard set of claims</a> exists to ensure collisions of claim names are avoided. That being said, JWT payloads can hold custom claims. Essentially, this means they can hold whatever information you may need.</p> <p>The signature is what makes a JWT secure: it’s a way to verify if a token was created from the same issuer, and ensure it hasn't been tampered with.</p> <p>JWTs are usually not encrypted. The information within the header and payload is encoded (not encrypted), which means it can be decoded. The key to keeping JWTs secure is ensuring the header and payload are hashed using a secret, which is similar to hashing a password. The resulting hash is the signature that’s part of the JWT.</p> <p>Any party with access to a secret can use it to hash the header and payload values it receives and verify that the signature matches. If the hash and token signature don’t match, it means the JWT header and/or payload were tampered with.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6J8s8y2---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/y5tnpwq01k3hlj3ddirq.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6J8s8y2---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/y5tnpwq01k3hlj3ddirq.png" alt="JWT" width="781" height="536"></a></p> <h2> <strong>Token-Based Authentication</strong> </h2> <p>Token-based authentication is when you use a JWT (or other token technology) to verify the identity of a client.</p> <p>One of the most common benefits of using a JWT for authentication is not having to fetch user data from a database; you already have the essential user information embedded directly in the token. Whenever an API receives an HTTP request with a valid JWT, it extracts the user’s information and uses it as needed.</p> <p>This is why we call JWTs stateless: the API’s server doesn’t need to keep track of a user’s session state.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--giojgFP5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/a18te7emhb47g87ho3rs.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--giojgFP5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/a18te7emhb47g87ho3rs.png" alt="Request Path" width="880" height="410"></a></p> <h2> <strong>Token-Based Authorization</strong> </h2> <p>Similar to using JWTs for stateless authentication, JWTs can also be used to store authorization-based information like user permissions and roles.</p> <p>Storing a user’s role in a JWT means you won’t need to query a database to know whether a particular JWT is permitted to access certain resources. Based on this, JWTs can provide performance and scalability gains when it comes to authorization.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jWtaajv3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4z35cuezekgnxiwxwj6f.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jWtaajv3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4z35cuezekgnxiwxwj6f.png" alt="Token" width="880" height="521"></a></p> <p>As a software engineer, you often have to make trade-offs between security and performance. For example, modern password hashing techniques often sacrifice speed for added security. These techniques utilize high hashing iterations, avoiding timing attacks by using a <a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#compare-password-hashes-using-safe-functions">constant equality operation to compare hashes</a>.</p> <p>While storing authorization information in JWTs offers significant performance benefits, serious concerns emerge as a result. Let’s break down some of the most pressing:</p> <h3> <strong>JWT Payload Is Visible</strong> </h3> <p>With JWTs, all payload data is visible to the parties who have token access; to reiterate—they aren’t encrypted, but encoded. Authorization information may be considered sensitive information for a particular system, especially when your software systems are under compliance and governance restrictions.</p> <p>For example, personally identifiable information such as a person’s name, email address, or phone number are all considered protected health information under <a href="https://www.luc.edu/its/aboutits/itspoliciesguidelines/hipaainformation/18hipaaidentifiers/">HIPAA</a>. If you’re storing this kind of data in JWTs while under HIPAA compliance, you could have a major security and compliance risk on your hands depending on where your JWTs are being used (internal network vs. public client).</p> <p>Note: There are techniques that can help protect user information tokens, like using <a href="https://ldapwiki.com/wiki/Phantom%20Token%20Flow">phantom tokens</a>. However, this makes using JWTs much more involved and complicated.</p> <h3> <strong>Stale Payload</strong> </h3> <p>Imagine a token for a customer named Bob has a payload identifying him as an <code>admin</code>. It’s discovered that Bob is a bad actor (a spy or an upset employee). As a result, you disable Bob from inside your web application. Except… the JWT that Bob is using from his mobile application hasn’t expired yet.</p> <p>Bob can keep issuing requests until the JWT expires. Since authorization is baked into the token, you aren’t querying the database to get the most up-to-date information about Bob’s role or permissions. Bob can continue to do damage to your system—even though he’s supposed to be disabled.</p> <p>There are two common ways to avoid this scenario:</p> <ol> <li>Make tokens extremely short-lived (e.g. every five minutes).</li> <li>Store all tokens in a database, and allow your web application to revoke them.</li> </ol> <p>But these “solutions” come with their own issues.</p> <p>Short-lived tokens don’t necessarily solve your problem. It wouldn’t take long for a disgruntled and disabled administrator to harm a system—even less than five minutes. This can also cause user experience issues for clients; they would have to refresh their access token more often, or sign-in to the service again. Negatively impacting user experience is something you should always try to avoid.</p> <p>Storing valid tokens in a database so they can be revoked destroys the main reason for using JWTs in the first place—to avoid unnecessary trips to your database.</p> <p>One of the best ways to mitigate this is to store user roles and permissions in a dedicated access control tool like <a href="https://cerbos.dev/">Cerbos</a>. You could also store user permission information in an efficient storage system like <a href="https://redis.io/">Redis</a>.</p> <h3> <strong>Bloated JWTs</strong> </h3> <p>JWTs are much larger than the standard session cookies that a web application would typically use. Once you start adding more data into a JWT’s payload, its size may cause HTTP requests to perform slower.</p> <p>HTTP headers have size limits too, depending on the web server stack being used.</p> <h3> <strong>JWTs Are Complex</strong> </h3> <p>Once you go beyond the basics, implementing JWTs is complicated, increasing the chances of developers making mistakes as a result. For example, even <a href="https://insomniasec.com/blog/auth0-jwt-validation-bypass">Auth0</a>—one of the sponsors of <a href="https://jwt.io/">JWT.io</a>—had a JWT vulnerability with their API back in 2020!</p> <p>Similarly, improperly configuring your JWT by using a third-party library or service could allow someone else to attack your system—something you want to avoid at all costs.</p> <h2> <strong>JWTs Are Not a Cache</strong> </h2> <p>JWTs are not a cache—they shouldn’t be treated as a caching technology. It can be easy to shove as much information about a user and associated resources into your tokens as possible, but that doesn’t mean you should.</p> <p>Again, this data is not hidden to anyone who can see the JWT. All data in the payload is stale, which can affect the performance of HTTP requests.</p> <p>Much like the issue with stale data in JWT payloads, you should use an efficient caching technology to cache data, or a dedicated access control service like <a href="https://cerbos.dev/">Cerbos</a>.</p> <h3> <strong>You’ll Eventually Need to Fetch a User Anyway</strong> </h3> <p>JWTs are supposed to help you avoid making extra database requests to fetch user information. Despite this, it’s routine to query your database to fetch extra user information.</p> <p>Any non-trivial piece of business logic will need to know details about a user: what department they’re part of, special mappings to resources in your system, special business rules that can’t be expressed by a mere data attribute, etc.</p> <p>It doesn’t make sense to bloat your JWTs when you’re going to need to fetch that same information (and more) anyway.</p> <h2> <strong>Conclusion</strong> </h2> <p>JWTs can be a great way to authenticate clients, giving them a way to access protected resources by using a short-lived token as a ”key”. When it comes to making distributed services more scalable and efficient, JWTs shine.</p> <p>However, when it comes to storing authorization details, JWTs come with a number of risks. JWTs come with the added cost of larger HTTP requests, negatively impacting HTTP performance. Depending on your traffic, this could cause a significant increase in the associated usage costs of your cloud services, slower endpoints, and the risk of blowing past HTTP header size limits.</p> <p>In addition to performance issues, JWTs face regulatory compliance difficulties, as well as expiration problems which leave you open to system attacks. Plus, you’ll probably be fetching user information from a cache or database anyway.</p> <p>This is why a dedicated access control service like Cerbos can be a better option. Cerbos’ ultra-fast API is designed to make access control decisions within milliseconds, while providing a simple way to configure them. To learn more, check out <a href="https://cerbos.dev/">Cerbos.dev</a>.</p> authorization accesscontrol jwt authentication Adding Authorization to Your Node.js Application Using Cerbos Alex Olivier Mon, 06 Dec 2021 10:47:26 +0000 https://dev.to/alexolivier/adding-authorization-to-your-nodejs-application-using-cerbos-496d https://dev.to/alexolivier/adding-authorization-to-your-nodejs-application-using-cerbos-496d <p>Authorization is critical to web applications. It grants the correct users access to sections of your web application on the basis of their roles and permissions. In a simple application, adding in-app authorization to your application is relatively straightforward. But with complex applications comes a need to create different roles and permissions, which can become difficult to manage. </p> <p>In this tutorial, you’ll learn how to use <a href="https://cerbos.dev/">Cerbos</a> to add authorization to a Node.js web application, simplifying the authorization process as a result.</p> <h2> Setting Up the Node.js Application </h2> <p>Before we get started with Cerbos, you’ll need to create a new Node.js application (or use an existing one). Let’s set up a blog post Node.js application as our example. </p> <h3> Defining User Permissions </h3> <p>The blog post application will contain two roles: <strong>member</strong> and <strong>moderator</strong>. </p> <p>The member role will have the following permissions:</p> <p>– create a new blog post<br> – update blog posts created by the member<br> – delete blog posts created by the member<br> – view all blog posts created by all members<br> – view a single blog post created by any member</p> <p>The moderator role will have the following permissions:</p> <p>– view all blog posts created by all members<br> – view a single blog post created by any member<br> – disable and enable a malicious post</p> <blockquote> <p>Members and moderators cannot perform any action if they are disabled.</p> </blockquote> <h3> Creating the Application </h3> <h4> Step 1 </h4> <p>Launch your terminal or command-line tool and create a directory for the new application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mkdir blogpost </code></pre> </div> <h4> Step 2 </h4> <p>Move into the blog post directory and run the command below—a <code>package.json</code> file will be created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm init -y </code></pre> </div> <h4> Step 3 </h4> <p>Open the <code>package.json</code> file and paste the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"blogpost"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"index.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nodemon index.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mocha --exit --recursive test/**/*.js"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"keywords"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"author"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"license"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ISC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cerbos"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.0.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"express"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^4.17.1"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"devDependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"chai"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^4.3.4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"chai-http"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^4.3.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mocha"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^9.0.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"nodemon"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^2.0.12"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Two main packages are in the dependencies section of the<code>package.json</code>—Cerbos and Express:</p> <ul> <li>Cerbos is the authorization package responsible for creating roles and permissions.</li> <li>Express is a Node.js framework used to set up and create faster server-side applications. </li> </ul> <p>In the devDependencies, there are four packages: Chai, Chai HTTP, Mocha, and Nodemon. Chai, Chai HTTP, and Mocha are used to run automated test scripts during and after development. Nodemon is used to ensure the application server is restarted whenever a change is made to any file during development.</p> <h4> Step 4 </h4> <p>Run <code>npm install</code> to install the packages in the <code>package.json</code>.</p> <h4> Step 5 </h4> <p>Create the following files:</p> <p>– <code>index.js</code>, which contains the base configuration of the demo application.<br> – <code>routes.js</code>, which contains all the routes needed in the demo application.<br> – <code>db.js</code>, which exports the demo database. For the sake of this demo, you will be using an array to store the data—you can use any database system you desire.<br> – <code>authorization.js</code>, which contains the Cerbos authorization logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> touch index.js routes.js db.js authorization.js </code></pre> </div> <p>Then, paste the following codes in the respective files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">//index.js</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./routes</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nx">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nx">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nx">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/posts</span><span class="dl">"</span><span class="p">,</span> <span class="nx">router</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">((</span><span class="nx">error</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nx">json</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">stack</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nx">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">App listening on port 3000!</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">//routes.js</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nx">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./db</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authorization</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./authorization</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">checkPostExistAndGet</span> <span class="o">=</span> <span class="p">(</span><span class="nx">id</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">getPost</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span><span class="p">.</span><span class="nx">find</span><span class="p">((</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nb">Number</span><span class="p">(</span><span class="nx">id</span><span class="p">));</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">getPost</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Post doesn't exist</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nx">getPost</span><span class="p">;</span> <span class="p">};</span> <span class="nx">router</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">content</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">;</span> <span class="k">await</span> <span class="nx">authorization</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">create</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newData</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nx">floor</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nx">random</span><span class="p">()</span> <span class="o">*</span> <span class="mi">999999</span> <span class="o">+</span> <span class="mi">1</span><span class="p">),</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">content</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nb">Number</span><span class="p">(</span><span class="nx">userId</span><span class="p">),</span> <span class="na">flagged</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">};</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">newData</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nx">json</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="mi">201</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">newData</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Post created successfully</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">getPosts</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span><span class="p">.</span><span class="nx">filter</span><span class="p">((</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">flagged</span> <span class="o">===</span> <span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">;</span> <span class="k">await</span> <span class="nx">authorization</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">view:all</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">getPosts</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">All posts fetched successfully</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/:id</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">getPost</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span><span class="p">.</span><span class="nx">find</span><span class="p">(</span> <span class="p">(</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">flagged</span> <span class="o">===</span> <span class="kc">false</span> <span class="o">&amp;&amp;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nb">Number</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">;</span> <span class="k">await</span> <span class="nx">authorization</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">view:single</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">getPost</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Post fetched successfully</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nx">patch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/:id</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">content</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">updatedContent</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">content</span> <span class="p">};</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">postId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="nx">checkPostExistAndGet</span><span class="p">(</span><span class="nx">postId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tempUpdatedPosts</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span><span class="p">.</span><span class="nx">map</span><span class="p">((</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">item</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nb">Number</span><span class="p">(</span><span class="nx">postId</span><span class="p">))</span> <span class="p">{</span> <span class="nx">updatedContent</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">item</span><span class="p">,</span> <span class="p">...</span><span class="nx">updatedContent</span><span class="p">,</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">updatedContent</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">item</span><span class="p">;</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">authorization</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">update</span><span class="dl">"</span><span class="p">,</span> <span class="nx">updatedContent</span><span class="p">);</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span> <span class="o">=</span> <span class="nx">tempUpdatedPosts</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">updatedContent</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Post updated successfully</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">"</span><span class="s2">/:id</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">postId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="nx">checkPostExistAndGet</span><span class="p">(</span><span class="nx">postId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">allPosts</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span><span class="p">.</span><span class="nx">filter</span><span class="p">(</span> <span class="p">(</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">flagged</span> <span class="o">===</span> <span class="kc">false</span> <span class="o">&amp;&amp;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span> <span class="o">!==</span> <span class="nb">Number</span><span class="p">(</span><span class="nx">postId</span><span class="p">)</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">authorization</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">delete</span><span class="dl">"</span><span class="p">,</span> <span class="nx">post</span><span class="p">);</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span> <span class="o">=</span> <span class="nx">allPosts</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Post deleted successfully</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/flag/:id</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">flaggedContent</span> <span class="o">=</span> <span class="p">{</span> <span class="na">flagged</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">flag</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">postId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="nx">checkPostExistAndGet</span><span class="p">(</span><span class="nx">postId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tempUpdatedPosts</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span><span class="p">.</span><span class="nx">map</span><span class="p">((</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">item</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nb">Number</span><span class="p">(</span><span class="nx">postId</span><span class="p">))</span> <span class="p">{</span> <span class="nx">flaggedContent</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">item</span><span class="p">,</span> <span class="p">...</span><span class="nx">flaggedContent</span><span class="p">,</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">flaggedContent</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">item</span><span class="p">;</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">authorization</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">flag</span><span class="dl">"</span><span class="p">,</span> <span class="nx">flaggedContent</span><span class="p">);</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span> <span class="o">=</span> <span class="nx">tempUpdatedPosts</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">flaggedContent</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="s2">`Post </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">flag</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">flagged</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">unflagged</span><span class="dl">"</span><span class="p">}</span><span class="s2"> successfully`</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">//db.js</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="p">{</span> <span class="na">users</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">John Doe</span><span class="dl">"</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="na">blocked</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Snow Mountain</span><span class="dl">"</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="na">blocked</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">David Woods</span><span class="dl">"</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="na">blocked</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">4</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Maria Waters</span><span class="dl">"</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">moderator</span><span class="dl">"</span><span class="p">,</span> <span class="na">blocked</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Grace Stones</span><span class="dl">"</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">moderator</span><span class="dl">"</span><span class="p">,</span> <span class="na">blocked</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">posts</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">366283</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Introduction to Cerbos</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">"</span><span class="s2">In this article, you will learn how to integrate Cerbos authorization into an existing application</span><span class="dl">"</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">flagged</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">};</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">db</span><span class="p">;</span> </code></pre> </div> <blockquote> <p>The demo database includes five users, consisting of three members and two moderators. Among the three members, there are two active members and one blocked member. Among the two moderators, one is an active moderator and the other is a blocked moderator. </p> </blockquote> <p>In the meantime, the <code>authorization.js</code> will contain an empty scaffolding to see how the application works, before integrating the Cerbos authorization package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">principalId</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">resourceAtrr</span> <span class="o">=</span> <span class="p">{})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="p">};</span> </code></pre> </div> <h4> Step 6 </h4> <p>The demo application has been successfully set up. It’s now time to see how the application looks before integrating the Cerbos authorization package.</p> <p>Start the server with the command below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm run start </code></pre> </div> <p>You should see the following in your terminal to indicate your application is running on port 3000:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[nodemon] 2.0.12 [nodemon] to restart at any time, enter `rs` [nodemon] watching path(s): *.* [nodemon] watching extensions: js,mjs,json [nodemon] starting `node index.js` App listening on port 3000! </code></pre> </div> <h2> Testing the Application Without Authorization </h2> <p>Now it’s time to test the application. You can use any HTTP client of your choice, such as Postman, Insomnia, or cURL. For this example, we’ll use cURL. </p> <p>Make the following requests—you should find no restrictions. Change the user_ID from 1 through 5, and you should receive a valid response. </p> <h3> Create Post </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">curl</span> <span class="o">--</span><span class="nx">location</span> <span class="o">--</span><span class="nx">request</span> <span class="nx">POST</span> <span class="dl">'</span><span class="s1">http://localhost:3000/posts/</span><span class="dl">'</span> <span class="o">--</span><span class="nx">header</span> <span class="dl">'</span><span class="s1">user_id: 1</span><span class="dl">'</span> <span class="o">--</span><span class="nx">header</span> <span class="dl">'</span><span class="s1">Content-Type: application/json</span><span class="dl">'</span> <span class="o">--</span><span class="nx">data</span><span class="o">-</span><span class="nx">raw</span> <span class="dl">'</span><span class="s1">{ "title": "Introduction to Cerbos", "content": "Welcome to Cerbos authorization package" }</span><span class="dl">'</span> </code></pre> </div> <h3> Update Post </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">curl</span> <span class="o">--</span><span class="nx">request</span> <span class="nx">PATCH</span> <span class="dl">'</span><span class="s1">http://localhost:3000/posts/351886</span><span class="dl">'</span> <span class="o">--</span><span class="nx">header</span> <span class="dl">'</span><span class="s1">user_id: 1</span><span class="dl">'</span> <span class="o">--</span><span class="nx">header</span> <span class="dl">'</span><span class="s1">Content-Type: application/json</span><span class="dl">'</span> <span class="o">--</span><span class="nx">data</span><span class="o">-</span><span class="nx">raw</span> <span class="dl">'</span><span class="s1">{ "title": "Welcome to Cerbos", "content": "10 things you need to know about Cerbos" }</span><span class="dl">'</span> </code></pre> </div> <h3> View All Posts </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">curl</span> <span class="o">--</span><span class="nx">request</span> <span class="nx">GET</span> <span class="dl">'</span><span class="s1">http://localhost:3000/posts/</span><span class="dl">'</span> <span class="o">--</span><span class="nx">header</span> <span class="dl">'</span><span class="s1">user_id: 1</span><span class="dl">'</span> </code></pre> </div> <h3> View Single Post </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">curl</span> <span class="o">--</span><span class="nx">request</span> <span class="nx">GET</span> <span class="dl">'</span><span class="s1">http://localhost:3000/posts/366283</span><span class="dl">'</span> <span class="o">--</span><span class="nx">header</span> <span class="dl">'</span><span class="s1">user_id: 1</span><span class="dl">'</span> </code></pre> </div> <h3> Flag Post </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl --request POST 'http://localhost:3000/posts/flag/366283' --header 'user_id: 5' --header 'Content-Type: application/json' --data-raw '{ "flag": true }' </code></pre> </div> <h3> Delete Post </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">curl</span> <span class="o">--</span><span class="nx">request</span> <span class="nx">DELETE</span> <span class="dl">'</span><span class="s1">http://localhost:3000/posts/366283</span><span class="dl">'</span> <span class="o">--</span><span class="nx">header</span> <span class="dl">'</span><span class="s1">user_id: 1</span><span class="dl">'</span> </code></pre> </div> <h2> Integrating Cerbos Authorization </h2> <p>As things stand, the application is open to authorized and unauthorized actions. Now, it’s time to implement Cerbos to ensure users perform only authorized operations.</p> <p>To get started, a policy folder needs to be created to store Cerbos policies. Cerbos uses these policies to determine which users have access to what resources. In the blog post directory, run the command below to create a directory called Cerbos. This will contain the policy directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mkdir cerbos &amp;&amp; mkdir cerbos/policies </code></pre> </div> <p>Next, switch to the policies folder and create two policy YAML files: <code>derived_roles.yaml</code> and <code>resource_post.yaml</code>.</p> <h3> The <code>derived_roles.yaml</code> File Description </h3> <p>Derived roles allow you to create dynamic roles from one or more parent roles. For example, the role <em>member</em> is permitted to view all blog posts created by other members, but is not allowed to perform any edit operation. To allow owners of a blog post who are also members make edits on their blog post, a derived role called <em>owner</em> is created to grant this permission.</p> <p>Now paste the code below in your <code>derived_roles.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># derived_roles.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">api.cerbos.dev/v1"</span> <span class="na">derivedRoles</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">common_roles</span> <span class="na">definitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">all_users</span> <span class="na">parentRoles</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">member"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">moderator"</span><span class="pi">]</span> <span class="na">condition</span><span class="pi">:</span> <span class="na">match</span><span class="pi">:</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">request.principal.attr.blocked == </span><span class="no">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">owner</span> <span class="na">parentRoles</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">member"</span><span class="pi">]</span> <span class="na">condition</span><span class="pi">:</span> <span class="na">match</span><span class="pi">:</span> <span class="na">all</span><span class="pi">:</span> <span class="na">of</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">request.resource.attr.userId == request.principal.attr.id</span> <span class="pi">-</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">request.principal.attr.blocked == </span><span class="no">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">member_only</span> <span class="na">parentRoles</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">member"</span><span class="pi">]</span> <span class="na">condition</span><span class="pi">:</span> <span class="na">match</span><span class="pi">:</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">request.principal.attr.blocked == </span><span class="no">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">moderator_only</span> <span class="na">parentRoles</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">moderator"</span><span class="pi">]</span> <span class="na">condition</span><span class="pi">:</span> <span class="na">match</span><span class="pi">:</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">request.principal.attr.blocked == </span><span class="no">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">unknown</span> <span class="na">parentRoles</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">unknown"</span><span class="pi">]</span> </code></pre> </div> <p>– <em><strong>apiVersion</strong></em> is the current version of the Cerbos derived role.<br> – <em><strong>derivedRoles</strong></em> contains the list of user roles that your application will be used for; each role will be configured based on the needs of the application.<br> – <em><strong>derivedRoles (name)</strong></em> allows you to distinguish between multiple derived roles files in your application that can be used in your resource policies.<br> – <em><strong>derivedRoles (definitions)</strong></em> is where you’ll define all the intended roles to be used in the application.<br> – <em><strong>name</strong></em> is the name given to the derived roles generated; for example, a resource could be accessed by members and moderators. With the help of derived roles, it’s possible to create another role that will grant permissions to the resource.<br> – <em><strong>parentRoles</strong></em> are the roles to which the derived roles apply, e.g. members and moderators.<br> – <em><strong>condition</strong></em> is a set of expressions that must hold true for the derived roles to take effect. For example, you can create derived roles from members and moderators, then add a condition that the derived roles can only take effect if members or moderators are active. This can be done through the condition key. For more information on conditions, check the condition guide <a href="https://docs.cerbos.dev/cerbos/policies/conditions.html">here</a>.</p> <h3> The <code>resource_post.yaml</code> File Description </h3> <p>The resource policy file allows you to create rules for parent/derived roles on different actions that can be performed on a resource. These rules inform the roles if they have permission to perform certain actions on a resource.</p> <p>Paste the following code in your <code>resource_post.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># resource_post.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">api.cerbos.dev/v1</span> <span class="na">resourcePolicy</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">default"</span> <span class="na">importDerivedRoles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">common_roles</span> <span class="na">resource</span><span class="pi">:</span> <span class="s2">"</span><span class="s">blogpost"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">view:all'</span><span class="pi">]</span> <span class="na">effect</span><span class="pi">:</span> <span class="s">EFFECT_ALLOW</span> <span class="na">derivedRoles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">all_users</span> <span class="pi">-</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">view:single'</span><span class="pi">]</span> <span class="na">effect</span><span class="pi">:</span> <span class="s">EFFECT_ALLOW</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">moderator</span> <span class="pi">-</span> <span class="s">member</span> <span class="pi">-</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">create'</span><span class="pi">]</span> <span class="na">effect</span><span class="pi">:</span> <span class="s">EFFECT_ALLOW</span> <span class="na">derivedRoles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">member_only</span> <span class="pi">-</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">update'</span><span class="pi">]</span> <span class="na">effect</span><span class="pi">:</span> <span class="s">EFFECT_ALLOW</span> <span class="na">derivedRoles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">owner</span> <span class="pi">-</span> <span class="s">moderator_only</span> <span class="na">condition</span><span class="pi">:</span> <span class="na">match</span><span class="pi">:</span> <span class="na">any</span><span class="pi">:</span> <span class="na">of</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">request.resource.attr.flagged == </span><span class="no">false</span><span class="s"> &amp;&amp; request.principal.attr.role == "member"</span> <span class="pi">-</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">request.resource.attr.flagged == </span><span class="no">true</span><span class="s"> &amp;&amp; request.principal.attr.role == "moderator"</span> <span class="pi">-</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">delete'</span><span class="pi">]</span> <span class="na">effect</span><span class="pi">:</span> <span class="s">EFFECT_ALLOW</span> <span class="na">derivedRoles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">owner</span> <span class="pi">-</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">flag'</span><span class="pi">]</span> <span class="na">effect</span><span class="pi">:</span> <span class="s">EFFECT_ALLOW</span> <span class="na">derivedRoles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">moderator_only</span> </code></pre> </div> <p>The resource policy file contains the permissions each role or derived roles can have access to:</p> <p>– <em><strong>apiVersion</strong></em> is the version for the resource policy file.<br> – <em><strong>resourcePolicy</strong></em> holds all the key attributes of the resource policy.<br> – <em><strong>version</strong></em> is used to identify the policy that should be used in the application; you can have multiple policy versions for the same resource.<br> – <em><strong>importDerivedRoles</strong></em> is used to specify the type of derived roles you want to import into the resource policy file.<br> – <em><strong>resource</strong></em> contains the resource you want to apply the roles and permissions to.<br> – <em><strong>rules</strong></em> is where you will set the rules for different operations, on the basis of user permissions.<br> – <em><strong>actions</strong></em> are operations to be performed.<br> – <em><strong>effect</strong></em> is to indicate whether to grant the user access to the operation, based on the roles and derived roles (and conditions, if they exist).<br> – <em><strong>derivedRoles</strong></em> contains the derived roles you formed in your <code>derived_roles yaml</code> file.<br> – <em><strong>roles</strong></em> are static default roles used by your application.<br> – <em><strong>condition</strong></em> specifies conditions that must be met before access can be granted to the operation.</p> <blockquote> <p>To ensure your policy’s YAML files do not contain errors, run this command in the blog post root directory. If it doesn’t return anything, then it is error-free:<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker run -i -t -v $(pwd)/cerbos/policies:/policies ghcr.io/cerbos/cerbos:0.10.0 compile /policies </code></pre> </div> <h2> Spinning Up the Cerbos Server </h2> <p>You’ve now successfully created the policy files that Cerbos will be using to authorize users in your application. Next, it’s time to spin the Cerbos server up by running the below command in your terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker run --rm --name cerbos -d -v $(pwd)/cerbos/policies:/policies -p 3592:3592 ghcr.io/cerbos/cerbos:0.6.0 </code></pre> </div> <p>Your Cerbos server should be running at <a href="http://localhost:3592">http://localhost:3592</a>. Visit the link, and if no error is returned the server is working fine. </p> <h2> Implementing Cerbos Into the Application </h2> <p>Now it’s time to fill the empty scaffolding in the <code>authorization.js</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">Cerbos</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">cerbos</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./db</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cerbos</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Cerbos</span><span class="p">({</span> <span class="na">hostname</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:3592</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// The Cerbos PDP instance</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">principalId</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">resourceAtrr</span> <span class="o">=</span> <span class="p">{})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nx">find</span><span class="p">((</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nb">Number</span><span class="p">(</span><span class="nx">principalId</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">cerbosObject</span> <span class="o">=</span> <span class="p">{</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">create</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">view:single</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">view:all</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">update</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">delete</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">flag</span><span class="dl">"</span><span class="p">],</span> <span class="na">resource</span><span class="p">:</span> <span class="p">{</span> <span class="na">policyVersion</span><span class="p">:</span> <span class="dl">"</span><span class="s2">default</span><span class="dl">"</span><span class="p">,</span> <span class="na">kind</span><span class="p">:</span> <span class="dl">"</span><span class="s2">blogpost</span><span class="dl">"</span><span class="p">,</span> <span class="na">instances</span><span class="p">:</span> <span class="p">{</span> <span class="na">post</span><span class="p">:</span> <span class="p">{</span> <span class="na">attr</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">resourceAtrr</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="na">principal</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">principalId</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">,</span> <span class="na">policyVersion</span><span class="p">:</span> <span class="dl">"</span><span class="s2">default</span><span class="dl">"</span><span class="p">,</span> <span class="na">roles</span><span class="p">:</span> <span class="p">[</span><span class="nx">user</span><span class="p">?.</span><span class="nx">role</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">unknown</span><span class="dl">"</span><span class="p">],</span> <span class="na">attr</span><span class="p">:</span> <span class="nx">user</span><span class="p">,</span> <span class="p">},</span> <span class="na">includeMeta</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">cerbosCheck</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">cerbos</span><span class="p">.</span><span class="nx">check</span><span class="p">(</span><span class="nx">cerbosObject</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isAuthorized</span> <span class="o">=</span> <span class="nx">cerbosCheck</span><span class="p">.</span><span class="nx">isAuthorized</span><span class="p">(</span><span class="dl">"</span><span class="s2">post</span><span class="dl">"</span><span class="p">,</span> <span class="nx">action</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">isAuthorized</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">You are not authorized to visit this resource</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>The <code>cerbosObject</code> is the controller that checks if a user has access to certain actions. It contains the following keys:</p> <p>– <em><strong>Actions</strong></em> contains all of the available actions you’ve created in the resource policy file.<br> – <em><strong>Resource</strong></em> allows you to indicate which resource policy you want to use for the resource request from multiple resource policy files.<br> – The <strong>policyVersion</strong> in the resource key maps to <strong>version</strong> in the resource policy<br> file.<br> – <strong>kind</strong> maps to <strong>resource</strong> key in the resource policy file.<br> – Instances can contain multiple resource requests that you want to test against the<br> resource policy file. In the demo, you are only testing the blog post resource.<br> – <em><strong>Principal</strong></em> contains the details of the user making the resource request at that instance.</p> <p>The <code>cerbosCheck.isAuthorized()</code> method is used to check if the user/principal is authorized to perform the requested action at that instance.</p> <h2> Testing Cerbos Authorization with the Blog Post Application </h2> <p>You have successfully set up the required roles and permissions for each operation in the CRUD blog post demo application. It’s now time to test the routes again and observe what happens, using the table below as a guide for testing:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>action</th> <th>user_id</th> <th>user_role</th> <th>user_status</th> <th>response</th> </tr> </thead> <tbody> <tr> <td>create, view:all, view:single</td> <td>1 and 2</td> <td>member</td> <td>active</td> <td>OK</td> </tr> <tr> <td>All Actions</td> <td>3</td> <td>member</td> <td>blocked</td> <td>Not authorized</td> </tr> <tr> <td>All Actions</td> <td>5</td> <td>moderator</td> <td>blocked</td> <td>Not authorized</td> </tr> <tr> <td>Update its own post</td> <td>1</td> <td>member</td> <td>active</td> <td>OK</td> </tr> <tr> <td>Update another user post</td> <td>1</td> <td>member</td> <td>active</td> <td>Not authorized</td> </tr> </tbody> </table></div> <p>The above table displays a subset of the different permissions for each user implemented in the demo application. </p> <p>You can clone the demo application repository from <a href="https://github.com/tolustar/cerbos-authorization">GitHub</a>. Once you’ve cloned it, follow the simple instructions in the README file. You can run the automated test script to test for the different user roles and permissions.</p> <h2> Conclusion </h2> <p>In this article, you’ve learned the benefits of Cerbos authorization by implementing it in a demo Node.js application. You’ve also learned the different Cerbos policy files and their importance in ensuring authorization works properly.</p> <p>For more information about Cerbos, you can visit the official documentation <a href="https://docs.cerbos.dev/">here</a>.</p> node authorization cerbos authz