The latest articles on DEV Community by Imo-owo Nabuk (@richienabuk). https://dev.to/richienabuk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F177737%2F1fd3ec7d-0814-4760-b062-ed11351f0ad9.jpeg https://dev.to/richienabuk en Imo-owo Nabuk Thu, 09 Sep 2021 22:03:46 +0000 https://dev.to/richienabuk/how-to-implement-dynamic-role-based-access-control-rbac-in-express-js-rest-api-54fe https://dev.to/richienabuk/how-to-implement-dynamic-role-based-access-control-rbac-in-express-js-rest-api-54fe <p>In this tutorial, I want to share how to implement dynamic role based access control (RBAC) system in express js (node js) API with Postgres, and Sequelize ORM with ES6+.</p> <p>There are many resources out there on creating a user account with role field in the user table. The limitation with this is that a user can only have one role at a time.</p> <p>Some software products such as management systems might require a user to share multiple roles and sometimes have direct permissions to perform an action.</p> <p>Let's explore how to create a user account with multiple roles and direct permissions for specific actions.</p> <p>For this implementation, we are going to continue from my previous tutorial on <a href="https://dev.to/richienabuk/setting-up-express-js-rest-api-postgres-and-sequelize-orm-with-es6-4m08">how to set up Express JS REST API, Postgres, and Sequelize ORM with ES6+</a> with a some tweaks.</p> <p>Clone <a href="https://github.com/richienabuk/express-js-postgres-sequelize" rel="noopener noreferrer">this</a> repository for the tutorial.</p> <p>Let's create util functions for hashing password and json responses. Create utils folder in src folder and add two files: hashing.js &amp; sendResponse.js</p> <p>In hashing.js, add the following codes:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">string</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">hash_compare</span> <span class="o">=</span> <span class="p">(</span><span class="nx">first_item</span><span class="p">,</span> <span class="nx">second_item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">is</span><span class="p">(</span><span class="nx">first_item</span><span class="p">,</span> <span class="nx">second_item</span><span class="p">);</span> </code></pre> </div> <p>Add the following to sendResponse.js:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">export</span> <span class="kd">const</span> <span class="nx">sendErrorResponse</span> <span class="o">=</span> <span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">errorMessage</span><span class="p">,</span> <span class="nx">e</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">code</span><span class="p">).</span><span class="nf">send</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">errorMessage</span><span class="p">,</span> <span class="na">e</span><span class="p">:</span> <span class="nx">e</span><span class="p">?.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">sendSuccessResponse</span> <span class="o">=</span> <span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">message</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Successful</span><span class="dl">'</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">code</span><span class="p">).</span><span class="nf">send</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">success</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Replace the codes in src/controllers/AuthController.js with</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span><span class="nx">Op</span><span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">sequelize</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">model</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../models</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span><span class="nx">sendErrorResponse</span><span class="p">,</span> <span class="nx">sendSuccessResponse</span><span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/sendResponse</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span><span class="nx">hash</span><span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/hashing</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">User</span><span class="p">}</span> <span class="o">=</span> <span class="nx">model</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">signUp</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">phone</span><span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span><span class="na">where</span><span class="p">:</span> <span class="p">{[</span><span class="nx">Op</span><span class="p">.</span><span class="nx">or</span><span class="p">]:</span> <span class="p">[{</span><span class="nx">phone</span><span class="p">},</span> <span class="p">{</span><span class="nx">email</span><span class="p">}]}});</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">422</span><span class="p">,</span> <span class="dl">'</span><span class="s1">User with that email or phone already exists</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">settings</span> <span class="o">=</span> <span class="p">{</span> <span class="na">notification</span><span class="p">:</span> <span class="p">{</span> <span class="na">push</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> <span class="nx">phone</span><span class="p">,</span> <span class="nx">settings</span> <span class="p">});</span> <span class="k">return</span> <span class="nf">sendSuccessResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">201</span><span class="p">,</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="p">}</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Account created successfully</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">);</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">500</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Could not perform operation at this time, kindly try again later.</span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In the routes folder, add a file authRouter.js and add the following code:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">AuthController</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../controllers/AuthController</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/register</span><span class="dl">'</span><span class="p">,</span> <span class="nx">AuthController</span><span class="p">.</span><span class="nx">signUp</span><span class="p">);</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>Replace the code in src/routes/index.js with:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="nx">authRouter</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./authRouter</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sendErrorResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/sendResponse</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default </span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/auth</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">404</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Route does not exist</span><span class="dl">'</span><span class="p">));</span> <span class="p">};</span> </code></pre> </div> <p>Let's implement the API login. I prefer to persist the token in the database. The benefit of this is that a user will know the devices with active session and can choose to destroy the session. It's the approach used in telegram messaging app.</p> <p>Run the sequelize command to create the token model and migration<br> <code>sequelize model:generate --name PersonalAccessToken --attributes name:string,token:string,last_used_at:string,last_ip_address:string</code></p> <p>Update the PersonalAccessToken model with the following code:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">Model</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">sequelize</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">PROTECTED_ATTRIBUTES</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">];</span> <span class="k">export</span> <span class="k">default </span><span class="p">(</span><span class="nx">sequelize</span><span class="p">,</span> <span class="nx">DataTypes</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">class</span> <span class="nc">PersonalAccessToken</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="nf">toJSON</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// hide protected fields</span> <span class="kd">const</span> <span class="nx">attributes</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="k">this</span><span class="p">.</span><span class="nf">get</span><span class="p">()</span> <span class="p">};</span> <span class="c1">// eslint-disable-next-line no-restricted-syntax</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">a</span> <span class="k">of</span> <span class="nx">PROTECTED_ATTRIBUTES</span><span class="p">)</span> <span class="p">{</span> <span class="k">delete</span> <span class="nx">attributes</span><span class="p">[</span><span class="nx">a</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">attributes</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Helper method for defining associations. * This method is not a part of Sequelize lifecycle. * The `models/index` file will call this method automatically. */</span> <span class="kd">static</span> <span class="nf">associate</span><span class="p">(</span><span class="nx">models</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// define association here</span> <span class="nx">PersonalAccessToken</span><span class="p">.</span><span class="nf">belongsTo</span><span class="p">(</span><span class="nx">models</span><span class="p">.</span><span class="nx">User</span><span class="p">,</span> <span class="p">{</span> <span class="na">foreignKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="na">as</span><span class="p">:</span> <span class="dl">'</span><span class="s1">owner</span><span class="dl">'</span><span class="p">,</span> <span class="na">onDelete</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CASCADE</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">models</span><span class="p">.</span><span class="nx">User</span><span class="p">.</span><span class="nf">hasMany</span><span class="p">(</span><span class="nx">PersonalAccessToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">foreignKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="na">as</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tokens</span><span class="dl">'</span><span class="p">,</span> <span class="na">onDelete</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CASCADE</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">PersonalAccessToken</span><span class="p">.</span><span class="nf">init</span><span class="p">({</span> <span class="na">user_id</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">DataTypes</span><span class="p">.</span><span class="nx">INTEGER</span><span class="p">,</span> <span class="na">allowNull</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="na">name</span><span class="p">:</span> <span class="nx">DataTypes</span><span class="p">.</span><span class="nx">STRING</span><span class="p">,</span> <span class="na">token</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">DataTypes</span><span class="p">.</span><span class="nx">STRING</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">allowNull</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="na">last_used_at</span><span class="p">:</span> <span class="nx">DataTypes</span><span class="p">.</span><span class="nx">DATE</span><span class="p">,</span> <span class="na">last_ip_address</span><span class="p">:</span> <span class="nx">DataTypes</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">sequelize</span><span class="p">,</span> <span class="na">modelName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PersonalAccessToken</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">PersonalAccessToken</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>We just added the associations for the token and the user model and can then create our login controller.</p> <p>Add this function to the user model before the return statement:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="cm">/** * Create a new personal access token for the user. * * @return Object * @param device_name */</span> <span class="nx">User</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">newToken</span> <span class="o">=</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">newToken</span><span class="p">(</span><span class="nx">device_name</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Web FE</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">plainTextToken</span> <span class="o">=</span> <span class="nc">Random</span><span class="p">(</span><span class="mi">40</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">createToken</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">device_name</span><span class="p">,</span> <span class="na">token</span><span class="p">:</span> <span class="nf">hash</span><span class="p">(</span><span class="nx">plainTextToken</span><span class="p">),</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">accessToken</span><span class="p">:</span> <span class="nx">token</span><span class="p">,</span> <span class="na">plainTextToken</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">token</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">|</span><span class="p">${</span><span class="nx">plainTextToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>Remember to import the hashing utils in the user model. Add a random token generator and import as well. Create src/utils/Random.js and add the code: </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default </span><span class="p">(</span><span class="nx">length</span> <span class="o">=</span> <span class="mi">6</span><span class="p">,</span> <span class="nx">type</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">alphanumeric</span><span class="dl">'</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="nx">length</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="nb">Number</span><span class="p">.</span><span class="nf">isFinite</span><span class="p">(</span><span class="nx">length</span><span class="p">)))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">TypeError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Expected a `length` to be a non-negative finite number</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">characters</span><span class="p">;</span> <span class="k">switch </span><span class="p">(</span><span class="nx">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">numeric</span><span class="dl">'</span><span class="p">:</span> <span class="nx">characters</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">0123456789</span><span class="dl">'</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">url-safe</span><span class="dl">'</span><span class="p">:</span> <span class="nx">characters</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~</span><span class="dl">'</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">alphanumeric</span><span class="dl">'</span><span class="p">:</span> <span class="na">default</span><span class="p">:</span> <span class="nx">characters</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789</span><span class="dl">'</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Generating entropy is faster than complex math operations, so we use the simplest way</span> <span class="kd">const</span> <span class="nx">characterCount</span> <span class="o">=</span> <span class="nx">characters</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">maxValidSelector</span> <span class="o">=</span> <span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="mh">0x10000</span> <span class="o">/</span> <span class="nx">characterCount</span><span class="p">)</span> <span class="o">*</span> <span class="nx">characterCount</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// Using values above this will ruin distribution when using modular division</span> <span class="kd">const</span> <span class="nx">entropyLength</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">ceil</span><span class="p">(</span><span class="mf">1.1</span> <span class="o">*</span> <span class="nx">length</span><span class="p">);</span> <span class="c1">// Generating a bit more than required so chances we need more than one pass will be really low</span> <span class="kd">let</span> <span class="nx">string</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">stringLength</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">stringLength</span> <span class="o">&lt;</span> <span class="nx">length</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// In case we had many bad values, which may happen for character sets of size above 0x8000 but close to it</span> <span class="kd">const</span> <span class="nx">entropy</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="nx">entropyLength</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">entropyPosition</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">entropyPosition</span> <span class="o">&lt;</span> <span class="nx">entropyLength</span> <span class="o">&amp;&amp;</span> <span class="nx">stringLength</span> <span class="o">&lt;</span> <span class="nx">length</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">entropyValue</span> <span class="o">=</span> <span class="nx">entropy</span><span class="p">.</span><span class="nf">readUInt16LE</span><span class="p">(</span><span class="nx">entropyPosition</span><span class="p">);</span> <span class="nx">entropyPosition</span> <span class="o">+=</span> <span class="mi">2</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">entropyValue</span> <span class="o">&gt;</span> <span class="nx">maxValidSelector</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Skip values which will ruin distribution when using modular division</span> <span class="c1">// eslint-disable-next-line no-continue</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="nx">string</span> <span class="o">+=</span> <span class="nx">characters</span><span class="p">[</span><span class="nx">entropyValue</span> <span class="o">%</span> <span class="nx">characterCount</span><span class="p">];</span> <span class="c1">// eslint-disable-next-line no-plusplus</span> <span class="nx">stringLength</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">string</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>Let's create login method in the src/controllers/AuthController.js file</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">async</span> <span class="nf">login</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">login</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">device_name</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">login</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">404</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Incorrect login credentials. Kindly check and try again</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">checkPassword</span> <span class="o">=</span> <span class="nf">hash_compare</span><span class="p">(</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">checkPassword</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">400</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Incorrect login credentials. Kindly check and try again</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">status</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">401</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Your account has been suspended. Contact admin</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">newToken</span><span class="p">();</span> <span class="k">return</span> <span class="nf">sendSuccessResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="na">token</span><span class="p">:</span> <span class="nx">token</span><span class="p">.</span><span class="nx">plainTextToken</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Login successfully</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">);</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">500</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Server error, contact admin to resolve issue</span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Use postman to test login</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyrp5q879t2vdxkka0l1h.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyrp5q879t2vdxkka0l1h.png" alt="image"></a></p> <p>With the sign up and login features completed, let's dive into creating models for Roles and Permission. You can later add an endpoint for the user to login of other device, that's beyond the scope of this tutorial.</p> <p>We are going to create Role, Permission, UserRole, RolePermission and UserPermission models and migrations.</p> <p>Check <a href="https://github.com/richienabuk/express-js-api-rbac" rel="noopener noreferrer">repo</a> for models and relationship.</p> <p>Next, add this static method to PersonalAccessToken model:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="cm">/*** * Verify the token and retrieve the authenticated user for the incoming request. * @param authorizationToken * @returns {Promise&lt;{user}&gt;} */</span> <span class="kd">static</span> <span class="k">async</span> <span class="nf">findToken</span><span class="p">(</span><span class="nx">authorizationToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">authorizationToken</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">accessToken</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authorizationToken</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">|</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">token</span><span class="p">:</span> <span class="nf">hash</span><span class="p">(</span><span class="nx">authorizationToken</span><span class="p">)</span> <span class="p">},</span> <span class="na">include</span><span class="p">:</span> <span class="dl">'</span><span class="s1">owner</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">id</span><span class="p">,</span> <span class="nx">kToken</span><span class="p">]</span> <span class="o">=</span> <span class="nx">authorizationToken</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">|</span><span class="dl">'</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">instance</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">findByPk</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="na">include</span><span class="p">:</span> <span class="dl">'</span><span class="s1">owner</span><span class="dl">'</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">instance</span><span class="p">)</span> <span class="p">{</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nf">hash_compare</span><span class="p">(</span><span class="nx">instance</span><span class="p">.</span><span class="nx">token</span><span class="p">,</span> <span class="nf">hash</span><span class="p">(</span><span class="nx">kToken</span><span class="p">))</span> <span class="p">?</span> <span class="nx">instance</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">accessToken</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">currentAccessToken</span><span class="p">:</span> <span class="kc">null</span> <span class="p">};</span> <span class="nx">accessToken</span><span class="p">.</span><span class="nx">last_used_at</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">());</span> <span class="k">await</span> <span class="nx">accessToken</span><span class="p">.</span><span class="nf">save</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nx">accessToken</span><span class="p">.</span><span class="nx">owner</span><span class="p">,</span> <span class="na">currentAccessToken</span><span class="p">:</span> <span class="nx">accessToken</span><span class="p">.</span><span class="nx">token</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">currentAccessToken</span><span class="p">:</span> <span class="kc">null</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Let's create a seeder for our default roles and permissions using the command</p> <p><code>sequelize seed:generate --name roles-permissions-admin-user</code></p> <p>Add the following to the seeder file located at src/database/seeders:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">hash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../utils/hashing</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">model</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../models</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Constants</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../utils/constants</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">User</span><span class="p">,</span> <span class="nx">Role</span><span class="p">,</span> <span class="nx">Permission</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">model</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="c1">// eslint-disable-next-line no-unused-vars</span> <span class="na">up</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">queryInterface</span><span class="p">,</span> <span class="nx">Sequelize</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="cm">/** * Add seed commands here. * * Example: * await queryInterface.bulkInsert('People', [{ * name: 'John Doe', * isBetaMember: false * }], {}); */</span> <span class="k">await</span> <span class="nx">Role</span><span class="p">.</span><span class="nf">bulkCreate</span><span class="p">([</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">ROLE_SUPER_ADMIN</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">ROLE_ADMIN</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">ROLE_MODERATOR</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">ROLE_AUTHENTICATED</span> <span class="p">},</span> <span class="p">]);</span> <span class="k">await</span> <span class="nx">Permission</span><span class="p">.</span><span class="nf">bulkCreate</span><span class="p">([</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">PERMISSION_VIEW_ADMIN_DASHBOARD</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">PERMISSION_VIEW_ALL_USERS</span> <span class="p">},</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">superAdminUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">John Doe</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">johndoe@node.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nf">hash</span><span class="p">(</span><span class="dl">'</span><span class="s1">Password111</span><span class="dl">'</span><span class="p">),</span> <span class="na">phone</span><span class="p">:</span> <span class="dl">'</span><span class="s1">+2348123456789</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">superAdminRole</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Role</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">ROLE_SUPER_ADMIN</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">superAdminPermissions</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Permission</span><span class="p">.</span><span class="nf">findAll</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="p">[</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">PERMISSION_VIEW_ADMIN_DASHBOARD</span><span class="p">,</span> <span class="nx">Constants</span><span class="p">.</span><span class="nx">PERMISSION_VIEW_ALL_USERS</span><span class="p">,</span> <span class="p">],</span> <span class="p">},</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">superAdminUser</span><span class="p">.</span><span class="nf">addRole</span><span class="p">(</span><span class="nx">superAdminRole</span><span class="p">);</span> <span class="k">await</span> <span class="nx">superAdminRole</span><span class="p">.</span><span class="nf">addPermissions</span><span class="p">(</span><span class="nx">superAdminPermissions</span><span class="p">);</span> <span class="p">},</span> <span class="c1">// eslint-disable-next-line no-unused-vars</span> <span class="na">down</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">queryInterface</span><span class="p">,</span> <span class="nx">Sequelize</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="cm">/** * Add commands to revert seed here. * * Example: * await queryInterface.bulkDelete('People', null, {}); */</span> <span class="k">await</span> <span class="nx">Role</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="k">await</span> <span class="nx">Permission</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>Here, we've created a super admin user, default roles and permissions and sync the models.</p> <p>Update the user model with the following:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">User</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">hasRole</span> <span class="o">=</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hasRole</span><span class="p">(</span><span class="nx">role</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">role</span> <span class="o">||</span> <span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">undefined</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">roles</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">getRoles</span><span class="p">();</span> <span class="k">return</span> <span class="o">!!</span><span class="nx">roles</span><span class="p">.</span><span class="nf">map</span><span class="p">(({</span> <span class="nx">name</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="nx">name</span><span class="p">)</span> <span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">role</span><span class="p">);</span> <span class="p">};</span> <span class="nx">User</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">hasPermission</span> <span class="o">=</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hasPermission</span><span class="p">(</span><span class="nx">permission</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">permission</span> <span class="o">||</span> <span class="nx">permission</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">undefined</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">permissions</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">getPermissions</span><span class="p">();</span> <span class="k">return</span> <span class="o">!!</span><span class="nx">permissions</span><span class="p">.</span><span class="nf">map</span><span class="p">(({</span> <span class="nx">name</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="nx">name</span><span class="p">)</span> <span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">permission</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="p">};</span> <span class="nx">User</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">hasPermissionThroughRole</span> <span class="o">=</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hasPermissionThroughRole</span><span class="p">(</span><span class="nx">permission</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">permission</span> <span class="o">||</span> <span class="nx">permission</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">undefined</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">roles</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">getRoles</span><span class="p">();</span> <span class="c1">// eslint-disable-next-line no-restricted-syntax</span> <span class="k">for</span> <span class="k">await </span><span class="p">(</span><span class="kd">const</span> <span class="nx">item</span> <span class="k">of</span> <span class="nx">permission</span><span class="p">.</span><span class="nx">roles</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">roles</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">role</span> <span class="o">=&gt;</span> <span class="nx">role</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="nx">item</span><span class="p">.</span><span class="nx">name</span><span class="p">).</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">};</span> <span class="nx">User</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">hasPermissionTo</span> <span class="o">=</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hasPermissionTo</span><span class="p">(</span><span class="nx">permission</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">permission</span> <span class="o">||</span> <span class="nx">permission</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">undefined</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">hasPermissionThroughRole</span><span class="p">(</span><span class="nx">permission</span><span class="p">)</span> <span class="o">||</span> <span class="k">this</span><span class="p">.</span><span class="nf">hasPermission</span><span class="p">(</span><span class="nx">permission</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>Next, we create a middleware for the route. We are going to create two middleware files, one for basic authentication and another for the permissions.</p> <p>In the src folder, create another folder called middleware and add Auth.js and canAccess.js files to it.</p> <p>Paste the following as the content for Auth.js file:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">sendErrorResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/sendResponse</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">model</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../models</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">PersonalAccessToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">model</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">401</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authentication required</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">bearerToken</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">currentAccessToken</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">PersonalAccessToken</span><span class="p">.</span><span class="nf">findToken</span><span class="p">(</span><span class="nx">bearerToken</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">401</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authentication Failed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">status</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">403</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Your account is either suspended or inactive. Contact admin to re-activate your account.</span><span class="dl">'</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">currentAccessToken</span> <span class="o">=</span> <span class="nx">currentAccessToken</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">userData</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">);</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">401</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authentication Failed</span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>and canAccess.js</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">sendErrorResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/sendResponse</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">model</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../models</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">Role</span><span class="p">,</span> <span class="nx">Permission</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">model</span><span class="p">;</span> <span class="k">export</span> <span class="k">default </span><span class="p">(</span><span class="nx">permission</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">access</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Permission</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">permission</span> <span class="p">},</span> <span class="na">include</span><span class="p">:</span> <span class="p">[{</span> <span class="na">attributes</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">],</span> <span class="na">model</span><span class="p">:</span> <span class="nx">Role</span><span class="p">,</span> <span class="na">as</span><span class="p">:</span> <span class="dl">'</span><span class="s1">roles</span><span class="dl">'</span><span class="p">,</span> <span class="na">through</span><span class="p">:</span> <span class="p">{</span> <span class="na">attributes</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="p">}],</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nx">userData</span><span class="p">.</span><span class="nf">hasPermissionTo</span><span class="p">(</span><span class="nx">access</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">You do not have the authorization to access this.</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nf">sendErrorResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">403</span><span class="p">,</span> <span class="dl">'</span><span class="s1">You do not have the authorization to access this</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>Finally, let's add our middlewares to the route by creating an adminRouter.js file in routes folder and add the following:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Auth</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../middlewares/Auth</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">can</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../middlewares/canAccess</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Constants</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/constants</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">AdminController</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../controllers/AdminController</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sendSuccessResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/sendResponse</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">Auth</span><span class="p">,</span> <span class="nf">can</span><span class="p">(</span><span class="nx">Constants</span><span class="p">.</span><span class="nx">PERMISSION_VIEW_ALL_USERS</span><span class="p">),</span> <span class="nx">AdminController</span><span class="p">.</span><span class="nx">users</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="nx">Auth</span><span class="p">,</span> <span class="nf">can</span><span class="p">(</span><span class="nx">Constants</span><span class="p">.</span><span class="nx">PERMISSION_VIEW_ADMIN_DASHBOARD</span><span class="p">),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">sendSuccessResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="dl">''</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Admin dashboard access allowed.</span><span class="dl">'</span><span class="p">)</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>Note, I created an AdminController file and used it in the route. You can organize your code however you want.</p> <p>The basic thing is that each route has a permission tag and that permission can be assigned to a role or directly to a user for the middleware to allow or deny.</p> <p>See complete API server codes on <a href="https://github.com/richienabuk/express-js-api-rbac" rel="noopener noreferrer">github</a>.</p> <p>The API documention is available <a href="https://www.getpostman.com/collections/faa987829f1e99090933" rel="noopener noreferrer">here</a></p> <p>If you have issues, questions or contribution, kindly do so in the comment section below.</p> <p>That's how to implement Dynamic Role based Access Control (RBAC) system in Express js (Node js) API. The code is not production ready, you are free to improve on it and use it.<br> Add logout controller, validation for data, endpoint for creating and assigning roles and permissions and other features your app will need.</p> <p>Thank you.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk4uw59lcpubry8r8vyan.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk4uw59lcpubry8r8vyan.png" alt="Alt Text"></a></p> node rbac express api Imo-owo Nabuk Mon, 01 Mar 2021 18:56:48 +0000 https://dev.to/richienabuk/simple-steps-to-deploy-laravel-5-6-7-website-on-shared-hosting-1821 https://dev.to/richienabuk/simple-steps-to-deploy-laravel-5-6-7-website-on-shared-hosting-1821 <p>Deploying on cPanel seems tricky because you cannot run `php artisan serve` command there and the index.php file resides in the public folder. If you deploy as is, you will have to visit your site as `domain.tld/public` and that's not workable for SEO and convenience.</p> <p>Using `git` and `composer`, you can easily deploy your site and manage further updates.</p> <p>Laravel is best hosted on a VPS or dedicated server but you may not want to pay more for hosting a small project and choose to settle for shared hosting.</p> <h3>Step 1 - Visit https://yourdomain.com/cpanel</h3> <li>Login with your cPanel credentials. <h3>Find the terminal icon or search for it and click it.</h3> <blockquote class="wp-block-quote"> <p>If the Terminal Icon does not exist, it means your shared account doesn't have "Shell Access" turned on. Ask your Hosting Provider to turn it on for you.</p> <p>It could also mean that your cPanel version doesn't have the terminal option. Download and use an SSH client but you'll have to enable it on the server. Contact your provider on how to use SSH client.</p> </blockquote> <p>It will launch the terminal. This is where you will do most of the work.</p> <ul> <li>Check PHP version and ensure it is &gt;= 7.1.3</li> <li>Check that composer is installed on the server by running the composer command</li> </ul> <pre class="wp-block-code"> <code> composer -V // Composer version 1.7.2 2018-08-16 16:57:12 </code> </pre> <blockquote class="wp-block-quote"><p>Most cPanel comes with Git pre-installed, if it is not, you might need to ask your hosting provider to have it installed.</p></blockquote> <h2>Step 2 - Set up the app</h2> <ul><li>Clone the repo to a folder named "project", it should be in /home/username/project</li></ul> <pre class="wp-block-code"><code> git clone git@github.com:username/repo.git project </code></pre> <ul><li>Go to the project folder and install the dependencies</li></ul> <pre class="wp-block-code"><code> cd project composer install </code></pre> <ul> <li>Create a new MySQL database in cPanel in DATABASES -&gt; MySQL Databases section. take note of the database name, username and password.</li> <li>copy the .env.example file to .env</li> </ul> <pre> <code> cp .env.example .env </code> </pre> <ul><li>edit the .env file and configure it with your setting</li></ul> <pre><code> nano .env </code></pre> <p>few key settings that is important are</p> <pre class="wp-block-code"><code> DB_HOST=localhost DB_CONNECTION=mysql DB_PORT=3306 DB_DATABASE=dbname DB_USERNAME=dbuser DB_PASSWORD=dbuserpass APP_ENV=production APP_DEBUG=false </code></pre> <ul><li>Generate the application key</li></ul> <pre class="wp-block-code"><code> php artisan key:generate </code></pre> <ul><li>Run the migrations</li></ul> <pre class="wp-block-code"><code> php artisan migrate </code></pre> <blockquote class="wp-block-quote"><p>If you received an error of "Specified key was too long; maxkey length is 1000 bytes", you need to check this article for the <a href="https://laravel-news.com/laravel-5-4-key-too-long-error">fix</a>. Apply the fix in the repo, then issue "git pull origin master" so that this copy will receive the fix . Then go to PhpMyAdmin, drop all the tables there and try running the migrate command again.</p></blockquote> <ul><li>Set the permission of the storage folder so that the web server can write to it</li></ul> <pre class="wp-block-code"><code> chmod -R 775 storage </code></pre> <ul><li>Optimize things up!</li></ul> <pre class="wp-block-code"><code> php composer dump-autoload php artisan config:cache php artisan route:cache </code></pre> <h2>Step 2 - Make the app accessible to public</h2> <p>right now, the app is not accessible outside because we placed it under /home/user/app directory. The only folder that is accessible to public is /home/user/public_html but we don't want to place all of our framework files into public_html folder. So what we gonna do is simply make a <a rel="noreferrer noopener" href="https://en.wikipedia.org/wiki/Symbolic_link">Symbolic link</a> to our /home/user/app/public folder.</p> <p>to do this, backup first a copy of the public_html folder</p> <pre class="wp-block-code"><code> mv public_html public_html_old </code></pre> <p>create the symlink</p> <pre class="wp-block-code"><code> ln -s /home/user/project/public /home/user/public_html </code></pre> <p>your folder structure should be similar to this</p> <pre class="wp-block-code"><code> public_html -&gt; /home/user/project/public public_html_old www -&gt; public_html </code></pre> <h3>Bravo! Your site should be working now.</h3> <ul><li>You can deploy further changes by `git pull`ing the latest version or you using Continuous Deployment integration.</li></ul> <p>Inspired by <a rel="noreferrer noopener" href="https://www.darwinbiler.com/how-to-properly-deploy-laravel-in-shared-hosting-2019">Darwin Biler</a></p> </li> Imo-owo Nabuk Tue, 02 Feb 2021 10:58:22 +0000 https://dev.to/richienabuk/setting-up-express-js-rest-api-postgres-and-sequelize-orm-with-es6-4m08 https://dev.to/richienabuk/setting-up-express-js-rest-api-postgres-and-sequelize-orm-with-es6-4m08 <p>Developing with express js (node js), Postgres and Sequelize ORM has been fun for me. I enjoy working with ORMs such as Sequelize as it aids me in building projects faster and efficiently. I want to share with you how I set up my Express js project with Postgres and Sequelize to code in ES6 and above.</p> <p>This tutorial assumes you have a fair knowledge of the JavaScript language.</p> <h3> Setup </h3> <p>To begin, install <a href="https://nodejs.org/en/">Node JS</a> on your computer. It comes with a package manager which you'll use for command-line operations.</p> <ul> <li><p>Create a folder where your project will reside, you can give it any name you want. we'll call it node-project</p></li> <li><p>Open your command line and change directory into it.</p></li> </ul> <p><code>cd node-project</code></p> <ul> <li>Initialize a NodeJS application by running the following command: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm init -y </code></pre> </div> <p>This will create a package.json file with a basic config. You can manually input the configuration by omitting the <code>-y</code> flag.</p> <h3> Express JS Setup </h3> <p>To install express js, run <code>npm i express</code> on your command line within the project folder.</p> <ul> <li><p>Create an <code>index.js</code> file.</p></li> <li><p>Add the following codes in the newly created index.js file<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const express = require('express'); const app = express(); app.use(express.urlencoded({ extended: true })); app.use(express.json()); // Create a catch-all route for testing the installation. app.get('*', (req, res) =&gt; res.status(200).send({ message: 'Hello World!', })); const port = 5000; app.listen(port, () =&gt; { console.log('App is now running at port ', port) }) </code></pre> </div> <ul> <li>Run <code>node ./index.js</code> on the terminal</li> <li>Visit <code>http://localhost:5000</code> on your browser to view your express API server. Any route will display the same welcome message because of the catch-all route we created.</li> </ul> <p>When we make changes, we'll have to kill the process and restart to see the effect. So, we'll install a package that will save us that stress: Nodemon.</p> <ul> <li><p>Run <code>npm i -D nodemon</code></p></li> <li><p>Edit scripts in package.json file to look like this:<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"scripts": { "dev": "nodemon index.js" }, </code></pre> </div> <p>Kill your current process and run <code>npm run dev</code> to start the server. Going forward, when you start the server this way, you won't need to restart it to see changes.</p> <p>The folder structure should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>node-project ├── node_modules ├── index.js ├── package.json ├── package-lock.json </code></pre> </div> <h4> Babel Setup for ES6 </h4> <p>To code in ES6 and above, you need to install babel packages,<br> Run the following command to install the necessary packages for our project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm i @babel/core @babel/node @babel/preset-env </code></pre> </div> <ul> <li>Create a .babelrc file in the folder and populate with the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "presets": [ [ "@babel/preset-env", { "targets": { "node": "current" } } ] ] } </code></pre> </div> <ul> <li>Edit the package.json file script command to use babel </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> "scripts": { "dev": "nodemon --exec babel-node index.js" }, </code></pre> </div> <p>The package.json file should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "name": "project", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "dev": "nodemon --exec babel-node index.js" }, "author": "", "license": "ISC", "dependencies": { "express": "^4.17.1", "@babel/core": "^7.12.10", "@babel/node": "^7.12.10", "@babel/preset-env": "^7.12.11" }, "devDependencies": { "nodemon": "^2.0.7" } } </code></pre> </div> <p>The index.js file should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import express from 'express'; const app = express(); app.use(express.urlencoded({ extended: true })); app.use(express.json()); // Create a catch-all route for testing the installation. app.get('*', (req, res) =&gt; res.status(200).send({ message: 'Hello World!', })); const port = 5000; app.listen(port, () =&gt; { console.log('App is now running at port ', port) }) </code></pre> </div> <ul> <li>Restart your server and you are ready to code your node js API with ES6 syntax</li> </ul> <h3> Sequelize Setup in Express JS App </h3> <p>We will be using Postgres DB in this tutorial but you can use any DB you are comfortable with such as MySQL, SQLite, etc.</p> <p>To get started with Sequelize ORM with Postgres, you need a Postgres DB which could be remote or on your local machine. Visit <a href="https://www.postgresql.org/download/">this link</a> to install Postgres on your computer.</p> <p>To use Sequelize in your node app with Postgres, you can install the Command Line Tool (CLI) package globally on your computer or in the app. You just need to know how to call it.</p> <p>In this tutorial, we will install it globally and in the project as well.</p> <p>Run the command to install it locally and globally<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install -g sequelize-cli npm install sequelize-cli </code></pre> </div> <p>Depending on which approach you choose, if globally installed, you will always make the command as <code>sequelize do:something</code>, if local, it'll be <code>./node_modules/.bin/sequelize</code> inside the project folder.</p> <ul> <li>Install Sequelize and Postgres packages by running the command: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm i sequelize pg </code></pre> </div> <ul> <li>Install babel to work with sequelize </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm i @babel/register </code></pre> </div> <ul> <li>Create <code>.sequelizerc</code> file and populate with the following configuration </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>require("@babel/register"); const path = require('path'); module.exports = { "config": path.resolve('./src/config', 'config.json'), "models-path": path.resolve('./src/models'), "seeders-path": path.resolve('./src/database/seeders'), "migrations-path": path.resolve('./src/database/migrations') }; </code></pre> </div> <p>The <code>sequelizerc</code> file contains how the folders for Sequelize will be organized. If you don't have it, it'll still work but everything will be placed in the root folder. The configuration will be in src/config, Sequelize models will reside in src/models folder, while seeders file and migration will be in src/database folder.</p> <ul> <li>Next, we initialize Sequelize in the project. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequelize init </code></pre> </div> <p>The command creates the necessary folders and files for Sequelize ORM.</p> <ul> <li>If you look at <code>src/models/index.js</code>, it is not written in ES6. Let's refactor that and it'll become: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import fs from 'fs'; import path from 'path'; import Sequelize from 'sequelize'; import enVariables from '../config/config.json'; const basename = path.basename(__filename); const env = process.env.NODE_ENV || 'development'; const config = enVariables[env]; const db = {}; let sequelize; if (config.use_env_variable) { sequelize = new Sequelize(process.env[config.use_env_variable], config); } else { sequelize = new Sequelize(config.database, config.username, config.password, config); } fs .readdirSync(__dirname) .filter(file =&gt; (file.indexOf('.') !== 0) &amp;&amp; (file !== basename) &amp;&amp; (file.slice(-3) === '.js')) .forEach(file =&gt; { // eslint-disable-next-line global-require,import/no-dynamic-require const model = require(path.join(__dirname, file)).default(sequelize, Sequelize.DataTypes); db[model.name] = model; }); Object.keys(db).forEach(modelName =&gt; { if (db[modelName].associate) { db[modelName].associate(db); } }); db.sequelize = sequelize; db.Sequelize = Sequelize; export default db; </code></pre> </div> <ul> <li>Create a DB and update the config/config.json file accordingly: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "development": { "username": "postgres", "password": "password", "database": "node-project", "port": "5434", "host": "127.0.0.1", "dialect": "postgres" }, "test": { "username": "root", "password": null, "database": "database_test", "host": "127.0.0.1", "dialect": "postgres" }, "production": { "username": "root", "password": null, "database": "database_production", "host": "127.0.0.1", "dialect": "postgres" } } </code></pre> </div> <h4> All is now set to create models and migration. </h4> <p>Let's create a model and migration for users.</p> <p>Run the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequelize model:generate --name User --attributes name:string,email:string,phone:string,password:string,status:string,last_login_at:date,last_ip_address:string </code></pre> </div> <p>This command creates a User model and migration table in the corresponding folders. The attributes are the fields we want to have on the table.</p> <p>The user model looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'use strict'; const { Model } = require('sequelize'); module.exports = (sequelize, DataTypes) =&gt; { class User extends Model { /** * Helper method for defining associations. * This method is not a part of Sequelize lifecycle. * The `models/index` file will call this method automatically. */ static associate(models) { // define association here } }; User.init({ name: DataTypes.STRING, email: DataTypes.STRING, phone: DataTypes.STRING, password: DataTypes.STRING, status: DataTypes.STRING, last_login_at: DataTypes.DATE, last_ip_address: DataTypes.STRING }, { sequelize, modelName: 'User', }); return User; }; </code></pre> </div> <p>And migrations like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'use strict'; module.exports = { up: async (queryInterface, Sequelize) =&gt; { await queryInterface.createTable('Users', { id: { allowNull: false, autoIncrement: true, primaryKey: true, type: Sequelize.INTEGER }, name: { type: Sequelize.STRING }, email: { type: Sequelize.STRING }, phone: { type: Sequelize.STRING }, password: { type: Sequelize.STRING }, status: { type: Sequelize.STRING }, last_login_at: { type: Sequelize.DATE }, last_ip_address: { type: Sequelize.STRING }, createdAt: { allowNull: false, type: Sequelize.DATE }, updatedAt: { allowNull: false, type: Sequelize.DATE } }); }, down: async (queryInterface, Sequelize) =&gt; { await queryInterface.dropTable('Users'); } }; </code></pre> </div> <p>Let's refactor the generated migration and model to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { Model } from 'sequelize'; export default (sequelize, DataTypes) =&gt; { class User extends Model { /** * Helper method for defining associations. * This method is not a part of Sequelize lifecycle. * The `models/index` file will call this method automatically. */ static associate(models) { // define association here } }; User.init({ name: DataTypes.STRING, email: DataTypes.STRING, phone: DataTypes.STRING, password: DataTypes.STRING, status: DataTypes.STRING, last_login_at: DataTypes.DATE, last_ip_address: DataTypes.STRING }, { sequelize, modelName: 'User', }); return User; }; </code></pre> </div> <p>and<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>export default { up: async (queryInterface, Sequelize) =&gt; { await queryInterface.createTable('Users', { id: { allowNull: false, autoIncrement: true, primaryKey: true, type: Sequelize.INTEGER }, name: { type: Sequelize.STRING }, email: { type: Sequelize.STRING }, phone: { type: Sequelize.STRING }, password: { type: Sequelize.STRING }, status: { type: Sequelize.STRING }, last_login_at: { type: Sequelize.DATE }, last_ip_address: { type: Sequelize.STRING }, createdAt: { allowNull: false, type: Sequelize.DATE }, updatedAt: { allowNull: false, type: Sequelize.DATE } }); }, down: async (queryInterface, Sequelize) =&gt; { await queryInterface.dropTable('Users'); } }; </code></pre> </div> <p>I like renaming the model name to use uppercase first and in some cases camel case.</p> <p>Since it's a user model we created and we have some protected fields, I'll quickly add a method to hide the fields on JSON response.</p> <p>Let's add some validations to the fields for user authentication with node js (express js).</p> <p>The model and migration will now look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { Model } from 'sequelize'; const PROTECTED_ATTRIBUTES = ['password']; export default (sequelize, DataTypes) =&gt; { class User extends Model { toJSON() { // hide protected fields const attributes = { ...this.get() }; // eslint-disable-next-line no-restricted-syntax for (const a of PROTECTED_ATTRIBUTES) { delete attributes[a]; } return attributes; } /** * Helper method for defining associations. * This method is not a part of Sequelize lifecycle. * The `models/index` file will call this method automatically. */ static associate(models) { // define association here } }; User.init({ name: DataTypes.STRING, email: { type: DataTypes.STRING, allowNull: { args: false, msg: 'Please enter your email address', }, unique: { args: true, msg: 'Email already exists', }, validate: { isEmail: { args: true, msg: 'Please enter a valid email address', }, }, }, phone: { type: DataTypes.STRING, unique: true, }, password: DataTypes.STRING, status: DataTypes.STRING, last_login_at: DataTypes.DATE, last_ip_address: DataTypes.STRING }, { sequelize, modelName: 'User', }); return User; }; </code></pre> </div> <p>and<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>export default { up: async (queryInterface, Sequelize) =&gt; { await queryInterface.createTable('Users', { id: { allowNull: false, autoIncrement: true, primaryKey: true, type: Sequelize.INTEGER }, name: { type: Sequelize.STRING }, email: { allowNull: false, unique: true, type: Sequelize.STRING, }, phone: { type: Sequelize.STRING, unique: true, }, password: { type: Sequelize.STRING }, status: { type: Sequelize.STRING }, last_login_at: { type: Sequelize.DATE }, last_ip_address: { type: Sequelize.STRING }, createdAt: { allowNull: false, type: Sequelize.DATE }, updatedAt: { allowNull: false, type: Sequelize.DATE } }); }, down: async (queryInterface, Sequelize) =&gt; { await queryInterface.dropTable('Users'); } }; </code></pre> </div> <p>We have to refactor any model and migration we create in the future to look like this.</p> <ul> <li>Next, we run the migration to create the DB tables: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequelize db:migrate </code></pre> </div> <p>Our database is now created.</p> <h4> Route and Controllers </h4> <p>Let's create route and controllers to be able to interact with our database.</p> <ul> <li>Create a <code>controllers</code> folder in <code>src</code> and add <code>AuthController.js</code> file to it. That's where our user management logic will reside.</li> </ul> <p>Add the following code to create user sign up controller logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { Op } from 'sequelize'; import model from '../models'; const { User } = model; export default { async signUp(req, res) { const {email, password, name, phone} = req.body; try { const user = await User.findOne({where: {[Op.or]: [ {phone}, {email} ]}}); if(user) { return res.status(422) .send({message: 'User with that email or phone already exists'}); } await User.create({ name, email, password, phone, }); return res.status(201).send({message: 'Account created successfully'}); } catch(e) { console.log(e); return res.status(500) .send( {message: 'Could not perform operation at this time, kindly try again later.'}); } } } </code></pre> </div> <p>Ideally, you will have to encrypt (hash) the user's password before storing it in the DB.</p> <p>Create the route folder with index.js file inside and add the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import AuthController from '../controllers/AuthController' export default (app) =&gt; { app.post('/register', AuthController.signUp); // Create a catch-all route for testing the installation. app.all('*', (req, res) =&gt; res.status(200).send({ message: 'Hello World!', })); }; </code></pre> </div> <p>Notice that we have transferred the first route we created here.<br> Our top level index.js file will now look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import express from 'express'; import route from './src/routes' const app = express(); app.use(express.urlencoded({ extended: true })); app.use(express.json()); route(app); const port = 5000; app.listen(port, () =&gt; { console.log('App is now running at port ', port) }) </code></pre> </div> <h4> Restart the server and use postman to test the API. </h4> <p>That's basically how I setup Express JS REST API, Postgres, and Sequelize ORM with ES6+.</p> <p>See the code on github <a href="https://github.com/richienabuk/express-js-postgres-sequelize">here</a>.</p> <p>If you have any concerns, kindly raise them in the comment section below.</p> <blockquote> <p>I wrote this tutorial as a foundation for an article I want to publish on <a href="https://dev.to/richienabuk/how-to-implement-dynamic-role-based-access-control-rbac-in-express-js-rest-api-54fe">how to implement dynamic Role-based Access Control (RBAC) in Express JS</a> where an admin can assign multiple roles to a user and a role can have multiple permissions.</p> </blockquote> <p>Update: <a href="https://dev.to/richienabuk/how-to-implement-dynamic-role-based-access-control-rbac-in-express-js-rest-api-54fe">How to implement dynamic Role-based Access Control (RBAC) in Express JS REST API</a></p> node sequelizejs postgres express