Authorization can be enabled by using the @plumier/jwt package and plugging JwtAuthFacility into the Plumier application.
JwtAuthFacility uses the secret passed to it, falling back to the environment variable named PLUM_JWT_SECRET; if neither is provided an error will be thrown.
Plumier authorization uses standard token-based authentication with JSON Web Tokens; internally it uses the koa-jwt middleware.
To be able to authorize users, you need to put a role field in the JSON Web Token when you sign it during the login process.
The value of the role can be a string or an array of strings; these are the values the @authorize decorators compare against.
JwtAuthFacility will look for a role field in your signed token. If you don't want to use a field named role in the signed token, specify roleField with the name of the field in your token.
Example, your role field in the signed token is
Specify the field name on the
If you need real-time access to the role instead of reading it from the token claim (otherwise a change to a user's role only takes effect once the old token has expired), you can provide a function that looks the role up on every request. Keep in mind that this trick makes every request touch the database, which will impact performance:
By default, once JwtAuthFacility is applied all routes are secured, meaning an end user who accesses your API without a token will receive 403.
You can also make public access the global default if you prefer.
To make a specific route accessible by the public, use @authorize.public(); it allows access to all users, including users without a token.
Authorize access to a specific route using @authorize.route(<list of role>)
Decorating actions one by one is cumbersome; you can apply the @authorize decorator on the controller to apply the authorization to all routes it contains.
From a controller-scoped authorization you can specify which actions it applies to by setting the action option, like below
If both the controller and the action are decorated with @authorize, the action's authorization replaces the controller's.
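The precedence rules above (action decorator over controller decorator, the controller's action option, the facility's secured-by-default or global-public setting, and the 403/401 split), as an added example that is not Plumier's code: a plain function over the metadata the decorators would leave on each route. The route record shape, the sample users controller and the names effectivePolicy, authorizeRequest and outcomes are this example's own assumptions that only mimic the observable behaviour described in the text.

```javascript
// Each route carries the authorization attached on its controller (with an
// optional action filter) and on the action itself. A value is one of
//   { public: true }                      (@authorize.public())
//   { roles: [...], action?: [...] }      (@authorize.route(...), action option)
// Missing entries mean "no decorator" and fall through to the facility default.
function effectivePolicy(route, globalPublic = false) {
  if (route.action) return route.action;                         // action replaces controller
  const ctrl = route.controller;
  if (ctrl && (!ctrl.action || ctrl.action.includes(route.name))) return ctrl;
  return globalPublic ? { public: true } : { authenticated: true }; // facility default
}

// Decide the HTTP outcome. `user` is null when no token was sent, otherwise
// { roles: string[] } as resolved from the verified token.
function authorizeRequest(route, user, globalPublic = false) {
  const policy = effectivePolicy(route, globalPublic);
  if (policy.public) return 200;         // anyone, token or not
  if (!user) return 403;                 // secured route, no token
  if (policy.authenticated) return 200;  // any valid token is enough
  return policy.roles.some(r => user.roles.includes(r)) ? 200 : 401; // wrong role
}

// Constructed controller, written out as the metadata its decorators produce:
//   controller: @authorize.route("admin") with the action option ["save", "remove"]
//   list:       @authorize.public()
//   get:        no decorator
//   save:       no decorator (controller rule applies, it is in the action list)
//   remove:     @authorize.route("superadmin") (replaces the controller rule)
const ADMIN_ON_SAVE_REMOVE = { roles: ["admin"], action: ["save", "remove"] };
const usersRoutes = [
  { name: "list",   controller: ADMIN_ON_SAVE_REMOVE, action: { public: true } },
  { name: "get",    controller: ADMIN_ON_SAVE_REMOVE },
  { name: "save",   controller: ADMIN_ON_SAVE_REMOVE },
  { name: "remove", controller: ADMIN_ON_SAVE_REMOVE, action: { roles: ["superadmin"] } },
];

// Map of route name to status code for one caller, e.g. outcomes({ roles: ["admin"] }).
function outcomes(user, globalPublic = false) {
  return Object.fromEntries(usersRoutes.map(r => [r.name, authorizeRequest(r, user, globalPublic)]));
}
```

Note that an admin is still refused on remove: the action-level decorator replaces the controller's rule rather than adding to it, so the admin role no longer counts there.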
To get the logged-in user's information from within an action, use the @bind.user() parameter binding.
LoginUser is a class whose properties match the claims you put in the token when you signed it.
You can grant the right to pass a value to a parameter to specific roles only. This is useful when you want to restrict which API consumers may set a property of your domain without creating a new domain/method.
Using the code above, only an admin can disable the user; if the user doesn't have the admin role, Plumier will return 401 with an informative error result.
Applying the authorize decorator on a domain property automatically projects the returned data based on the client's role, as in the example below
Using the code above, the basePrice data will only be visible if the client has the admin role; otherwise it will not be returned.
Note that @reflect.type() is required to describe the return type of the action.
It is possible to restrict the authorization to only get (read) or write (set) access by using the corresponding decorator, like below
Using the code above, basePrice can only be set by admin and retrieved by both
You can make a parameter or model property filterable only by a specific role by using
With the code above, /items/list?filter[basePrice]=100 will be restricted to
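The three property-level checks above (projection of the response by role, refusing a request body that sets a restricted property, and refusing a filter on a restricted property), as an added example that is not Plumier's code. The schema object written out below stands in for what the read/write/filter decorators attach to the domain class; in Plumier the framework learns this from the action's declared return type (hence @reflect.type()), whereas here it is passed in explicitly. The function names projectForRoles, checkWritable and checkFilter, the item schema and the 401 result shape are this example's own assumptions.

```javascript
// Rules as the decorators would leave them on the Item domain class:
//   basePrice: readable, settable and filterable by admin only
//   disabled:  readable by anyone, settable by admin only
// A missing read/write/filter list means no restriction.
const itemSchema = {
  id: {},
  name: {},
  basePrice: { read: ["admin"], write: ["admin"], filter: ["admin"] },
  disabled: { write: ["admin"] },
};

// True when the property is unrestricted or one of the caller's roles is listed.
const allowed = (list, roles) => !list || list.some(r => roles.includes(r));

// Response projection: drop properties the caller may not read. Works on a
// single object or on an array of them (a list action returns the latter).
function projectForRoles(schema, data, roles) {
  if (Array.isArray(data)) return data.map(d => projectForRoles(schema, d, roles));
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    if (allowed((schema[key] || {}).read, roles)) out[key] = value;
  }
  return out;
}

// Request body check: refuse the whole request if it sets any property whose
// write list does not include one of the caller's roles (the page's 401 case).
function checkWritable(schema, body, roles) {
  for (const key of Object.keys(body)) {
    if (!allowed((schema[key] || {}).write, roles)) {
      return { status: 401, message: `Unauthorized to set property ${key}` };
    }
  }
  return { status: 200 };
}

// Query check: a filter[prop]=value parameter is only honoured when prop is
// filterable by one of the caller's roles. `query` is the parsed query string,
// e.g. { "filter[basePrice]": "100" } for /items/list?filter[basePrice]=100.
function checkFilter(schema, query, roles) {
  for (const key of Object.keys(query)) {
    const m = /^filter\[(\w+)\]$/.exec(key);
    if (m && !allowed((schema[m[1]] || {}).filter, roles)) {
      return { status: 401, message: `Unauthorized to filter by ${m[1]}` };
    }
  }
  return { status: 200 };
}
```

The write check fails closed on the first restricted property rather than silently dropping it, so a consumer who sends disabled: true without the admin role learns from the error message which property was refused instead of getting a 200 that did less than it asked.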
As mentioned above, by default all routes are secured when JwtAuthFacility is applied; you can override this default behavior by applying authorize on the JwtAuthFacility configuration like below: