{"id":19737965,"url":"https://github.com/devsu/condor-authorize","last_synced_at":"2026-04-16T14:04:22.621Z","repository":{"id":57205258,"uuid":"90177523","full_name":"devsu/condor-authorize","owner":"devsu","description":"Authorization middleware for Condor. GRPC microservices in node made easy.","archived":false,"fork":false,"pushed_at":"2017-05-03T18:05:36.000Z","size":10,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-06-09T14:17:10.501Z","etag":null,"topics":["authorization","condor","condor-framework","grpc","middleware","nodejs"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devsu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-05-03T17:52:47.000Z","updated_at":"2018-09-28T13:59:15.000Z","dependencies_parsed_at":"2022-09-12T22:50:52.336Z","dependency_job_id":null,"html_url":"https://github.com/devsu/condor-authorize","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/devsu/condor-authorize","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsu%2Fcondor-authorize","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsu%2Fcondor-authorize/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsu%2Fcondor-authorize/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsu%2Fcondor-authorize/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devsu","download_url":"htt
ps://codeload.github.com/devsu/condor-authorize/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsu%2Fcondor-authorize/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264604813,"owners_count":23635940,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","condor","condor-framework","grpc","middleware","nodejs"],"created_at":"2024-11-12T01:12:54.626Z","updated_at":"2026-04-16T14:04:22.594Z","avatar_url":"https://github.com/devsu.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# condor-authorize\n\nAn authorization Middleware for [Condor](http://condorjs.com). 
**Condor** is a [GRPC Framework for node](https://github.com/devsu/condor-framework).\n\n[![Build Status](https://travis-ci.org/devsu/condor-authorize.svg?branch=master)](https://travis-ci.org/devsu/condor-authorize)\n[![Coverage Status](https://coveralls.io/repos/github/devsu/condor-authorize/badge.svg?branch=master)](https://coveralls.io/github/devsu/condor-authorize?branch=master)\n\nThis module controls access to **GRPC methods**, based on the **access rules** defined.\n\n## Installation\n\n```bash\nnpm i --save condor-framework condor-authorize\n```\n\n## How to use\n\n### Role-based authorization\n\nJust two steps:\n\n- Create a method that returns the roles / permissions the caller has.\n- Define the [access rules](#access-rules)\n\n```js\nconst Condor = require('condor-framework');\nconst jwt = require('condor-jwt');\nconst authorize = require('condor-authorize');\nconst Greeter = require('./greeter');\n\nconst jwtOptions = {\n  // example value only; load the real secret or public key from configuration\n  'secretOrPublicKey': 'shhhhhh',\n  'passthrough': true,\n};\n\nconst authorizeOptions = {\n  'getPermissions': (context) =\u003e {\n    // do your magic here to obtain the permissions/roles from\n    // the token (or from anywhere else).\n    // You just need to return an array of strings.\n    return ['user', 'admin', 'another-string:my-permission'];\n  },\n};\n\nconst app = new Condor()\n  .addService('./protos/greeter.proto', 'myapp.Greeter', new Greeter())\n  .use(jwt(jwtOptions))\n  .use(authorize(authorizeOptions))\n  .start();\n```\n\nAs you can see, the example above uses [condor-jwt](https://github.com/devsu/condor-jwt) to decode and verify a JWT token. 
The token will then be accessible in `context.token`.\n\n### Any other strategy\n\nIf you need more advanced authorization rules, you can skip the `getPermissions` method and just use **custom validators** when defining the [access rules](#access-rules).\n\n```js\nconst Condor = require('condor-framework');\nconst authorize = require('condor-authorize');\nconst Greeter = require('./greeter');\n\nconst app = new Condor()\n  .addService('./protos/greeter.proto', 'myapp.Greeter', new Greeter())\n  .use(authorize())\n  .start();\n```\n\n## Access Rules\n\nBy default, the middleware will try to read the access rules from `access-rules.js`.\n\nThe rules file should export an object with the full names of the services as keys. You can also have a `default` key.\n\n### Rules Example\n\nThis example shows the available options:\n\n```js\nmodule.exports = {\n  'default': '$authenticated',\n  'myapp.Greeter': {\n    'sayHello': 'special',\n    'sayHelloOther': 'another:special',\n    'sayHelloCustom': customValidation,\n    'sayHelloPublic': '$anonymous',\n    'sayHelloMultiple': ['special', 'realm:admin', customValidation],\n  },\n};\n\n// Custom validator: receives the call context, returns true to allow the call.\nfunction customValidation (ctx) {\n  if (!ctx.token) {\n    return false; // no token on the context: deny access\n  }\n  if (ctx.token.payload.someKey === 'someValue' \u0026\u0026 ctx.metadata.get('anotherKey')[0] === 'anotherValue') {\n    return true; // allow to continue\n  }\n  return false; // deny access\n}\n```\n\nUsing these rules, we're telling the application:\n\n- By default, for every method not defined in the file, the user must be authenticated (without taking into account any roles).\n- `sayHello` requires the user to have the `special` permission/role.\n- `sayHelloOther` requires the user to have the `another:special` permission/role.\n- `sayHelloCustom` access will be calculated by the `customValidation` method.\n- `sayHelloPublic` will be public (`$anonymous`).\n- `sayHelloMultiple` shows how you can pass not only one but an array of options to authorize the call. 
In this example, to authorize the method we are requiring any of these 3 conditions:\n\n  - The user to have the `special` permission/role.\n  - The user to have the `realm:admin` permission/role.\n  - The `customValidation` method to return true.\n\n### Rules Available\n\n#### $anonymous and $authenticated\n\nYou can use `$authenticated` to require a user to be authenticated before accessing the method (without verifying any roles). By default a user is considered authenticated when the token received in the metadata is valid.\n\nOn the other hand, you can use `$anonymous` to make a resource public. If you are using [condor-jwt](https://github.com/devsu/condor-jwt), make sure to use the `passthrough` option; otherwise the call will never reach this middleware, and authorization won't be performed.\n\n#### String with the role/permission\n\nIt will be matched against the array returned by the `getPermissions` method.\n\n#### Custom Validators\n\nIf you need some specific logic to authorize/deny access, just pass the function that must perform the validation (make sure to pass the actual function, not only the function name).\n\nThe validation function will be called with two parameters: \n\n- `context`: The context being processed.\n\nThe validation function must return a truthy value to allow access. Any falsy value will deny access.\n\n#### Multiple options for a method\n\nYou can pass not only one option, but an array of options to authorize the call. If any of them passes, the call will be authorized.\n\n#### How to require two roles/permissions? (use AND instead of OR)\n\nYou can use custom validation functions that do exactly what you want. 
You can have, for example, something like this:\n\n```js\nmodule.exports = {\n  'default': '$authenticated',\n  'myapp.Greeter': {\n    'sayHelloCustom': tokenHasAllRoles('special', 'admin'),\n  },\n};\n\n// Returns a validator that allows the call only if the token carries every listed role.\nfunction tokenHasAllRoles(...roles) {\n  return (context) =\u003e {\n    // Deny when there is no token or the payload has no roles array\n    const granted = context.token \u0026\u0026 context.token.payload.roles;\n    if (!Array.isArray(granted)) {\n      return false;\n    }\n    // Verify that the token has all the roles\n    return roles.every((role) =\u003e granted.includes(role));\n  };\n}\n```\n\n## Options\n\nAll values are optional. Their default values are:\n\n| Option             | Description                                                                                                        |\n|--------------------|--------------------------------------------------------------------------------------------------------------------|\n| rulesFile          | The path to the rules file. Default is `access-rules.js`                                                           |\n| rules              | The access rules to use (can be used instead of rulesFile)                                                         |\n| getPermissions     | Method to determine the permissions from the context. It receives the context, and must return (or resolve with) an array of strings.|\n| isAuthenticated    | Method to determine if a user is authenticated. It receives the context, and must return (or resolve with) true/false. By default it will consider a call authenticated if context.token is set, false otherwise.|\n\n## License and Credits\n\nMIT License. Copyright 2017 \n\nBuilt by the [GRPC experts](https://devsu.com) at Devsu.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevsu%2Fcondor-authorize","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevsu%2Fcondor-authorize","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevsu%2Fcondor-authorize/lists"}