Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cerbos/express-mongoose-cerbos
An example application of integrating Cerbos with an Express server using Mongoose as the ORM.
https://github.com/cerbos/express-mongoose-cerbos
Last synced: 6 days ago
JSON representation
An example application of integrating Cerbos with an Express server using Mongoose as the ORM.
- Host: GitHub
- URL: https://github.com/cerbos/express-mongoose-cerbos
- Owner: cerbos
- License: apache-2.0
- Created: 2023-07-19T15:53:06.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-12-16T03:19:15.000Z (19 days ago)
- Last Synced: 2024-12-20T07:44:06.104Z (14 days ago)
- Language: TypeScript
- Size: 436 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# express-mongoose-cerbos
An example application of integrating [Cerbos](https://cerbos.dev) with an [Express](https://expressjs.com/) server using [Mongoose](https://mongoosejs.com/) as the ORM. Cerbos helps you super-charge your authorization implementation by writing context-aware access control policies for your application resources. Author access rules using an intuitive YAML configuration language, use your Git-ops infrastructure to test and deploy them and, make simple API requests to the Cerbos PDP to evaluate the policies and make dynamic access decisions.
## Dependencies
- Node.js
- MongoDB 7.0
- Docker for running the [Cerbos Policy Decision Point (PDP)](https://docs.cerbos.dev/cerbos/installation/container.html)
## Getting Started
1. Install node dependencies
```bash
npm install
```
2. Start up the Cerbos PDP instance docker container. This will be called by the express app to check authorization.
```bash
./cerbos/start.sh
```
3. Start up Mongo
```bash
npm run mongo
```
4. Start the express server
```bash
npm run dev
```
## Seed Users
The seed command will create the following users in the database. Authentication is done via Basic authentication using the following credentials. The Role and Department is loaded from the database after successful authentication.
| ID | Username | Password | Role | Department |
| --- | -------- | ------------ | ----- | ---------- |
| 1 | alice | supersecret | Admin | IT |
| 2 | john | password1234 | User | Sales |
| 3 | sarah | asdfghjkl | User | Sales |
| 4 | geri | pwd123 | User | Marketing |
## Policies
This example has a simple CRUD policy in place for a resource kind of `contact` - like a CRM system would have. The policy file can be found in the `cerbos/policies` folder [here](https://github.com/cerbos/express-mongoose-cerbos/blob/main/cerbos/policies/contact.yaml).
Should you wish to experiment with this policy, you can try it in the Cerbos Playground.
The [policy](./cerbos/policies/contact.yaml) expects one of two roles to be set on the principal - `admin` and `user` and an attribute which defines their department as either `IT`, `Sales` or `Marketing`.
These roles are authorized as follows:
| Action | Role: User | Role: Admin |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| `read` | If they own the contact, the contact is active and the department is `Sales`, or the contact is active, they are in `Marketing` and `marketingOptIn` is true. | Y |
| `create` | Only if department is `Sales` | Y |
| `update` | Only if they own the contact being accessed | Y |
| `delete` | Only if they own the contact being accessed | Y |
## Example Requests
### Get all contact
As a Admin user => `200 OK` with all contacts
```
curl -i http://alice:supersecret@localhost:3000/contacts
```
As a Sales user => `200 OK` with filtered results
```
curl -i http://john:password1234@localhost:3000/contacts
```
As a Marketing user => `200 OK` with filtered results
```
curl -i http://geri:pwd123@localhost:3000/contacts
```