Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/venuu/jsonapi-authorization
Authorization for JSONAPI::Resource
https://github.com/venuu/jsonapi-authorization
authorization json-api jsonapi-authorization jsonapi-resources pundit
Last synced: 5 days ago
JSON representation
Authorization for JSONAPI::Resource
- Host: GitHub
- URL: https://github.com/venuu/jsonapi-authorization
- Owner: venuu
- License: mit
- Created: 2016-01-22T08:59:58.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2024-07-24T15:55:23.000Z (4 months ago)
- Last Synced: 2024-10-31T15:08:54.498Z (8 days ago)
- Topics: authorization, json-api, jsonapi-authorization, jsonapi-resources, pundit
- Language: Ruby
- Homepage: http://www.rubydoc.info/github/venuu/jsonapi-authorization
- Size: 301 KB
- Stars: 132
- Watchers: 10
- Forks: 59
- Open Issues: 16
-
Metadata Files:
- Readme: README-old.md
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-starred - venuu/jsonapi-authorization - Authorization for JSONAPI::Resource (others)
README
# JSONAPI::Authorization
[](https://travis-ci.com/venuu/jsonapi-authorization) [](https://rubygems.org/gems/jsonapi-authorization)
**NOTE:** This README is the documentation for `JSONAPI::Authorization`. If you are viewing this at the
[project page on Github](https://github.com/venuu/jsonapi-authorization) you are viewing the documentation for the `master`
branch. This may contain information that is not relevant to the release you are using. Please see the README for the
[version](https://github.com/venuu/jsonapi-authorization/releases) you are using.
---
`JSONAPI::Authorization` adds authorization to the [jsonapi-resources][jr] (JR) gem using [Pundit][pundit].
[jr]: https://github.com/cerebris/jsonapi-resources "A resource-focused Rails library for developing JSON API compliant servers."
[pundit]: https://github.com/elabs/pundit "Minimal authorization through OO design and pure Ruby classes"
The core design principle of `JSONAPI::Authorization` is:
**Prefer being overly restrictive rather than too permissive by accident.**
What follows is that we want to have:
1. Whitelist over blacklist -approach for authorization
2. Fall back on a more strict authorization
## Caveats
Make sure to test for authorization in your application, too. We should have coverage of all operations, though. If that isn't the case, please [open an issue][issues].
If you're using custom processors, make sure that they extend `JSONAPI::Authorization::AuthorizingProcessor`, or authorization will not be performed for that resource.
This gem should work out-of-the box for simple cases. The default authorizer might be overly restrictive for cases where you are touching relationships.
**If you are modifying relationships**, you should read the [relationship authorization documentation](docs/relationship-authorization.md).
## Installation
Add this line to your application's Gemfile:
```ruby
gem 'jsonapi-authorization'
```
And then execute:
$ bundle
Or install it yourself as:
$ gem install jsonapi-authorization
## Compatibility
* `v0.6.x` supports JR `v0.7.x`
* `v0.8.x` supports JR `v0.8.x`
* Later releases support JR `v0.9.x`
* **JR `v0.10.x` is NOT SUPPORTED.** See https://github.com/venuu/jsonapi-authorization/issues/64 for more details and to offer help.
We aim to support the same Ruby and Ruby on Rails versions as `jsonapi-resources` does. If that's not the case, please [open an issue][issues].
## Versioning and changelog
`jsonapi-authorization` follows [Semantic Versioning](https://semver.org/). We prefer to make more major version bumps when we do changes that are likely to be backwards incompatible. That holds true even when it's likely the changes would be backwards compatible for a majority of our users.
Given the nature of an authorization library, it is likely that most changes are major version bumps.
Whenever we do changes, we strive to write good changelogs in the [GitHub releases page](https://github.com/venuu/jsonapi-authorization/releases).
## Usage
First make sure you have a Pundit policy specified for every backing model that your JR resources use.
Hook up this gem as the default processor for JR, and optionally allow rescuing from `Pundit::NotAuthorizedError` to output better errors for unauthorized requests:
```ruby
# config/initializers/jsonapi-resources.rb
JSONAPI.configure do |config|
config.default_processor_klass = JSONAPI::Authorization::AuthorizingProcessor
config.exception_class_whitelist = [Pundit::NotAuthorizedError]
end
```
Make all your JR controllers specify the user in the `context` and rescue errors thrown by unauthorized requests:
```ruby
class BaseResourceController < ActionController::Base
include JSONAPI::ActsAsResourceController
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
private
def context
{user: current_user}
end
def user_not_authorized
head :forbidden
end
end
```
Have your JR resources include the `JSONAPI::Authorization::PunditScopedResource` module.
```ruby
class BaseResource < JSONAPI::Resource
include JSONAPI::Authorization::PunditScopedResource
abstract
end
```
### Policies
To check whether an action is allowed JSONAPI::Authorization calls the respective actions of your pundit policies
(`index?`, `show?`, `create?`, `update?`, `destroy?`).
For relationship operations by default `update?` is being called for all affected resources.
For a finer grained control you can define methods to authorize relationship changes. For example:
```ruby
class ArticlePolicy
# (...)
def add_to_comments?(new_comments)
record.published && new_comments.all? { |comment| comment.author == user }
end
def replace_comments?(new_comments)
allowed = record.comments.all? { |comment| new_comments.include?(comment) || add_to_comments?([comment])}
allowed && new_comments.all? { |comment| record.comments.include?(comment) || remove_from_comments?(comment) }
end
def remove_from_comments?(comment)
comment.author == user || user.admin?
end
end
```
For thorough documentation about custom policy methods, check out the [relationship authorization docs](docs/relationship-authorization.md).
## Configuration
You can use a custom authorizer class by specifying a configure block in an initializer file. If using a custom authorizer class, be sure to require them at the top of the initializer before usage.
```ruby
JSONAPI::Authorization.configure do |config|
config.authorizer = MyCustomAuthorizer
end
```
By default JSONAPI::Authorization uses the `:user` key from the JSONAPI context hash as the Pundit user. If you would like to use `:current_user` or some other key, it can be configured as well.
```ruby
JSONAPI::Authorization.configure do |config|
config.pundit_user = :current_user
# or a block can be provided
config.pundit_user = ->(context){ context[:current_user] }
end
```
## Troubleshooting
### "Unable to find policy" exception for a request
The exception might look like this for resource class `ArticleResource` that is backed by `Article` model:
```
unable to find policy `ArticlePolicy` for `Article'
```
This means that you don't have a policy class created for your model. Create one and the error should go away.
## Development
After checking out the repo, run `bundle install` to install dependencies. Then, run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
## Credits
Originally based on discussion and code samples by [@barelyknown](https://github.com/barelyknown) and others in [cerebris/jsonapi-resources#16](https://github.com/cerebris/jsonapi-resources/issues/16).
## Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/venuu/jsonapi-authorization.
[issues]: https://github.com/venuu/jsonapi-authorization/issues
## Contributors
Thanks goes to these wonderful people ([emoji key](https://github.com/kentcdodds/all-contributors#emoji-key)):
Vesa Laakso
π» π π β οΈ π π¬ π
Emil SΓ₯gfors
π» π π β οΈ π π¬ π
Matthias Grundmann
π» π β οΈ π¬
Thibaud Guillaume-Gentil
π»
Daniel SchweighΓΆfer
π»
Bruno Sofiato
π»
Adam Robertson
π
Greg Fisher
π» β οΈ
Sam
π» β οΈ
Justas Palumickas
π π» β οΈ
Nicholas Rutherford
π» β οΈ π
Matthijsy
π β οΈ π»
brianswko
π β οΈ π»
This project follows the [all-contributors](https://github.com/kentcdodds/all-contributors) specification. Contributions of any kind welcome!