I'm using sails.js and I can use the API to modify data in MongoDB, for example create a new user, modify users, etc. How do I prohibit access to the API for unauthorized users?

mgicrush

2 Answers

Quite a bit to get into here, so without any further background information, in short you will need:

  • Policies: These are functions which execute when a route, e.g. /api/view, is called. They can ensure a valid user is stored in your session before allowing access to the route's controller logic.

  • Authentication system: Someone has mentioned passportjs. Personally I would create my own user model, user controller and views in order to sign up, login, forgotten password someone. Why? Because you need to learn at some point how sails works with authentication, sessions, policies and other processes. In short, create a user model to store info of your user, maybe have an oncreate method which encrypts a password before the user record is saved as new. Create a user controller which manages login, logout, registration and forgotten passwords. Create routes to each of these controller actions; a login view would call your login action in the controller and find a user model, comparing the given password against the stored encrypted password.

  • Session management: Once a user is logged in or logged out you need to manage their "session". Put simply, if you don't manage sessions a user will keep having to login as the system won't remember them. This is quite easy to do in sails and I recommend reading: http://sailsjs.org/documentation/concepts/sessions To keep it simple, when a user logs in you will set a session variable such as req.session.User.id = 1 and when you want them logged out you can nullify the session, which forces them to go back to the login page.

  • Back to Policies: I mentioned these before, but a policy is where you will check the session to see if they are authorised to view each controller action. This means you can be really granular in detail about what actions they can and can't utilise. Policy examples can be found here: http://sailsjs.org/documentation/concepts/policies In my policy I simply have a LoggedIn function that checks a user has a valid session and if not sends them to a login route. This basic protection stops people viewing what they shouldn't without being logged in.

  • Blueprint routes/actions: You will need to turn off the inbuilt blueprints that sails has turned on by default. These are great in development when you want to read/write/delete items from your database via the API interface, but in production this is dangerous and you will want policies to do the work along with sessions. To turn off blueprints view the guide here: http://sailsjs.org/documentation/anatomy/my-app/config/blueprints-js See how they are all mostly set to true? Read the comments for each item and decide if that needs to be switched to false.

If you need any further help on any aspect of this just let me know. Be as specific as you can as it helps a lot. I recommend taking a look at "Sails in Action"; it's an ebook which covers this information really clearly, with example code too!

munkee
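The policy-plus-session approach in the answer above, as an added, self-contained example (not code from the answer or from the Sails project): a Sails-style policy that gates controller actions on req.session.User, a config/policies.js-shaped map with a deny-by-default '*' entry, a config/blueprints.js-shaped map with the blueprint routes switched off, and a small resolver that applies the policy map the way Sails does (action entry, then the controller's '*', then the global '*'; true allows, false denies). The policy name isAuthenticated, the controller and action names, and the sample requests are assumptions constructed for this example.

```javascript
// Added example, not from the answer or from Sails itself. The policy and
// config shapes follow the Sails conventions referenced in the answer; the
// names isAuthenticated, UserController, ProductController and the sample
// requests below are assumptions made for illustration.

// api/policies/isAuthenticated.js (assumed file name). Sails calls a policy
// with (req, res, next); calling next() lets the request reach the action.
function isAuthenticated(req, res, next) {
  // The answer stores the logged-in user in the session, e.g. req.session.User.id = 1
  if (req.session && req.session.User && req.session.User.id) {
    return next();
  }
  // API clients get a 403 with no detail; browsers are sent to the login page
  if (req.wantsJSON) {
    return res.forbidden('You must be logged in.');
  }
  return res.redirect('/login');
}

// config/policies.js (assumed contents): deny everything by default, then
// open only the actions that must be reachable anonymously.
const policies = {
  '*': 'isAuthenticated',
  UserController: {
    '*': 'isAuthenticated',
    login: true,
    create: true,          // registration
    forgotPassword: true,
  },
};

// config/blueprints.js (assumed contents): the three blueprint switches the
// answer tells you to turn off in production.
const blueprints = { actions: false, rest: false, shortcuts: false };

// Minimal resolver mirroring Sails' lookup order for a controller action.
// Returns a list of policy names; [] means allow, [false] means deny.
function resolvePolicies(config, controller, action) {
  const ctrl = config[controller];
  let entry;
  if (ctrl && typeof ctrl === 'object') {
    entry = ctrl[action] !== undefined ? ctrl[action] : ctrl['*'];
  }
  if (entry === undefined) entry = config['*'];
  if (entry === true || entry === undefined) return [];
  if (entry === false) return [false];
  return Array.isArray(entry) ? entry : [entry];
}

// Run the resolved policy chain for a request. Returns 'allowed',
// 'forbidden' or 'redirect:<path>' so the outcome is easy to check.
const registry = { isAuthenticated };

function handle(config, controller, action, req) {
  const chain = resolvePolicies(config, controller, action);
  let outcome = 'allowed';
  const res = {
    forbidden: () => { outcome = 'forbidden'; },
    redirect: (path) => { outcome = 'redirect:' + path; },
  };
  for (const policyName of chain) {
    if (policyName === false) return 'forbidden';
    let passed = false;
    registry[policyName](req, res, () => { passed = true; });
    if (!passed) return outcome;   // the policy already responded
  }
  return outcome;
}

// Constructed sample requests: an anonymous API client and a logged-in one.
const anonymousApi = { session: {}, wantsJSON: true };
const loggedInApi = { session: { User: { id: 1 } }, wantsJSON: true };
console.log(handle(policies, 'UserController', 'login', anonymousApi));   // allowed
console.log(handle(policies, 'UserController', 'update', anonymousApi));  // forbidden
console.log(handle(policies, 'UserController', 'update', loggedInApi));   // allowed
console.log(handle(policies, 'ProductController', 'find', anonymousApi)); // forbidden
```

The global '*' entry is what protects models you have not written a controller for, which is exactly where the blueprint REST routes would otherwise expose create/update/destroy to anyone; with blueprints off and this default in place, a new model is unreachable until you deliberately open an action.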

You can try my example.

And change what you want to be authorized in config/policies.js. Example:

    // config/policies.js
    module.exports.policies = {
      'MyController': {
        '*': 'isAuthenticated'   // every action of MyController runs api/policies/isAuthenticated.js first
      }
    };
Makah