
I have an internal Web API which exposes JSON. I would like to expose some of the features based on roles of the authenticated user (or machine) from JWT or API-key.

E.g. an internal API where filter.customerId.eq and filter.vendorId.eq are optional query parameters:

GET /orders?filter.customerId.eq=customer1&filter.vendorId.eq=vendorA

{
  "items": [
    {
      "createdAt": "2022-12-12",
      "customerId": "customer1",
      "vendorId": "vendorA"
    },
    {
      "createdAt": "2022-01-22",
      "customerId": "customer1",
      "vendorId": "vendorA"
    }
  ]
}

External API for role CUSTOMER should require query parameter filter.customerId.eq=<ID_OF_AUTHENTICATED_USER>

E.g. GET /orders?filter.customerId.eq=customer1

{
  "items": [
    {
      "createdAt": "2019-02-21",
      "customerId": "customer1",
      "vendorId": "vendorA"
    },
    {
      "createdAt": "2022-01-22",
      "customerId": "customer1",
      "vendorId": "vendorB"
    },
    {
      "createdAt": "2022-08-08",
      "customerId": "customer1",
      "vendorId": "vendorC"
    }
  ]
}

External API for role VENDOR should require query parameter filter.vendorId.eq=<ID_OF_AUTHENTICATED_USER>

E.g. GET /orders?filter.vendorId.eq=vendorA

{
  "items": [
    {
      "createdAt": "2019-04-01",
      "customerId": "customer999",
      "vendorId": "vendorA"
    },
    {
      "createdAt": "2022-01-22",
      "customerId": "customer1",
      "vendorId": "vendorA"
    },
    {
      "createdAt": "2022-01-22",
      "customerId": "customer4",
      "vendorId": "vendorA"
    }
  ]
}

I want to be able to declare the permissions on field level (e.g. in JSON Schema format) to reuse my API endpoint and avoid writing new code (or service, endpoints...) for new roles.

I have built a similar solution. But is there any product, service or open source lib which can do this for me? The API is written in Java and I use MongoDB/Postgres as database.
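As an added example (not the asker's code and not any library's), here is the role-scoped filter check the question describes, in Python rather than the asker's Java: a small declarative policy pins one query parameter per external role to a JWT claim, and the handler refuses a filter that names a different principal instead of quietly rewriting it. The policy format, the claim names (`role`, `sub`) and the sample orders are all assumed or constructed for this example.

```python
# Constructed sample data modelled on the orders in the question.
ORDERS = [
    {"createdAt": "2019-02-21", "customerId": "customer1", "vendorId": "vendorA"},
    {"createdAt": "2022-01-22", "customerId": "customer1", "vendorId": "vendorB"},
    {"createdAt": "2019-04-01", "customerId": "customer999", "vendorId": "vendorA"},
]

# Declarative policy (assumed format, not a real library's): which query
# parameter each external role must have pinned to which JWT claim.
POLICY = {
    "CUSTOMER": {"param": "filter.customerId.eq", "claim": "sub"},
    "VENDOR": {"param": "filter.vendorId.eq", "claim": "sub"},
}

class Forbidden(Exception):
    pass

def enforce_scoped_filter(claims: dict, query: dict) -> dict:
    """Return the query the backend may run, or raise Forbidden.
    INTERNAL callers pass through; other roles get the policy's filter
    pinned to their own id. Asking for another id is rejected, not rewritten,
    so the attempt shows up in logs instead of silently succeeding."""
    role = claims.get("role")
    if role == "INTERNAL":
        return dict(query)
    rule = POLICY.get(role)
    if rule is None:
        raise Forbidden(f"no policy for role {role!r}")
    owner = claims.get(rule["claim"])
    if not owner:
        raise Forbidden("token lacks the claim the policy pins to")
    supplied = query.get(rule["param"])
    if supplied is not None and supplied != owner:
        raise Forbidden("filter does not match the authenticated principal")
    return {**query, rule["param"]: owner}

def apply_filters(orders: list, query: dict) -> list:
    """Toy stand-in for the Mongo/Postgres query: handles *.eq filters only."""
    result = orders
    for key, value in query.items():
        if key.startswith("filter.") and key.endswith(".eq"):
            field = key[len("filter."):-len(".eq")]
            result = [o for o in result if o.get(field) == value]
    return result

def list_orders(claims: dict, query: dict) -> list:
    """The /orders handler: authorise the filter, then execute it."""
    return apply_filters(ORDERS, enforce_scoped_filter(claims, query))
```

Because the pinned value always comes from the verified token and never from the request, a CUSTOMER caller cannot widen the query by omitting the parameter, and the same handler serves every role listed in the policy table.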

0 Answers