Setting admin role using connect-roles & Passport.JS

Question

I am currently trying to set up an admin role in order to access a simple admin page using the following documentation provided via : connect-roles

I ave been banging my head against it for a while and am still lost on how to set a role E.G As of right now am pulling a admin value out of the DB and storing it in a global var for the time being but I have no idea how to use that with connect-roles say to only allow access to my admin page for a specific user.

Can anyone clarify or show an example on how to do this/some guidance as I documentation didn't help me to ensure access to a web page only if the user is an admin?

Ave posted some of the code kinda showing what it looks like at the moment.

Code

var admin = 'Admin';
var mysql = require('mysql');
var connection = mysql.createConnection({
    host : 'localhost',
    user : 'root',
    password : '',
    database : 'test'
  });
var passport = require('passport');
var ConnectRoles = require('connect-roles');
var roles = new ConnectRoles();
var passportLocal = require('passport-local');


  app.use(passport.initialize());
  app.use(passport.session());
  app.use(roles.middleware());

  passport.use(new passportLocal.Strategy(function (username, password, done) {
      connection.query({
        sql : 'SELECT * from `userman_users` WHERE `username`= ?AND`password` = sha1(?)',
        timeout : 40000, // 40s
        values : [username, password]
      }, function (error, results, rows) {
        if (results.length > 0) {
          response = "Success";
        } else {
          console.log('Error while performing Query.');
          response = "Failed";
        }
        if (response === "Success") {
          done(null, {
            id : username
          });
        } else if (response === "Failed") {
          done(null, null);
        }
      });

    })
  );

  passport.serializeUser(function (user, done) {
    done(null, user.id);
  });

  passport.deserializeUser(function (id, done) {
    done(null, {
      id : id
    });
  });

roles.use(function (req, action) {
  if (!req.isAuthenticated()) return action === 'access home page';
})

roles.use(function (req) {
  if (req.user.role === 'admin') {
    return true;
  }
});

  app.get('/', redirectToIndexIfLoggedIn, function (req, res) {
    res.render('login');
  });

  app.get('/index', checkLoggedIn, function (req, res) {
    res.render('index', {
      isAuthenticated : req.isAuthenticated(),
      user : req.user
    });
  });

app.get('/admin', user.can('access admin page'), function (req, res) {
  res.render('admin');
});

  function checkLoggedIn(req, res, next) {
    if (req.isAuthenticated())
      return next();
    res.redirect('/');
  }

score 5 · Accepted Answer · answered Feb 23 '16 at 18:52

this is an example:

var express = require('express');
...
var passport = require('passport');
var LocalStrategy = require('passport-local');
var ConnectRoles = require('connect-roles');

...
var app = express();

//===============PASSPORT=================

// Passport session setup.
passport.serializeUser(function(user, done) {
  console.log("serializing " + user.username);
  done(null, user);
});

passport.deserializeUser(function(obj, done) {
  console.log("deserializing " + obj);
  // simulate an admin user
  obj.role = obj.username == 'admin' ? 'admin' : 'user';
  done(null, obj);
});

...

//===============CONNECTION RULES=================

var user = new ConnectRoles({
  failureHandler: function (req, res, action) {
    // optional function to customise code that runs when
    // user fails authorisation
    var accept = req.headers.accept || '';
    res.status(403);
    if (~accept.indexOf('html')) {
      res.render('access-denied', {action: action});
    } else {
      res.send('Access Denied - You don\'t have permission to: ' + action);
    }
  }
});


...
app.use(passport.initialize());
app.use(passport.session());
app.use(user.middleware());


//anonymous users can only access the home page
//returning false stops any more rules from being
//considered
user.use(function (req, action) {
  if (!req.isAuthenticated()) return action === 'access home page';
});

//users logged can access to public pages
user.use(function(req, action){
    if(req.isAuthenticated() && action != 'access private page' && action != 'access admin page')
      return true;
});

//moderator users can access private page, but
//they might not be the only ones so we don't return
//false if the user isn't a moderator
user.use('access private page', function (req) {
  console.log('access private page');
  if (req.user.role === 'moderator') {
    return true;
  }
});

//admin users can access all pages
user.use(function (req) {
  if (req.user.role === 'admin') {
    return true;
  }
});


...


/* GET home page. */
app.get('/', user.can('access home page'), function(req, res, next) {
  res.render('index', { title: 'Express' });
});

//displays our signup page
app.get('/signin', function(req, res){
  res.render('signin');
});

//sends the request through our local signup strategy, and if successful takes     user to homepage, otherwise returns then to signin page
app.post('/local-reg', passport.authenticate('local-signup', {
  successRedirect: '/',
  failureRedirect: '/signin'
  })
);

//sends the request through our local login/signin strategy, and if successful    takes user to homepage, otherwise returns then to signin page
app.post('/login', passport.authenticate('local-signin', {
    successRedirect: '/',
    failureRedirect: '/signin'
  })
);

// Simple route middleware to ensure user is authenticated.
app.use(function(req, res, next) {
    if (req.isAuthenticated()) { return next(); }
      req.session.error = 'Please sign in!';
      res.redirect('/signin');
});

//logs user out of site, deleting them from the session, and returns to homepage
app.get('/logout', function(req, res){
  var name = req.user.username;
  console.log("LOGGIN OUT " + req.user.username)
  req.logout();
  res.redirect('/');
  req.session.notice = "You have successfully been logged out " + name + "!";
});

app.get('/private', user.can('access private page'), function (req, res) {
  res.render('private');
});

app.get('/admin', user.can('access admin page'), function (req, res) {
  res.render('admin');
});


app.use('/users', users);

....


module.exports = app;

With connect-rules you define the rules do you want to use (user.use in this case). If you pass an action as first parameter the strategy is only used if the action passed in the function is equal to it. Then you trigger the rules in the routes with user.can passing the action. In this example I define an extra filter strategy to grant access to users that are logged and request routes that are not marked with admin or moderator privileges e.g

/* GET home page. */
app.get('/', user.can('access home page'), function(req, res, next) {
  res.render('index', { title: 'Express' });
});

After the user is logged, we need to have another strategy in case the user isn't admin or moderator.

score 2 · Answer 2 · answered Feb 23 '16 at 16:36

2

U can use framework like sailsJS and npm module sails-generate-auth

And after setup, use your own middleware to block routes

//allow admin only  localhost:PORT/admin at policies.js
'admin': ['passport', 'sessionAuth', 'isAdmin'],
'*': ['passport', 'sessionAuth'],


//isAdmin policy
module.exports = function(req, res, next) {
// User is allowed, proceed to the next policy, 
// or if this is the last policy, the controller
if (req.user.role == 'admin') {
    return next();
}

// User is not allowed
return res.forbidden('You are not permitted to perform this action.');
};

answered Feb 23 '16 at 16:36

mikrafizik

349
1
10

I will look into it, thanks for the suggestion but ideally at the moment I want to use what I am currently, no experience with sailsJS but ill look into it. – Studento919 Feb 23 '16 at 17:15
Look here, i think it will help you http://stackoverflow.com/questions/11321635/nodejs-express-what-is-app-use – mikrafizik Feb 23 '16 at 18:31

score 1 · Answer 3 · answered Jun 15 '16 at 09:45

Using the following logic I was able to have admin functionality based on value within the DB:

app.get('/admin', function (req, res) {
        connection.query({
            sql : 'SELECT role from `auth_users` WHERE `username`= ?',
            timeout : 40000, // 40s
            values : [req.user['id']]
        }, function (error, results, rows) {
            if (results[0]['role'] === "admin") {
                admin = (results[0]['role']);
                res.render('admin', {
                    isAuthenticated : req.isAuthenticated(),
                    user : req.user
                });
            } else {
                admin = "";
                res.redirect('/index');
            }
        })
    });

Setting admin role using connect-roles & Passport.JS

3 Answers3