abdil1234 · February 20, 2019 15:22 · Jan 26, 2019 · Jan 26, 2019 · Nov 3, 2017 · Nov 3, 2017
diff --git a/app.js b/app.js
@@ -34,7 +34,7 @@ api.patch("/account", permit('owner'), (req, res) => res.json({message: "updated
 api.delete("/account", permit('owner'), (req, res) => res.json({message: "deleted"}));
 
 // viewing account "GET" available to account owner and account member
-api.get("/account", permit('owner', 'employee'),  (req, res) => res.json({currentUser: request.user}));
+api.get("/account", permit('owner', 'employee'),  (req, res) => res.json({currentUser: req.user}));
 
 // mount api router
 app.use("/api", api);

diff --git a/app.js b/app.js
@@ -20,21 +20,21 @@ app.use("/api/private", permit("admin"));
 app.use(["/api/foo", "/api/bar"], permit("owner", "employee"));
 
 // setup requests handlers
-api.get("/private/whatever", (req, res) => response.json({whatever: true}));
-api.get("/foo", (req, res) => response.json({currentUser: req.user}));
-api.get("/bar", (req, res) => response.json({currentUser: req.user}));
+api.get("/private/whatever", (req, res) => res.json({whatever: true}));
+api.get("/foo", (req, res) => res.json({currentUser: req.user}));
+api.get("/bar", (req, res) => res.json({currentUser: req.user}));
 
 // setup permissions based on HTTP Method
 
 // account creation is public
-api.post("/account", (req, res) => req.json({message: "created"}));
+api.post("/account", (req, res) => res.json({message: "created"}));
 
 // account update & delete (PATCH & DELETE) are only available to account owner
-api.patch("/account", permit('owner'), (req, res) => req.json({message: "updated"}));
-api.delete("/account", permit('owner'), (req, res) => req.json({message: "deleted"}));
+api.patch("/account", permit('owner'), (req, res) => res.json({message: "updated"}));
+api.delete("/account", permit('owner'), (req, res) => res.json({message: "deleted"}));
 
 // viewing account "GET" available to account owner and account member
-api.get("/account", permit('owner', 'employee'),  (req, res) => req.json({currentUser: request.user}));
+api.get("/account", permit('owner', 'employee'),  (req, res) => res.json({currentUser: request.user}));
 
 // mount api router
 app.use("/api", api);

diff --git a/authentication.js b/authentication.js
@@ -1,9 +1,9 @@
 // middleware for authentication
-export default async function authorize(req, res, next) {
-  const apiToken = req.headers['x-api-token'];
+export default async function authorize(request, _response, next) {
+  const apiToken = request.headers['x-api-token'];
 
   // set user on-success
-  request.user = await req.db.users.findByApiKey(apiToken);
+  request.user = await request.db.users.findByApiKey(apiToken);
 
   // always continue to next middleware
   next();

diff --git a/loadDb.js b/loadDb.js
@@ -1,5 +1,5 @@
 // dummy middleware for db (set's request.db)
-export default function loadDb(req, res, next) {
+export default function loadDb(request, _response, next) {
 
   // dummy db
   request.db = {

diff --git a/permission.js b/permission.js
@@ -3,8 +3,8 @@ export default function permit(...allowed) {
   const isAllowed = role => allowed.indexOf(role) > -1;
 
   // return a middleware
-  return (req, res, next) => {
-    if (req.user && isAllowed(req.user.role))
+  return (request, response, next) => {
+    if (request.user && isAllowed(request.user.role))
       next(); // role is allowed, so continue on the next middleware
     else {
       response.status(403).json({message: "Forbidden"}); // user is forbidden

diff --git a/loadDb.js b/loadDb.js
@@ -8,12 +8,10 @@ export default function loadDb(req, res, next) {
         switch {
           case (token == '1234') {
             return {role: 'owner', id: 1234};
-            break;
           case (token == '5678') {
             return {role: 'employee', id: 5678};
-            break;
           default:
-            throw new Error('Record not found');
+            return null; // no user
         }
       }
     }

diff --git a/permission.js b/permission.js
@@ -1,6 +1,6 @@
 // middleware for doing role-based permissions
 export default function permit(...allowed) {
-  const isAllowed = role => _.indexOf(allowed, role) > -1;
+  const isAllowed = role => allowed.indexOf(role) > -1;
 
   // return a middleware
   return (req, res, next) => {

diff --git a/app.js b/app.js
@@ -1,7 +1,7 @@
 // the main app file
 import express from "express";
 import loadDb from "./loadDb"; // dummy middleware to load db (sets request.db)
-import authorize from "./authorization"; // middleware for doing authorization
+import authenticate from "./authentication"; // middleware for doing authentication
 import permit from "./permission"; // middleware for checking if user's role is permitted to make request
 
 const app = express(),
@@ -10,9 +10,9 @@ const app = express(),
 // first middleware will setup db connection
 app.use(loadDb);
 
-// check authorization for each request
+// authenticate each request
 // will set `request.user`
-app.use(authorize);
+app.use(authenticate);
 
 // setup permission middleware,
 // check `request.user.role` and decide if ok to continue 

diff --git a/app.js b/app.js
@@ -4,8 +4,8 @@ import loadDb from "./loadDb"; // dummy middleware to load db (sets request.db)
 import authorize from "./authorization"; // middleware for doing authorization
 import permit from "./permission"; // middleware for checking if user's role is permitted to make request
 
-let app = express(),
-    api = express.Router();
+const app = express(),
+      api = express.Router();
 
 // first middleware will setup db connection
 app.use(loadDb);
@@ -17,7 +17,7 @@ app.use(authorize);
 // setup permission middleware,
 // check `request.user.role` and decide if ok to continue 
 app.use("/api/private", permit("admin"));
-app.use(["/api/foo", "/api/bar"], permit("account-owner", "account-member"));
+app.use(["/api/foo", "/api/bar"], permit("owner", "employee"));
 
 // setup requests handlers
 api.get("/private/whatever", (req, res) => response.json({whatever: true}));
@@ -30,11 +30,11 @@ api.get("/bar", (req, res) => response.json({currentUser: req.user}));
 api.post("/account", (req, res) => req.json({message: "created"}));
 
 // account update & delete (PATCH & DELETE) are only available to account owner
-api.patch("/account", permit('account-owner'), (req, res) => req.json({message: "updated"}));
-api.delete("/account", permit('account-owner'), (req, res) => req.json({message: "deleted"}));
+api.patch("/account", permit('owner'), (req, res) => req.json({message: "updated"}));
+api.delete("/account", permit('owner'), (req, res) => req.json({message: "deleted"}));
 
 // viewing account "GET" available to account owner and account member
-api.get("/account", permit('account-member', 'account-owner'),  (req, res) => req.json({currentUser: request.user}));
+api.get("/account", permit('owner', 'employee'),  (req, res) => req.json({currentUser: request.user}));
 
 // mount api router
 app.use("/api", api);

diff --git a/authentication.js b/authentication.js
@@ -1,10 +1,10 @@
 // middleware for authentication
-export default function authorize(req, res, next) {
-  let apiToken = req.headers['x-api-token'];
+export default async function authorize(req, res, next) {
+  const apiToken = req.headers['x-api-token'];
 
-  req.db
-     .users
-     .findByApiKey(apiToken)
-     .then(user => req.user = user) // set user on-success
-     .finally(next); // always continue to next middleware
+  // set user on-success
+  request.user = await req.db.users.findByApiKey(apiToken);
+
+  // always continue to next middleware
+  next();
 }
diff --git a/loadDb.js b/loadDb.js
@@ -4,18 +4,18 @@ export default function loadDb(req, res, next) {
   // dummy db
   request.db = {
     users: {
-      findByApiKey: token => new Promise((resolve, reject) => {
+      findByApiKey: async token => {
         switch {
           case (token == '1234') {
-            resolve({role: 'account-owner', id: 1234});
+            return {role: 'owner', id: 1234};
             break;
           case (token == '5678') {
-            resolve({role: 'account-member', id: 5678});
+            return {role: 'employee', id: 5678};
             break;
           default:
-            reject();
+            throw new Error('Record not found');
         }
-      })
+      }
     }
   };
 

diff --git a/permission.js b/permission.js
@@ -1,6 +1,6 @@
 // middleware for doing role-based permissions
 export default function permit(...allowed) {
-  let isAllowed = role => _.indexOf(allowed, role) > -1;
+  const isAllowed = role => _.indexOf(allowed, role) > -1;
 
   // return a middleware
   return (req, res, next) => {

diff --git a/permission.js b/permission.js
@@ -1,10 +1,10 @@
 // middleware for doing role-based permissions
 export default function permit(...allowed) {
-  let isValidRole = role => _.indexOf(allowed, role) > -1;
+  let isAllowed = role => _.indexOf(allowed, role) > -1;
 
   // return a middleware
   return (req, res, next) => {
-    if (req.user && isValidRole(req.user.role))
+    if (req.user && isAllowed(req.user.role))
       next(); // role is allowed, so continue on the next middleware
     else {
       response.status(403).json({message: "Forbidden"}); // user is forbidden

diff --git a/authentication.js b/authentication.js
@@ -3,8 +3,8 @@ export default function authorize(req, res, next) {
   let apiToken = req.headers['x-api-token'];
 
   req.db
-      .users
-      .findByApiKey(apiToken)
-      .then(user => req.user = user) // set user on-success
-      .finally(() => next()); // always continue to next middleware
+     .users
+     .findByApiKey(apiToken)
+     .then(user => req.user = user) // set user on-success
+     .finally(next); // always continue to next middleware
 }
diff --git a/permission.js b/permission.js
@@ -1,5 +1,5 @@
 // middleware for doing role-based permissions
-export default function permit(...allowedRoles) {
+export default function permit(...allowed) {
   let isValidRole = role => _.indexOf(allowed, role) > -1;
 
   // return a middleware

diff --git a/app.js b/app.js
@@ -5,7 +5,7 @@ import authorize from "./authorization"; // middleware for doing authorization
 import permit from "./permission"; // middleware for checking if user's role is permitted to make request
 
 let app = express(),
-    api = app.Router();
+    api = express.Router();
 
 // first middleware will setup db connection
 app.use(loadDb);

diff --git a/authentication.js b/authentication.js
@@ -1,6 +1,6 @@
 // middleware for authentication
 export default function authorize(req, res, next) {
-  let apiToken = req.header['x-api-token'];
+  let apiToken = req.headers['x-api-token'];
 
   req.db
       .users

diff --git a/app.js b/app.js
@@ -7,6 +7,9 @@ import permit from "./permission"; // middleware for checking if user's role is
 let app = express(),
     api = app.Router();
 
+// first middleware will setup db connection
+app.use(loadDb);
+
 // check authorization for each request
 // will set `request.user`
 app.use(authorize);

diff --git a/index.js → app.js b/index.js → app.js
diff --git a/authentication.js b/authentication.js
@@ -1,3 +1,4 @@
+// middleware for authentication
 export default function authorize(req, res, next) {
   let apiToken = req.header['x-api-token'];
 

diff --git a/index.js b/index.js
@@ -1,3 +1,4 @@
+// the main app file
 import express from "express";
 import loadDb from "./loadDb"; // dummy middleware to load db (sets request.db)
 import authorize from "./authorization"; // middleware for doing authorization

diff --git a/loadDb.js b/loadDb.js
@@ -1,3 +1,4 @@
+// dummy middleware for db (set's request.db)
 export default function loadDb(req, res, next) {
 
   // dummy db
@@ -16,7 +17,7 @@ export default function loadDb(req, res, next) {
         }
       })
     }
-  }
+  };
 
   next();
 }
diff --git a/permission.js b/permission.js
@@ -1,3 +1,4 @@
+// middleware for doing role-based permissions
 export default function permit(...allowedRoles) {
   let isValidRole = role => _.indexOf(allowed, role) > -1;
 

diff --git a/authentication.js b/authentication.js
@@ -0,0 +1,9 @@
+export default function authorize(req, res, next) {
+  let apiToken = req.header['x-api-token'];
+
+  req.db
+      .users
+      .findByApiKey(apiToken)
+      .then(user => req.user = user) // set user on-success
+      .finally(() => next()); // always continue to next middleware
+}
diff --git a/index.js b/index.js
@@ -0,0 +1,39 @@
+import express from "express";
+import loadDb from "./loadDb"; // dummy middleware to load db (sets request.db)
+import authorize from "./authorization"; // middleware for doing authorization
+import permit from "./permission"; // middleware for checking if user's role is permitted to make request
+
+let app = express(),
+    api = app.Router();
+
+// check authorization for each request
+// will set `request.user`
+app.use(authorize);
+
+// setup permission middleware,
+// check `request.user.role` and decide if ok to continue 
+app.use("/api/private", permit("admin"));
+app.use(["/api/foo", "/api/bar"], permit("account-owner", "account-member"));
+
+// setup requests handlers
+api.get("/private/whatever", (req, res) => response.json({whatever: true}));
+api.get("/foo", (req, res) => response.json({currentUser: req.user}));
+api.get("/bar", (req, res) => response.json({currentUser: req.user}));
+
+// setup permissions based on HTTP Method
+
+// account creation is public
+api.post("/account", (req, res) => req.json({message: "created"}));
+
+// account update & delete (PATCH & DELETE) are only available to account owner
+api.patch("/account", permit('account-owner'), (req, res) => req.json({message: "updated"}));
+api.delete("/account", permit('account-owner'), (req, res) => req.json({message: "deleted"}));
+
+// viewing account "GET" available to account owner and account member
+api.get("/account", permit('account-member', 'account-owner'),  (req, res) => req.json({currentUser: request.user}));
+
+// mount api router
+app.use("/api", api);
+
+// start 'er up
+app.listen(process.env.PORT || 3000);
diff --git a/loadDb.js b/loadDb.js
@@ -0,0 +1,22 @@
+export default function loadDb(req, res, next) {
+
+  // dummy db
+  request.db = {
+    users: {
+      findByApiKey: token => new Promise((resolve, reject) => {
+        switch {
+          case (token == '1234') {
+            resolve({role: 'account-owner', id: 1234});
+            break;
+          case (token == '5678') {
+            resolve({role: 'account-member', id: 5678});
+            break;
+          default:
+            reject();
+        }
+      })
+    }
+  }
+
+  next();
+}
diff --git a/permission.js b/permission.js
@@ -0,0 +1,12 @@
+export default function permit(...allowedRoles) {
+  let isValidRole = role => _.indexOf(allowed, role) > -1;
+
+  // return a middleware
+  return (req, res, next) => {
+    if (req.user && isValidRole(req.user.role))
+      next(); // role is allowed, so continue on the next middleware
+    else {
+      response.status(403).json({message: "Forbidden"}); // user is forbidden
+    }
+  }
+}