Authorization is a basic feature of modern web applications: the mechanism that grants or denies access to resources according to the user's role. CMS-like applications need full-featured libraries and authorization techniques, but for a minimal application a full-fledged library can be overhead.
For that case, I will discuss a dead simple authorization technique based on HTTP verbs.
Things to consider beforehand
This technique isn't something you can implement anywhere. Use it only if your requirements match this particular scenario.
- It works only for REST APIs. Everything happens in the middleware layer. If you have simple MVC-based REST APIs, this is for you.
- It relies heavily on the HTTP verbs and the URL naming convention, so API endpoints should be clear and consistently structured, similar to this:
List Products : GET /products
Product Detail : GET /products/{id}
Create Product : POST /products
Update Product : PUT /products/{id}
Delete Product : DELETE /products/{id}
- A URL can do many things, but not all of them can be expressed by its name and HTTP verb alone. In particular, the check is resource-level: it decides whether a role may send PUT /products/{id} at all, not whether the caller owns product {id}. If you require more complex authorization, you can't rely on this technique alone.
Let's implement the dead simple authorization technique based on HTTP verbs. For demo purposes we will use Node.js; you can implement it in any language and on any platform of your choice: plain Node.js, Express, AWS Lambda, etc.
Step 1: Encode user role into JWT token
The JWT is the key thing here. It contains the user's role as a signed claim, so the client cannot alter it without the signing key, and the token is returned when the user logs in. Because the role is read from the token on every request, a change of role only takes effect once a new token is issued, so give tokens an expiry.
const jwt = require('jsonwebtoken');
const token = jwt.sign({
  …
  role: userData.role
}, JWT_KEY, { algorithm: 'HS256', expiresIn: '1h' }); // pin the algorithm and give the token an expiry
On subsequent API calls, the token is passed as the value of the Authorization header with the Bearer scheme.
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdW...
Step 2: Decode token and check permissions
When a request with the JWT attached in the header reaches the web server, it goes through a middleware layer. Inside that layer the token is extracted and verified (check the signature and expiry; do not just decode the payload, since anyone can craft an unsigned payload). To check permissions we need two pieces of information:
- User role: decoded from the verified token
- Resource name: identified from the request URL
const jwt = require('jsonwebtoken');

// extract token from header (Node lower-cases header names: request.headers.authorization)
let authHeader = request.headers.authorization || '';
let token = authHeader.split(' ')[1];

// verify the signature and expiry, then get the user's 'role';
// pin the algorithm to the one used by jwt.sign so a token with another alg is rejected
let decodedVal = jwt.verify(token, process.env.JWT_KEY, { algorithms: ['HS256'] });
let role = decodedVal.role;

// get resource name (based on your web framework)
// eg:
// GET /products/1 => 'products'
// PUT /users/3 => 'users'
// POST /orders => 'orders'
// parse the URL first so a query string ("/products?page=2") does not end up in the name
let resourceName = new URL(request.url, 'http://localhost').pathname.split('/')[1];
The mechanism for retrieving the HTTP verb and resource name may differ according to the language or framework being used. The code above is only for demonstration.
The permissions for resources according to user roles are stored in the following manner. Each role has access to certain resources, and within a resource it can perform certain actions, identified by HTTP verb. Anything not listed is denied.
const PERMISSIONS = {
  "vendor": {
    "products": ["POST", "PUT", "DELETE", "GET"],
    "orders": ["POST", "PUT", "DELETE", "GET"],
    "stores": ["POST", "PUT", "DELETE", "GET"],
    "dashboard": ["GET"]
  },
  "customer": {
    "products": ["GET"],
    "orders": ["GET"],
    "stores": ["GET"],
    "comments": ["GET", "POST"],
    "shopping-carts": ["GET", "POST"],
    "dashboard": ["GET"]
  },
  "admin": {
    "products": ["POST", "PUT", "DELETE", "GET"],
    "orders": ["POST", "PUT", "DELETE", "GET"],
    "stores": ["POST", "PUT", "DELETE", "GET"],
    "comments": ["POST", "PUT", "DELETE", "GET"],
    "shopping-carts": ["POST", "PUT", "DELETE", "GET"],
    "dashboard": ["POST", "PUT", "DELETE", "GET"]
  }
};
The function below returns whether the role is allowed to perform the action on the resource. Unknown roles and unknown resources fall through to false, so the check fails closed.
function checkPermission(role, resource, httpVerb) {
  // look only at the table's own keys: a role or resource such as "constructor"
  // would otherwise resolve to an inherited Object.prototype property
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  if (hasOwn(PERMISSIONS, role) && hasOwn(PERMISSIONS[role], resource))
    return PERMISSIONS[role][resource].includes(httpVerb);
  return false;
}

// Example
// request from "admin"
// POST https://test-domain.com/products/ => true
// request from "customer"
// POST https://test-domain.com/products/ => false
Based on the result, the API request is forwarded to the next middleware layer/controller, or denied with an error response (typically 401 when the token is missing or invalid, 403 when the role lacks the permission).
The approach works only for certain use cases (as mentioned above). If your scenario matches, you can implement the technique quickly and easily instead of relying on heavy libraries.
What do you think about this technique? Do you have some other, better approach? Please share it in the comments below.
Translated from: https://medium.com/@bibhutipd/dead-simple-authorization-technique-based-on-http-verbs-7a2c3cfbde2f