As I am granting access to pages using tools like connect-roles and loopback, a question arises regarding how I can retrieve the customer's role, read the session, and manage routes through connect-roles.
For instance, when a client logs in, I retrieve a string containing their assigned role and utilize it within a function that regulates page access.
This raises a query for me as I work on a large-scale service where multiple client sessions are often accessed simultaneously using a shared storage and check function.
Would it be efficient to store the customer's role using app.set() and app.get() functions?
app.get('/session-details', function (req, res) {
var AccessToken = app.models.AccessToken;
AccessToken.findForRequest(req, {}, function (aux, accesstoken) {
// console.log(aux, accesstoken);
if (accesstoken == undefined) {
res.status(401);
res.send({
'Error': 'Unauthorized',
'Message': 'You need to be authenticated to access this endpoint'
});
} else {
var UserModel = app.models.user;
UserModel.findById(accesstoken.userId, function (err, user) {
// console.log(user);
res.status(200);
res.json(user);
// storing employee role
app.set('employeeRole', user.accessLevel);
});
}
});
});
Everything seems to progress smoothly thus far; I successfully retrieve the role information linked with the client. Subsequently, I create a connect-roles function to validate this data.
var dsConfig = require('../datasources.json');
var path = require('path');
module.exports = function (app) {
var User = app.models.user;
var ConnectRoles = require('connect-roles');
const employeeFunction = 'Developer';
var user = new ConnectRoles({
failureHandler: function (req, res, action) {
// custom function to handle authorization failures
var accept = req.headers.accept || '';
res.status(403);
if (~accept.indexOf('ejs')) {
res.send('Access Denied - You don\'t have permission to: ' + action);
} else {
res.render('access-denied', {action: action});
// here
console.log(app.get('employeeRole'));
}
}
});
user.use('authorize access private page', function (req) {
if (employeeFunction === 'Manager') {
return true;
}
});
app.get('/private/page', user.can('authorize access private page'), function (req, res) {
res.render('channel-new');
});
app.use(user.middleware());
};
My concern lies particularly at the instance where I use
console.log(app.get('employeeRole')); app.get('/private/page', user.can('authorize access private page'), function (req, res) {
res.render('channel-new');
});
Consider a scenario where clients x and y connect simultaneously and share the same function for storing session data. Would printing the string via
console.log(app.get('employeeRole'));To address this, if my doubt is resolved and no problems arise with simultaneous connections, I plan to introduce a new variable with
var employeeFunction = app.get('employeeRole');if (employeeFunction === 'Any Role')failureHandler callback is triggered.
My testing environment is currently limited to scenarios of this nature, so any guidance on this matter would be greatly appreciated!