#Best practices for validating resource and access based on credentials and relations in DB


tulip frost

Let's assume I have an endpoint GET /v1/admin/organizations/{organizationId}/facilities/{facilityId}. To access a facility by ID, the following conditions have to be met:

  1. The endpoint is only accessible by users with role ADMIN
  2. To view an organization with a particular ID, the current user has to be the owner of the organization
  3. To access a facility in an organization, the previous steps have to be met and additionally the facility has to be in the organization

How should I approach performing these 3 steps? As for number 1, I guess it's obvious to use a Guard. When it comes to 2 and 3 I have some doubts. For me these steps belong to the business logic rather than authorization, but I may be wrong. Secondly, there will probably be many endpoints for the same resource, for example for update and delete. Moreover, each facility can have places, which would need /v1/admin/organizations/{organizationId}/facilities/{facilityId}/places/{placeId}, and I would need to check if the place is in a facility. The idea of creating multiple guards for checking each resource seems strange to me in such cases. Maybe I could create one individual guard for each endpoint for a particular resource which will check everything I need? Do you have any suggestions for this problem, maybe some articles or posts? Or maybe you have had similar requirements and implemented a solution for it?

bitter viper

Hello

Personally I would put points 1 and 2 into the guard. Point 3 sounds like something that should be handled by filtering at the operation.

I would imagine something like this from your description:

user collection:

[
  {
    "id": 1,
    "name": "TestUser"
  },
  {
    "id": 2,
    "name": "SecondUser"
  }
]

organization collection:

[
  {
    "id": 1,
    "name": "my first best org",
    "owner": 1
  },
  {
    "id": 2,
    "name": "my next org",
    "owner": 2
  }
]

facilities collection:

[
  {
    "id": 1,
    "name": "bottler",
    "organization": 1
  },
  {
    "id": 2,
    "name": "bottler",
    "organization": 1
  }
]

Then also places collection....

Looking at it from this level, the user + org combination is something that will always be important. An organization field will also be good to have even on the places entity if later you would like to list all the places that belong to the organization. If you would like to make it multi-tenant, then again organization would be a must-have on every request.
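The two-layer split described in this reply (role and ownership in the guard, organization membership as a filter on the operation), as an added example that is not code from either poster; it is plain TypeScript with no NestJS imports, the `roles` field on users and the handler names are assumptions, and the sample collections are constructed from the ones above with one extra facility in the second organization.

```typescript
type Role = "ADMIN" | "USER";
interface User { id: number; name: string; roles: Role[] }
interface Organization { id: number; name: string; owner: number }
interface Facility { id: number; name: string; organization: number }

// Constructed sample data mirroring the collections in the reply (roles added).
const users: User[] = [
  { id: 1, name: "TestUser", roles: ["ADMIN"] },
  { id: 2, name: "SecondUser", roles: ["USER"] },
];
const organizations: Organization[] = [
  { id: 1, name: "my first best org", owner: 1 },
  { id: 2, name: "my next org", owner: 2 },
];
const facilities: Facility[] = [
  { id: 1, name: "bottler", organization: 1 },
  { id: 2, name: "bottler", organization: 1 },
  { id: 3, name: "warehouse", organization: 2 }, // belongs to another org
];

// Guard layer (points 1 and 2): the user must hold ADMIN and own the
// organization named in the path. Evaluated once, before any handler runs.
function canAccessOrganization(user: User, organizationId: number): boolean {
  if (!user.roles.includes("ADMIN")) return false;
  const org = organizations.find((o) => o.id === organizationId);
  return org !== undefined && org.owner === user.id;
}

// Operation layer (point 3): scope the lookup by organization. A facility
// that exists but belongs to another org is simply "not found", so the
// handler never has to compare ownership itself and cannot leak existence.
function findFacility(organizationId: number, facilityId: number): Facility | undefined {
  return facilities.find((f) => f.organization === organizationId && f.id === facilityId);
}

// Simulated handler for GET /v1/admin/organizations/{organizationId}/facilities/{facilityId}.
// Returns an HTTP-like status so the two layers can be observed separately.
function getFacility(user: User, organizationId: number, facilityId: number): { status: number; body?: Facility } {
  if (!canAccessOrganization(user, organizationId)) return { status: 403 };
  const facility = findFacility(organizationId, facilityId);
  return facility ? { status: 200, body: facility } : { status: 404 };
}
```

The same `findFacility`-style scoping extends to places by filtering on facility (and organization) in the query, which is the multi-tenant shape the reply recommends.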