Add System for Authorization Checks

[daSkier]

I've been wanting to add some permissions around my routes and I thought I'd write my thoughts down as as suggestions or ideas for future development. I'm new to Vapor and backend development, so please take this with a grain of salt.

Roles/Permissions

First, I thought it would be great to be able to add some ability to define permissions levels or roles in conjunction with the User model. It seems like the most flexible system would allow the author to define these levels on their own (These could be defined as either one-to-one or one-to-many). Alternatively, Vapor could provide preset permissions levels, but that seems like possible overkill. Presumably this could be built as a Protocol any model could conform to, but concrete implementations could be provided as well.

Authorizable Could be designed like Timestampable:

extension User: Authorizable {
    // Adds mapping to Authorizable key path properties
    static var permissionsKey: WritableKeyPath<User, [PermissionType]> { return \.roleLevel }
}

Rules/Authorization

Now, to add Authorization the routes you could add an extra function to the route chain like .authorize(using: .FooPolicy). This could be done with a closure or function that accepts arguments that could be used to define a true/false or pass/fail test. Laravel does something similar with their Authorization system.

If you start with a collection of routes like this:

let athleteRoutes = router.grouped("api", "athletes")
athleteRoutes.get(use: index)
athleteRoutes.post(use: create)
athleteRoutes.delete(Athlete.parameter, use: delete)

With Authorization the route group could end up looking like the following:

let athleteRoutes = router.authorize(using: athletePolicy).grouped("api", "athletes")
athleteRoutes.get(use: index)
athleteRoutes.post(use: create)
athleteRoutes.delete(Athlete.parameter, use: delete)

Or:

let athleteRoutes = router.grouped("api", "athletes")
athleteRoutes.get(use: index)
athleteRoutes.authorize(using: athleteEditPolicy).post(use: create)
athleteRoutes.authorize(using: athleteEditPolicy).delete(Athlete.parameter, use: delete)

Ideally, you could add this authorization component at both the individual route or route group level.

The authorization function could look something like this:

func athletePolicy(_ req: Request) throws -> Future<Bool> {
    return user.permissions.contains(.athleteEditor) // pseudocode for getting user permissions levels 
}

Or:

func athleteEditPolicy(_ req: Request) throws -> Future<Bool> {
    return try req.content.decode(Athlete.self).map(to: Bool.self) { athlete in 
        return athlete.ownerID == user.ID //pseudocode for getting user.ID
    }
}

In the event that the Authorization process fails, I'd be great if Vapor sent the appropriate HTTP error code (I think this would be a 403, but I could be wrong).

[natebird]

I like the implementation above but I feel like authentication and authorization shouldn't be part of the same package. This should be separate.

[tanner0101]

This actually was a part of the first version of this package, we just didn't have time to port it over during Vapor 3's release. See: https://github.com/vapor/auth/tree/1.2.1/Sources/Authorization

Hopefully I'll have time for Vapor 4's release to work on it. I think the "policy" idea here is interesting. I also like how Laravel does it: https://laravel.com/docs/5.8/authorization.

[natebird]

Oh, interesting. I might be able to help with it. I'll have need of something like that in my app in a couple of weeks.

[tanner0101]

Cool, that would be greatly appreciated. For this large of a change, I'd recommend doing a pitch first to really flesh out the idea and get feedback before code is written. You can see a couple examples of that here:

https://forums.swift.org/tags/c/related-projects/vapor/pitch

[jonny7]

Hi @tanner0101

I started a generic package for RBAC. It's currently stalled as it can't compile with Swift 5 due to a regression I logged with the Swift team. It's based off the NIST model. I've used it with Yii and it allowed me really granular control over routes and to apply custom rule files to those routes. I was hoping to get it finished before Vapor 4. But depends on when this bug is fixed.
But if it sounds like it or aspects of it might be useful let me know i'd be happy to help. Gotta earn that contributor/maintainer badge somehow :)

[jdmcd]

I've posted a pitch on the forum here with some ideas: https://forums.swift.org/t/pitch-vapor-4-authorization-system/22980