Authorization approaches and design patterns for Node.js applications

I am building a multiple page admin interface for an internal enterprise software platform. Think lots of glue logic tying together various APIs, db queries, and shell scripts.

We will be using node.js, the express framework (including jade templates), and LDAP for authentication.

I am struggling to find information regarding design patterns and best practices for authorization in node applications. Preferably, I would like to use the role-based model since my users are familiar with that approach and its care and feeding.

I am new to node.js so please don't assume I've already seen a module or popular blog post. It's probable that there's a wealth of information and I simply do not know where to look.

Thanks in advance for any information you are able to provide!

As per your first question, you want some authorization process implementation in NodeJs. I have explored and used number of APIs of NodeJs. I would prefer following APIs for enterprise applications.

• For Authentication: Passport or Satellizer if developing SPA (front-end) in AngularJS.

• For Authorization: ACL . Role based security on Methods and REST APIs. I would like to mention casbin if you want to use RABC, ABAC as well.

Second, you want some implementation and development approach in NodeJs.

• Easy and my favourite design pattern and Framework for NodeJs: MVC framework , SailsJs . For its ready to start and modular architecture. Code management is easy in long run (Most practical requirement for an enterprise application). Easy maintenance. SailsJs is also preconfigured with Socket.io, using which you can create real time modules, widgets, chat widgets with in your project.

• Express You can use Express and design your own custom MVC project structure. This is also popular and robust. You can find popular seed projects of the same on Yeoman

• Redis As a caching or session layer. It is always good to use seperate caching or session layer, because it won't block you to scale your application on cloud to nth instances.

• You can use Redis and Socket.io to create real-time features like Geo-location , user-presence(online/offline), chat, push-notification and many more.

• ORM: Waterline . For its easy querying approach. It is also the inbuilt and default ORM of SailsJs. You can also use Sequelizejs, if not using SailsJs. I would recommend to use native connectors provided by DB providers.

• Database: As per your requirement. Waterline ORM supports PostgreSQL, MySQL, MongoDB and more..

• My faviourite view engine: EJS. No need to learn new things for developing your presentation layer. It is also the inbuilt and default view engine of SailsJs, that's why I am a fan of SailsJs.

I think, I have covered all important information to create an Enterprise application in NodeJs. I don't say, above packages are best, but collaboratively, they can be best fitted to any enterprise scenario. There are other known packages, which you can use according to your own requirement.

Here are some information to get started:

• passport is a popular module for authentication
• express auth example shows how do implement simple authentication without extra modules
• express route middleware example explains how to implement role based authentication
• blog post on nodejs.org about the ldapjs module

Hope that makes it easier to start.

Another option is to use CASL which is very good integrated with MongoDB. Also there is an article of how to itegrate authorization based on CASL into expressjs app - https://medium.com/@sergiy.stotskiy/authorization-with-casl-in-express-app-d94eb2e2b73b

I should say Node-Authorization is also a good candidate. The idea is borrowed from SAP(ERP provider), it is an object oriented authorization. And it can also be used as an accompaniment with other frameworks like: Passport and Express.