Tags: feathersjs, feathers-authentication, feathers-hook

How do I properly test permissions using FeathersJS & Postman?


First of all, I would like to mention that I'm fairly new to coding so pardon my probably stupid question.

So I'm developing an application using FeathersJS, and in my application I would like to use permissions to ensure that certain users are limited in the actions they can perform, i.e. only an administrator is allowed to create or update users.

To do so, I've installed feathers-permissions using NPM and I've read the documentation, but I'm stuck when trying to test if the functionality actually works. Here's my setup:

const { authenticate } = require('@feathersjs/authentication').hooks;
const checkPermissions = require('feathers-permissions');

module.exports = {
  before: {
    all: [],
    find: [ authenticate('jwt') ],
    get: [ authenticate('jwt') ],
    create: [ checkPermissions({
      roles: [ 'admin' ]
    }), authenticate('jwt') ],
    update: [ authenticate('jwt') ],
    patch: [ authenticate('jwt') ],
    remove: [ authenticate('jwt') ]
  }
};

So now I try to create a user by sending a POST request to the users endpoint of my application (http://localhost:3030/users). Below you can find the body of the POST request that I make:

{
    "email": "[email protected]",
    "password": "somerandompassword",
    "permission": ["user:*"]
}

I always get the following message:

{
    "name": "Forbidden",
    "message": "You do not have the correct permissions (invalid permission entity).",
    "code": 403,
    "className": "forbidden",
    "errors": {}
}

Before I send the POST request, I authenticate myself and retrieve a Bearer Token, which I include in my POST message to identify myself. Of course I've also made sure that I have the necessary access rights to create the user.

Could anyone of you help me out on this? Am I doing something wrong in the configuration of the backend, i.e. have I forgotten to add some code in the Users service? Or should I pass some additional params in my POST request?

Any help would be greatly appreciated!


Solution

  • If you do send the proper bearer token it is probably just a question of the order. Specifically, authenticate('jwt') needs to run first to get the user that you want to check permissions on:

    const { authenticate } = require('@feathersjs/authentication').hooks;
    const checkPermissions = require('feathers-permissions');
    
    module.exports = {
      before: {
        all: [],
        find: [ authenticate('jwt') ],
        get: [ authenticate('jwt') ],
        // authenticate('jwt') runs first so that context.params.user is set
        // by the time checkPermissions looks at it
        create: [ authenticate('jwt'), checkPermissions({
          roles: [ 'admin' ]
        }) ],
        update: [ authenticate('jwt') ],
        patch: [ authenticate('jwt') ],
        remove: [ authenticate('jwt') ]
      }
    };
    

    This is briefly mentioned at the beginning of the feathers-permissions docs, but I also just updated the first example to be clearer about this.
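The ordering problem the answer describes, reproduced as an added example that is not part of the question or the answer and is not the code of the feathers-permissions or @feathersjs/authentication packages. The script models a Feathers "before" hook chain with two constructed stand-in hooks: one that resolves a bearer token to a user the way authenticate('jwt') does, and one that mirrors what checkPermissions() needs from context.params. The token values, the token-to-user map and the permission-string matching rules are assumptions made for the illustration.

```javascript
'use strict';

// Added illustration, not code from the question, the answer, or the
// feathers-permissions / @feathersjs/authentication packages. It models a
// Feathers "before" hook chain with two constructed stand-in hooks so the
// 403 from the question can be reproduced with both hook orders offline.

class FeathersError extends Error {
  constructor(name, code, message) {
    super(message);
    this.name = name;
    this.code = code;
  }
}

// Constructed bearer tokens (assumption: stand in for real JWT verification).
const TOKEN_TO_USER = {
  'admin-token': { id: 1, email: 'admin@example.com', permissions: ['admin'] },
  'user-token': { id: 2, email: 'user@example.com', permissions: ['user:*'] }
};

// Stand-in for authenticate('jwt'): resolves the bearer token to a user and
// stores it on context.params.user, which is where later hooks look for it.
function authenticate(strategy) {
  return context => {
    const header = (context.params.headers && context.params.headers.authorization) || '';
    const [scheme, token] = header.split(' ');
    const user = scheme === 'Bearer' ? TOKEN_TO_USER[token] : undefined;
    if (!user) {
      throw new FeathersError('NotAuthenticated', 401, `${strategy}: invalid or missing token`);
    }
    context.params.user = user;
    context.params.authenticated = true;
    return context;
  };
}

// Stand-in for checkPermissions(): the check reads context.params[entity]
// (the authenticated user) and its permissions field; when no entity is on
// the context it fails with "invalid permission entity". The matching rules
// below are an assumption modelled on the library, not copied from it.
function checkPermissions({ entity = 'user', field = 'permissions', roles = [] } = {}) {
  return context => {
    const subject = context.params[entity];
    if (!subject) {
      throw new FeathersError('Forbidden', 403,
        'You do not have the correct permissions (invalid permission entity).');
    }
    const granted = [].concat(subject[field] || []);
    const accepted = ['*', `*:${context.method}`];
    for (const role of roles) {
      accepted.push(role, `${role}:*`, `${role}:${context.method}`);
    }
    if (!granted.some(p => accepted.includes(p))) {
      throw new FeathersError('Forbidden', 403, 'You do not have the correct permissions.');
    }
    return context;
  };
}

// Feathers runs the before-hooks of a method one after another, each seeing
// the context as left by the previous hook. Synchronous hooks keep this
// runnable without a harness; real hooks may also be async.
function runBeforeHooks(hooks, context) {
  return hooks.reduce((ctx, hook) => hook(ctx) || ctx, context);
}

// Simulates a REST POST /users carrying the given bearer token and reports
// the outcome the way the client would see it.
function simulateCreate(hooks, bearerToken) {
  const context = {
    method: 'create',
    path: 'users',
    params: { provider: 'rest', headers: { authorization: `Bearer ${bearerToken}` } },
    data: { email: 'new@example.com', password: 'somerandompassword', permissions: ['user:*'] }
  };
  try {
    runBeforeHooks(hooks, context);
    return { status: 201, user: context.params.user.email };
  } catch (err) {
    return { status: err.code, name: err.name, message: err.message };
  }
}

// The question's order and the answer's order, side by side.
const wrongOrder = [checkPermissions({ roles: ['admin'] }), authenticate('jwt')];
const rightOrder = [authenticate('jwt'), checkPermissions({ roles: ['admin'] })];

console.log('wrong order, admin token:', simulateCreate(wrongOrder, 'admin-token'));
console.log('right order, admin token:', simulateCreate(rightOrder, 'admin-token'));
console.log('right order, user token: ', simulateCreate(rightOrder, 'user-token'));
console.log('right order, bad token:  ', simulateCreate(rightOrder, 'bogus'));
```

Run it with node. With the question's order the admin token is still refused with the "invalid permission entity" 403, because the permission check runs before any hook has put a user on context.params; with the answer's order the same token passes, a user who lacks the admin role gets the plain "You do not have the correct permissions." 403, and a missing or invalid token gets a 401 from the authentication hook. Note that the check looks at the permissions of the authenticated caller (by default the user's permissions field), not at the permissions in the request body, which only describe the user being created.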