Security - npolar/api.npolar.no GitHub Wiki
# Security

## Transport-level security
Make sure to run all APIs that require authentication and/or authorization behind transport-level security (TLS/HTTPS), so that credentials and session data are never sent in the clear; see [Install] for how you might set this up using Nginx and Unicorn.

## Authentication and authorization
Use `Npolar::Rack::Authorizer` for authentication and simple role-based access control.

The Authorizer restricts editing (`POST`, `PUT`, and `DELETE`) to users with an `editor` role, and reading to users with a `reader` role.

The Authorizer needs an Auth backend; see `Npolar::Auth::Ldap` (or `Net::LDAP`) for LDAP authentication (authorization is @todo), or `Npolar::Auth::Couch` for a CouchDB-backed solution:
```ruby
map "/arctic/animal" do
  # Auth backend: users and their roles live in the api_user CouchDB database
  auth = Npolar::Auth::Couch.new("https://localhost:6984/api_user")
  # Roles are looked up per system, here "arctic_animal"
  # (the page elsewhere names this middleware Npolar::Rack::Authorizer)
  use Npolar::Rack::Authorizer, { :auth => auth, :system => "arctic_animal" }
  run Npolar::Api::Core.new(nil, { :storage => "https://localhost:6984/arctic_animal" })
end
```
You can modify the behavior of the Authorizer by injecting lambda functions. For example, here is how you can tighten security so that only users with a `sysadmin` role are authorized, regardless of request method:
```ruby
use Npolar::Rack::Authorizer, { :auth => Npolar::Auth::Couch.new("https://localhost:6984/api_user"), :system => "api",
  :authorized? => lambda { |auth, system, request| auth.roles(system).include? Npolar::Rack::Authorizer::SYSADMIN_ROLE }
}
```
For free/open data, you might want to loosen security by allowing anyone to read. This is easy using `:except?`, which skips authentication and authorization entirely for requests the lambda returns true for (here safe, read-only methods), while writes still require credentials and the `editor` role:

```ruby
# api_user is an Auth backend, e.g. Npolar::Auth::Couch.new("https://localhost:6984/api_user")
use Npolar::Rack::Authorizer, { :auth => api_user, :system => "metadata",
  :except? => lambda { |request| ["GET", "HEAD"].include? request.request_method } }
```
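To make the three policies above concrete (the default editor/reader split, the `:authorized?` override and the `:except?` exemption), here is a self-contained, added example that is not Npolar's code: a minimal Rack-style middleware with a constructed in-memory Auth backend standing in for `Npolar::Auth::Couch`. It simplifies the real interface in two assumed ways: the injected lambdas receive the raw Rack `env` hash instead of a `Rack::Request`, and the `:authorized?` lambda receives the already-resolved role list rather than `(auth, system, request)`. Users, passwords and roles are made up for the demonstration.

```ruby
# Added illustration of the Authorizer policies described on this page.
# Not Npolar's code; StubAuth stands in for an Auth backend such as Npolar::Auth::Couch.
require "base64"

# Constant-time byte comparison so a wrong password does not leak
# how many leading bytes matched via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class StubAuth
  # Constructed sample users: username => password and roles per system.
  USERS = {
    "alice" => { password: "s3cret",  roles: { "arctic_animal" => %w[editor reader] } },
    "bob"   => { password: "hunter2", roles: { "arctic_animal" => %w[reader] } },
    "root"  => { password: "toor",    roles: { "arctic_animal" => %w[sysadmin] } }
  }.freeze

  def authenticate(username, password)
    user = USERS[username]
    return false unless user && password
    secure_equal?(password, user[:password])
  end

  # Roles are scoped per system, like auth.roles(system) on the page.
  def roles(username, system)
    USERS.dig(username, :roles, system) || []
  end
end

class Authorizer
  EDITOR_ROLE   = "editor"
  READER_ROLE   = "reader"
  SYSADMIN_ROLE = "sysadmin"
  WRITE_METHODS = %w[POST PUT DELETE].freeze

  # authorized: ->(roles, env) { bool }   (assumed simplification of :authorized?)
  # except:     ->(env) { bool }          (assumed simplification of :except?)
  def initialize(app, auth:, system:, authorized: nil, except: nil)
    @app, @auth, @system = app, auth, system
    @authorized = authorized || method(:default_authorized?)
    @except = except || ->(_env) { false }
  end

  def call(env)
    return @app.call(env) if @except.call(env)            # exempt, e.g. open GET/HEAD
    username, password = credentials(env)
    return deny(401) unless username && @auth.authenticate(username, password)
    roles = @auth.roles(username, @system)
    return deny(403) unless @authorized.call(roles, env)   # authenticated but not allowed
    @app.call(env)
  end

  private

  # Default policy from the page: editor role for writes, reader role for reads.
  def default_authorized?(roles, env)
    if WRITE_METHODS.include?(env["REQUEST_METHOD"])
      roles.include?(EDITOR_ROLE)
    else
      roles.include?(READER_ROLE)
    end
  end

  # Parse HTTP Basic credentials; malformed headers count as no credentials.
  def credentials(env)
    header = env["HTTP_AUTHORIZATION"].to_s
    return nil unless header.start_with?("Basic ")
    Base64.strict_decode64(header[6..]).split(":", 2)
  rescue ArgumentError
    nil
  end

  def deny(status)
    headers = { "Content-Type" => "text/plain" }
    headers["WWW-Authenticate"] = 'Basic realm="api"' if status == 401
    [status, headers, [status == 401 ? "Unauthorized\n" : "Forbidden\n"]]
  end
end

APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }

def basic(user, pass)
  "Basic " + Base64.strict_encode64("#{user}:#{pass}")
end

# Build a Rack env for a request and return only the status code.
def request(middleware, method, auth_header = nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => "/arctic/animal" }
  env["HTTP_AUTHORIZATION"] = auth_header if auth_header
  middleware.call(env).first
end

# 1. Default policy: reader may GET, editor may also POST/PUT/DELETE.
DEFAULT = Authorizer.new(APP, auth: StubAuth.new, system: "arctic_animal")
# 2. Tightened: sysadmin role required for every method (the :authorized? example).
SYSADMIN_ONLY = Authorizer.new(APP, auth: StubAuth.new, system: "arctic_animal",
  authorized: ->(roles, _env) { roles.include?(Authorizer::SYSADMIN_ROLE) })
# 3. Loosened: anonymous GET/HEAD, credentials for everything else (the :except? example).
OPEN_READ = Authorizer.new(APP, auth: StubAuth.new, system: "arctic_animal",
  except: ->(env) { %w[GET HEAD].include?(env["REQUEST_METHOD"]) })

if __FILE__ == $PROGRAM_NAME
  puts request(DEFAULT, "PUT", basic("bob", "hunter2"))   # 403: reader cannot write
  puts request(SYSADMIN_ONLY, "DELETE", basic("root", "toor")) # 200
  puts request(OPEN_READ, "GET")                          # 200: no credentials needed
end
```

Two points worth noticing when running it: with the default policy a user holding only `sysadmin` is refused a `GET` (403), because roles are matched literally and per system, so a sysadmin who should also read needs the `reader` role in that system; and with `:except?` the exempt methods bypass authentication entirely, so anything behind such a route must genuinely be public.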