Security - npolar/api.npolar.no GitHub Wiki

Security

Transport-level security

Make sure to run all APIs that require authentication and/or authorization under transport-level security (TLS/HTTPS); see [Install] for how to set this up using Nginx and Unicorn.

Authentication and authorization

Use Npolar::Rack::Authorizer for authentication and simple role-based access control.

The Authorizer restricts editing (POST, PUT, and DELETE) to users with an editor role, and reading to users with a reader role.

The Authorizer needs an Auth backend, see

  • Npolar::Auth::Ldap (or Net::LDAP) for LDAP authentication (authorization is @todo)
  • Npolar::Auth::Couch for a CouchDB-backed solution

  map "/arctic/animal" do
    # Auth backend: CouchDB database holding the API users
    auth = Npolar::Auth::Couch.new("https://localhost:6984/api_user")
    # Middleware must be Npolar::Rack::Authorizer (the class named above), not Npolar::Auth::Authorizer
    use Npolar::Rack::Authorizer, { :auth => auth, :system => "arctic_animal" }
    run Npolar::Api::Core.new(nil, { :storage => "https://localhost:6984/arctic_animal" })
  end

You can modify the behavior of the Authorizer by injecting lambda functions.

For example, here is how you can tighten security to users with a sysadmin role:

  use Npolar::Rack::Authorizer, { :auth => Npolar::Auth::Couch.new("https://localhost:6984/api_user"), :system => "api",
    :authorized? => lambda { |auth, system, request| auth.roles(system).include? Npolar::Rack::Authorizer::SYSADMIN_ROLE }
  }

For free/open data, you might want to loosen security by allowing anyone to read. This is easy using :except?, which skips authentication and authorization entirely for the requests it matches:

  use Npolar::Rack::Authorizer, { :auth => api_user, :system => "metadata",
    :except? => lambda {|request| ["GET", "HEAD"].include? request.request_method } }
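To show how the three configurations above behave against concrete requests, here is an added, self-contained example (not the project's code): `RoleAuthorizer` is a hypothetical Rack-style middleware that mirrors the `:auth`, `:system`, `:authorized?` and `:except?` options shown for Npolar::Rack::Authorizer, `MemoryAuth` is a constructed in-memory stand-in for an Auth backend such as Npolar::Auth::Couch (exposing `authenticate` and `roles(system)`), and the user table and credentials are constructed sample data. Credentials arrive as HTTP Basic auth, so in real deployments this only makes sense over TLS.

```ruby
# Constructed in-memory stand-in for an Auth backend such as Npolar::Auth::Couch
# (hypothetical, not the project's code): knows passwords and per-system roles.
class MemoryAuth
  def initialize(users)
    @users = users
    @current = nil
  end

  # True (and the user is remembered) only when the credentials match.
  def authenticate(username, password)
    user = @users[username]
    @current = user && user[:password] == password ? user : nil
    !@current.nil?
  end

  # Roles of the authenticated user for the given system; [] if none.
  def roles(system)
    @current ? @current[:roles].fetch(system, []) : []
  end
end

# Minimal Rack-style middleware modelled on the Npolar::Rack::Authorizer
# configuration on this page; a hypothetical reimplementation, not the real class.
class RoleAuthorizer
  SYSADMIN_ROLE = "sysadmin"
  EDIT_METHODS  = %w[POST PUT DELETE].freeze
  Request = Struct.new(:request_method, :env)

  def initialize(app, options)
    @app, @auth, @system = app, options.fetch(:auth), options.fetch(:system)
    @except     = options[:except?]      # lambda(request): true => skip auth entirely
    @authorized = options[:authorized?]  # lambda(auth, system, request) => true/false
  end

  def call(env)
    request = Request.new(env["REQUEST_METHOD"], env)
    return @app.call(env) if @except && @except.call(request)

    username, password = basic_credentials(env["HTTP_AUTHORIZATION"])
    unless username && @auth.authenticate(username, password)
      return [401, { "WWW-Authenticate" => %(Basic realm="#{@system}") }, ["Unauthorized"]]
    end
    ok = @authorized ? @authorized.call(@auth, @system, request) : default_authorized?(request)
    return [403, { "Content-Type" => "text/plain" }, ["Forbidden"]] unless ok

    @app.call(env)
  end

  private

  # Default policy from the page: editor role for POST/PUT/DELETE, reader role otherwise.
  def default_authorized?(request)
    roles = @auth.roles(@system)
    EDIT_METHODS.include?(request.request_method) ? roles.include?("editor") : roles.include?("reader")
  end

  # Parses "Basic base64(user:pass)"; nil for a missing or malformed header.
  def basic_credentials(header)
    return nil unless header.is_a?(String) && header.start_with?("Basic ")
    header.delete_prefix("Basic ").unpack1("m0").split(":", 2)
  rescue ArgumentError
    nil
  end
end

# Constructed sample users (not real accounts).
USERS = {
  "editor_user" => { password: "pw1", roles: { "arctic_animal" => %w[editor reader], "metadata" => %w[editor] } },
  "reader_user" => { password: "pw2", roles: { "arctic_animal" => %w[reader] } },
  "root_user"   => { password: "pw3", roles: { "api" => %w[sysadmin editor] } }
}.freeze
APP = lambda { |_env| [200, { "Content-Type" => "text/plain" }, ["ok"]] }

def env_for(method, user = nil, password = nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => "/" }
  env["HTTP_AUTHORIZATION"] = "Basic " + ["#{user}:#{password}"].pack("m0") if user
  env
end

# HTTP status the given middleware stack returns for one request.
def status_for(stack, method, user = nil, password = nil)
  stack.call(env_for(method, user, password)).first
end

# Default policy, as in the /arctic/animal mapping above.
def default_authorizer
  RoleAuthorizer.new(APP, { :auth => MemoryAuth.new(USERS), :system => "arctic_animal" })
end

# Tightened with :authorized? so only the sysadmin role may do anything.
def sysadmin_authorizer
  RoleAuthorizer.new(APP, { :auth => MemoryAuth.new(USERS), :system => "api",
    :authorized? => lambda { |auth, system, _request| auth.roles(system).include?(RoleAuthorizer::SYSADMIN_ROLE) } })
end

# Loosened with :except? so GET/HEAD need no credentials; writes still do.
def open_read_authorizer
  RoleAuthorizer.new(APP, { :auth => MemoryAuth.new(USERS), :system => "metadata",
    :except? => lambda { |request| %w[GET HEAD].include?(request.request_method) } })
end

if __FILE__ == $PROGRAM_NAME
  puts status_for(default_authorizer, "GET")                         # 401: no credentials
  puts status_for(default_authorizer, "PUT", "reader_user", "pw2")   # 403: reader cannot write
  puts status_for(sysadmin_authorizer, "GET", "editor_user", "pw1")  # 403: no sysadmin role on "api"
  puts status_for(open_read_authorizer, "GET")                       # 200: anonymous read allowed
  puts status_for(open_read_authorizer, "POST")                      # 401: writes still need auth
end
```

Two points worth noticing when wiring this up for real: `:except?` runs before any credential check, so whatever it matches is fully anonymous (limit it to safe methods such as GET/HEAD, as the page does), and `:authorized?` replaces the default editor/reader policy rather than adding to it, so a custom lambda must restate every rule it still wants enforced.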