Authentication is of little use if the APIs cannot be protected by a mechanism
that makes use of it. Permission rules take the authenticated account from the
request and check the requested action against that account.
Permission on the account itself
Let's implement a simple rule: a user can update and delete only himself.
Create a file named schema.teo with this content.
Create a file named .env.
Start the server.
Create a user and then try to update it. Send this JSON input to
/User/create.
Send this to /User/update.
You get an unauthorized error because you are not signed in. Sign in with the
account you just created by sending this to /User/signIn.
Update the user again, this time with the Authorization header set to Bearer #token#, where #token# is the token returned by signIn.
This time Teo resolves the user identity from the token, the rule matches, and the user is updated.
Permission on direct owned models
Update schema.teo with this content. This time we define a new model, Post.
As the new code shows, a post can be created, updated and deleted only by its
owner; other accounts cannot mutate it. Create posts with different users and
try the API requests: a mutation sent by a signed-in user who is not the owner
is rejected, just like the unauthenticated request above.
Admin's permissions
A web platform commonly has many admins, and admins have different roles.
Replace the schema with this.
Let's describe the rules we just created.
Admins can mutate users
An admin can delete a post, for example one that contains illegal or offensive content
Only admins can read admins
Only the admin himself and root admins can mutate an admin record
Indirect permissions
Indirect permissions cannot be expressed with pipeline items alone, so we
write programmatic code for them. Suppose projects belong to teams, a user can
join any team, and a team has many users. Only members of a project's team can
read or mutate that project. Written as code, the rule looks like this.
Transform the current directory into a project.
Let's generate the entities from the schema so we can program against them.
Now start the server with the app entrance. Try creating, updating and reading
projects with different user accounts.
Trying to create a project on a team that the user doesn't belong to causes
an error.
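The rules on this page, from the self-update rule through the admin rules to the team-membership check, written as one added Python example. This is not Teo's own API or generated entity code (in Teo the rules live in schema.teo pipeline items and the programmatic project code); the model classes, the can function and the choice that sign-ups and reads of users and posts are public are assumptions made here. It shows the two properties the tutorial relies on: an unauthenticated request matches no rule, and any action not explicitly granted is denied.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass(frozen=True)
class User:
    id: int


@dataclass(frozen=True)
class Admin:
    id: int
    root: bool = False          # assumption: root admins may mutate any admin record


@dataclass(frozen=True)
class Post:
    id: int
    owner_id: int               # id of the User who created the post


@dataclass(frozen=True)
class Team:
    id: int
    member_ids: frozenset       # ids of the Users who joined the team


@dataclass(frozen=True)
class Project:
    id: int
    team_id: int                # a project belongs to exactly one team


# None models a request that carried no valid bearer token.
Account = Optional[Union[User, Admin]]
MUTATIONS = frozenset({"update", "delete"})


def is_team_member(account: Account, project: Project, teams: Dict[int, Team]) -> bool:
    """Indirect ownership: account -> team -> project, resolved through the teams table."""
    team = teams.get(project.team_id)
    return isinstance(account, User) and team is not None and account.id in team.member_ids


def can(account: Account, action: str, target, teams: Optional[Dict[int, Team]] = None) -> bool:
    """Return True only when some rule explicitly grants `action`; deny everything else."""
    teams = teams or {}
    if isinstance(target, User):
        if action in ("create", "read"):
            return True                          # assumption: sign-up and profile reads are public
        if action in MUTATIONS:                  # the user himself, or any admin
            return account == target or isinstance(account, Admin)
    elif isinstance(target, Post):
        if action == "read":
            return True                          # assumption: posts are public
        if action == "create":
            return isinstance(account, User)     # any signed-in user; he becomes the owner
        is_owner = isinstance(account, User) and account.id == target.owner_id
        if action == "update":
            return is_owner
        if action == "delete":                   # owner, or an admin removing offensive content
            return is_owner or isinstance(account, Admin)
    elif isinstance(target, Admin):
        if action == "read":
            return isinstance(account, Admin)    # only admins can read admins
        if action in MUTATIONS:                  # the admin himself, or a root admin
            return account == target or (isinstance(account, Admin) and account.root)
    elif isinstance(target, Project):
        if action in ("create", "read") or action in MUTATIONS:
            return is_team_member(account, target, teams)
    return False                                 # unknown action or model, or unauthenticated


def walkthrough() -> Dict[str, bool]:
    """Replay the tutorial's requests against the rules (constructed sample data)."""
    alice, bob = User(1), User(2)
    mod, root = Admin(10), Admin(11, root=True)
    post = Post(100, owner_id=alice.id)
    teams = {7: Team(7, frozenset({alice.id}))}
    project = Project(500, team_id=7)
    return {
        "anonymous updates alice": can(None, "update", alice),
        "alice updates herself": can(alice, "update", alice),
        "bob deletes alice's post": can(bob, "delete", post),
        "mod deletes alice's post": can(mod, "delete", post),
        "bob reads mod": can(bob, "read", mod),
        "mod updates root": can(mod, "update", root),
        "root updates mod": can(root, "update", mod),
        "bob creates project in alice's team": can(bob, "create", project, teams),
        "alice reads her team's project": can(alice, "read", project, teams),
    }


if __name__ == "__main__":
    for request, allowed in walkthrough().items():
        print(f"{request}: {'allowed' if allowed else 'denied'}")
```

The comparisons use dataclass equality, so an Admin and a User that happen to share the same numeric id never match each other's self-rule; keep that separation when the accounts live in different tables. Since the function returns False for any action or model it has no rule for, adding a new model to the schema leaves it locked until a rule is written for it, which is the behaviour you want from a permission layer.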
Summary
Like everything else in Teo, permission rules are readable and clear. Developing
protected APIs and defining permission rules is fast and easy.