-
Notifications
You must be signed in to change notification settings - Fork 2
/
context.remarkup
69 lines (55 loc) · 2.46 KB
/
context.remarkup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# Context
`Context`s are central to how Sealious handle access control. Context is
basically a simple object that contains information about who and when is
performing a given request. Sealious creates a new context every time a user
sends an HTTP request to the app and passes it down to every subsequent function
call. The context is then used by all these methods to ensure that the user has
enough privileges to access or modify the given resource.
Thanks to that, even though the consequences of a single request can be complex,
the user will never see what they're not allowed to see and change what they're
not allowed to change.
Remember that in Sealious you don't have to write your own policy logic for each
endpoint. If you were to write your own endpoint, you don't have to perform any
access control checks. You can literally do:
```
lang=typescript
app.HTTPServer.router.get("/", Middlewares.extractContext(), async (ctx) => {
const users = await app.collections.users
.list(ctx.$context)
.fetch()
ctx.body = html(/* HTML */ `
<body>
<h1>My To do list</h1>
${users.map(user=>user.get("username")}
</body>
`);
});
```
And even if there are thousands of users within this app, this endpoint will
output only one user to every logged in user - themselves.
In short - thanks to Contexts and Policies, you define access control within the
collection definition and let Sealious worry about the rest.
## Super Context
A `SuperContext` is a context that passess all possible policy checks. It's like
`sudo` - with SuperContext you can see and modify basically everything. A user
using the sealious-made API endpoints has no ability to create a SuperContext.
`SuperContext` is only meant to be used in isolated places by the backend code.
Some ORM methods have their `super` equivalents. The Collection clas has `list`
and `suList`, for example. the `su`-prefixed methods don't ask for context and
create a SuperContext for you.
## Middlewares
When writing custom routes, you can use the `extractContext` middleware in order
to tell Sealious to extract context and session data from the request and pass
it to koa's `ctx`:
```
lang=typescript
import { Middlewares } from "sealious";
app.HTTPServer.router.get(
"/tasks",
Middlewares.extractContext(),
async (ctx) => {
const tasks = await app.collections.tasks.list(ctx.$context).fetch();
ctx.body.users = tasks.map((task) => task.get("title")).join("\n");
}
);
```