sinatra-authorize

Authentication-agnostic rule-based authorization extension for Sinatra

Provides a flexible rule-based authorization framework:

• Define authorize block for evaluating rules
• Set default rule for all routes
• Override default rule per route

Choice of authentication approach is entirely up to the application.

Installation

gem install sinatra-authorize

Usage

Define authorize block for evaluating rules, and optionally set the default rule:

authorize :deny => :all do |rule, args|
  # evaluate rule 
end

Omitting a default rule when defining the authorize block makes :allow => [] the default rule.

Override default rule per route:

get '/', :allow => :all do
  # :allow => :all rule overrides default :deny => :all rule
end

Authorization is performed just before the route is evaluated, after the pattern has been matched and any other conditions have been evaluated.

Usage scenario

Simple scenario with default :allow rule, which is overriden for protected routes:

require 'sinatra'
require 'sinatra/authorize'

enable :sessions

authorize do |rule, args|
  if args == [:user]
    session[:user] != nil
  elsif args == [:admin]
    session[:admin] != nil
  end
end

# Availabe to all, as default rule is :allow => []
get '/' do
end

# Availabe to all, as default rule is :allow => []
post '/authenticate' do
  if params[:username] == 'username' && params[:password] == 'password'
    session[:user] = params[:username]

    if session[:user] == 'admin'
      session[:admin] = true
    end
  end
end

# Only run for authorized user requests, because of override rule 
get '/content/:id', :allow => :user do
end

# Only run for authorized admin requests, because of override rule 
get '/admin/content/:id', :allow => :admin do
end

The authorize block only needs to handle the :allow rules present in the scenario. Also, only the rule arguments used, :user and :admin, are accounted for. No default rule is set when defining the authorize block, thus making :allow => [] the default rule. The routes / and /authenticate is evaluated using the default :allow rule, whereas the /content/:id and /admin/content:id routes override the default rule.

License

sinatra-authorize is licensed under the MIT license. See LICENCE for further details.