StormPath groups authorization using express-stormpath

Question

Using stormpath.groupsRequired middleware call,

router.get('/', stormpath.loginRequired, stormpath.groupsRequired(['org1-admin']), function (req, res) { res.render('index', {}); });

I can not hardcode the ‘org1-admin’ role, what options do I have? If I put this into a session , the session is not available for middleware. Any thoughts?

The user role ‘org1-admin’ will be identified when the app is launched based on the org1 param passed in the initial launch request url and ‘admin’ role read from config entry.

After the initial launch , this role should be available for subsequent routes to authorize. Appreciate your feedback!

Answer 1

If the group to check is determined on a per-request basis, you’ll need to modify the flow to use the groupsRequired middleware more like a function:

app.get('/', stormpath.loginRequired, function (req, res) {
  var group = 'foo'; // grab the group from your request context

  stormpath.groupsRequired([group])(req,res,function(){
    // If we got here, the user is in the group.  Otherwise the groupsRequired middleware would have ended the response with 403
    res.render('index', {});
  });
});

I hope this helps! This is a good use-case and I’d like to add something to this library which makes it easier to do this.