4.7 Policies and Responses
Sails uses policies to enforce access control in our application. In this lesson, let's use policies to make sure that only authenticated users are able to view the dashboard. We'll also take a look at the responses that are included with Sails and add a new response to handle unauthenticated users.
1.Introduction3 lessons, 11:27
2.Sails.js From the Front-End2 lessons, 20:07
3.Sails Blueprints2 lessons, 13:34
4.Building the Back-End7 lessons, 58:40
5.Additional Techniques2 lessons, 09:55
6.Conclusion1 lesson, 01:28
4.7 Policies and Responses
Hi folks. In this lesson, we're gonna take a look at policies in Sails. Our app now features authentication. So if we visit the sign in URL we'll see a page that will let us supply a username and password, in order to signin. Once the sign in has occurred successfully, the browser is then redirected back to the homepage. That's great. But at this point, there's nothing stopping an unauthenticated user just visiting the homepage directly. What we really need is a way to ensure that only authenticated users are able to view the homepage. And any unauthenticated users are redirected to the sign in page, so that they can sign in in order to get to the homepage. Policies allows us to quickly and easily achieve this. Policies are tools that are used to grant or deny access to controllers based on conditions. In this case, the condition will be whether a user is authenticated. If we open up the policies directory, We should find that there is already a policy in there called sessionAuth. Let's open this file up and take a look. So what this policy does is to check the request.session for the authenticated property, and if that's true, it invokes a callback called next. And if the authenticate property is not set on the session then it sends a forbidden message back to the client. So this sounds almost perfect, I mean this is almost exactly what we need. This brings to light another aspect of sales, responses. If we open up the responses folder now. We see that there is a file in here called forbidden.js. So when the sessionAuth policy returns the forbidden message, it will actually use this response here. So there's quite a lot going on in here. We won't go through that in too much detail. Instead we can add our own response to handle unauthenticated users. So let's create a new file in this directory and we'll call this unauthenticated.js. So this file will need to be a module. So it's pretty much a standard node module and the module is called unauthenticated. We will be needing the response object so we can get this from this .res. So, first of all, let's set the status of the response to 401. And we can then redirect back to our sign in page. Great, so that's all we actually need to do. So now let's go back to the sessionAuth policy and change res.forbidden to res.authenticated to use our new response. So at the moment the sessionAuth policy isn't being applied. We need to configure it in config/policies. First of all, we want to deny access to everything. So let's uncomment these star which matches all controllers and apply our new sessionAuth policy. Now, all controllers by default will be subject to the sessionAuth policy. Awesome, however, our homepage doesn't have any controller associated with it. So our policy won't be applied and any random visitor will still be able to access the homepage without logging in. So let's create a super basic controller for the homepage, which simply shows the homepage. And let's have Sails create the controller for us. So we used the generate sales command and we told it to generate us a new controller called home. And in the response we can see that it created the new controller at api/controllers/homecontroller. So let's open that up now and add a new action. And we can just have a simple action called showHomePage. So, all we want to do is invoke the next method of the response object. And this will result in the homepage being shown. So now we need to add a route for our new controller to config/routes.js So very, very simple. The URL this time is just slash and we map that to the HomeControler.showHomePage action that we just added. So now all requests to / will map to the showHomePage action in the HomeController, so let's lift Sails at this point. And let's try to visit /. And we see a 500 server error, so something hasn't worked. So we've got some output in the console, here. Let's have a look. So it's saying that unAuthenticated is not a function. And that looks like it's the casing on the filename, so let's correct that. And let's try to lift Sails again. And let's trying going back to / in the browser. So it's redirected us straight to the sign in page, which is exactly what we wanted. However, we do still have one problem. Unfortunately, we won't be able to sign in now, because the sessionAuth policy is being applied to all controllers. Including the UserController, which means that users will need to be signed in in order to sign in, and that's not quite right. So, let's go back to conflict/policies and we can add an exception for the UserController, which we do want to be public. And we can make the sign in action public by setting signin to true. So, let's relift Sails again. And let's start at the start and try to access /. So, it redirects us to sign in. And let's try to sign in. And a redirects us back to the homepage, which at this page is still broken, but that's fine. The policies that we created are being applied correctly and everything is working as expected. So, in this lesson we saw how to add policies in order to provide access control for our controllers. We saw how to apply the built in sessionAuth policy to all of our controllers by mapping this policy to start in config/policies. And we saw how to modify this built in policy to point to a new response called unAuthenticated. And we added this new response, which basically just redirects any unAuthenticated user to the sign in page. We also saw how to open up the sign in action controller on the user controller by setting it's true in conflicts/policies in order to allow unauthenticated users to sign in. Thanks for watching.