Role Based Access Control: Inline vs Centralized
I have a server with many methods that can be requested by a user (or other service). I want to implement a role based access control. I can think of 2 ways to do it.
Inline: Each method has `checkRole(req.role, 'some role')` as its first line.
Centralized: I have an object called `RoleMethods` that has, for each role, the list of allowed methods. Each request, before being routed to the method, will first call `checkRoleAndMethod(req.role, req.method)`.
(I'm guessing these are the 2 ways to do it; if they are bad and there's another, better way, please tell.)
- Pros of inline: each method explicitly says what role it requires, making it clear and readable
- Cons of inline: devs have to include the line in every method, causing some repetition, and they may forget it, causing vulnerabilities.
- Pros of centralized: avoids the cons of inline by centralizing into one step
- Cons of centralized: the role for each method is defined outside of it, making it harder to grasp and follow the logic. You'll need extra middleware to extract and check the method name (instead of just routing using a lib like Apollo Server). Devs may forget to include a method name, leading to the method being unusable.
Which way is considered best practice among professionals? Are there any other pros and cons I'm missing?
I personally prefer inline because I think the permission level is something that belongs in the method itself, and having to keep track of an extra RoleMethods object is annoying.
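As an added example (not code from the original post), here is the centralized variant in JavaScript with a deny-by-default check and a startup audit that catches the "forgot to list the method" case; `RoleMethods`, `handlers`, `dispatch` and the sample data are constructed for illustration.

```javascript
// Centralized RBAC: one RoleMethods map, one dispatch point that checks it.
// Assumed names (RoleMethods, handlers, dispatch) and sample data are constructed.
const RoleMethods = {
  admin: ['listUsers', 'deleteUser', 'getProfile'],
  user: ['getProfile'],
};

// Method handlers keyed by name. exportAudit is deliberately missing from
// RoleMethods to show how a forgotten entry is detected and handled.
const handlers = {
  listUsers: () => ['alice', 'bob'],
  deleteUser: (req) => `deleted ${req.id}`,
  getProfile: (req) => ({ role: req.role }),
  exportAudit: () => 'audit log',
};

// Precompute a Set per role so each request check is a single lookup.
const allowed = Object.fromEntries(
  Object.entries(RoleMethods).map(([role, list]) => [role, new Set(list)])
);

// Deny by default: unknown role or unregistered method both return false.
function checkRoleAndMethod(role, method) {
  const set = allowed[role];
  return set !== undefined && set.has(method);
}

// Startup audit for the "dev forgot the method name" case: handlers that no
// role can reach. Run this in CI or at boot and fail if it is non-empty.
function unreachableMethods() {
  const reachable = new Set(Object.values(RoleMethods).flat());
  return Object.keys(handlers).filter((name) => !reachable.has(name));
}

// The only entry point to handlers: the check cannot be skipped per method.
function dispatch(req) {
  if (!checkRoleAndMethod(req.role, req.method)) {
    return { ok: false, error: 'forbidden' };
  }
  const handler = handlers[req.method];
  if (handler === undefined) return { ok: false, error: 'unknown method' };
  return { ok: true, result: handler(req) };
}

// Stand-alone demo.
console.log(dispatch({ role: 'user', method: 'deleteUser', id: 7 })); // forbidden
console.log(unreachableMethods()); // ['exportAudit']
```

Because the check runs before routing and denies anything not listed, an unlisted handler is unreachable rather than exposed, and the audit turns that silent gap into a build-time failure.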