Class: Otto::Security::Authentication::RouteAuthWrapperComponents::RoleAuthorization

Inherits:

Object

• Object
• Otto::Security::Authentication::RouteAuthWrapperComponents::RoleAuthorization

Defined in:

lib/otto/security/authentication/route_auth_wrapper/role_authorization.rb

Overview

Note:

This is Layer 1 authorization only. Layer 2 (resource-level) authorization should be handled in Logic classes via raise_concerns.

Handles Layer 1 (route-level) role-based authorization

Extracts user roles from authentication results and checks against route requirements using OR logic (user needs ANY of the required roles).

Examples:

authorizer = RoleAuthorization.new(route_definition)
authorizer.check!(strategy_result, env)  # raises or returns true

Instance Method Summary

• #authorized?(result) ⇒ Boolean

  Check authorization, returning boolean.

• #check(result, env) ⇒ true, Hash

  Check if authentication result satisfies role requirements.

• #initialize(route_definition) ⇒ RoleAuthorization constructor

  A new instance of RoleAuthorization.

• #requirements ⇒ Array<String>

  Get the role requirements for error messages.

Constructor Details

#initialize(route_definition) ⇒ RoleAuthorization

Returns a new instance of RoleAuthorization.

Parameters:

• route_definition (RouteDefinition) —

  Route with role requirements

# File 'lib/otto/security/authentication/route_auth_wrapper/role_authorization.rb', line 21

def initialize(route_definition)
  @route_definition = route_definition
end

Instance Method Details

#authorized?(result) ⇒ Boolean

Check authorization, returning boolean

Parameters:

• result (StrategyResult) —

  Authentication result

Returns:

• (Boolean) —

  true if authorized

# File 'lib/otto/security/authentication/route_auth_wrapper/role_authorization.rb', line 55

def authorized?(result)
  role_requirements = @route_definition.role_requirements
  return true if role_requirements.empty?

  user_roles = extract_roles(result)
  (user_roles & role_requirements).any?
end

#check(result, env) ⇒ true, Hash

Check if authentication result satisfies role requirements

Parameters:

• result (StrategyResult) —

  Authentication result

• env (Hash) —

  Rack environment (for logging)

Returns:

• (true) —

  if authorized

• (Hash) —

  failure info if not authorized: { authorized: false, required: […], actual: […] }

# File 'lib/otto/security/authentication/route_auth_wrapper/role_authorization.rb', line 31

def check(result, env)
  role_requirements = @route_definition.role_requirements
  return true if role_requirements.empty?

  user_roles = extract_roles(result)

  # OR logic: user needs ANY of the required roles
  if (user_roles & role_requirements).any?
    log_success(env, role_requirements, user_roles)
    true
  else
    log_failure(env, role_requirements, user_roles, result)
    {
      authorized: false,
      required: role_requirements,
      actual: user_roles,
    }
  end
end

#requirements ⇒ Array<String>

Get the role requirements for error messages

Returns:

• (Array<String>) —

  Required roles

# File 'lib/otto/security/authentication/route_auth_wrapper/role_authorization.rb', line 66

def requirements
  @route_definition.role_requirements
end