Authentication

Two possible ways to protect data with a password:

  • limit access to tables or columns
  • filter data by authenticated user.

Zazler supports basic authentication. Users are stored in an SQL table. The configuration says how to query the user; if at least one matching row is found, authentication is successful.

If there is a table users(login, pwd), the configuration could look something like this:

zazler.db("name", "uri...", { 
  auth: { table: "users",
          where: "login=req.user:pwd=req.pass"
        }
});

Special fields that can be used:

  • req.user – username
  • req.pass – plain text password
  • req.passMd5 – md5 hashed password
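How these three fields relate to the Basic authentication header a client sends, as an added example (not Zazler's own code). The function name basicAuthFields and the sample credentials are constructed for illustration, and it is an assumption that req.passMd5 is the lowercase hex MD5 of the UTF-8 password.

```javascript
// Added illustration, not Zazler source code.
const crypto = require("node:crypto");

// Decode an "Authorization: Basic ..." header value into the three
// fields that the auth "where" expression can reference.
// Assumption: passMd5 is the lowercase hex MD5 of the UTF-8 password.
function basicAuthFields(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec((header || "").trim());
  if (!m) return null;                    // header missing or not Basic
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");       // only the FIRST colon separates
  if (sep < 0) return null;               // no user:pass pair present
  const user = decoded.slice(0, sep);
  const pass = decoded.slice(sep + 1);    // the password may contain ':'
  const passMd5 = crypto.createHash("md5").update(pass, "utf8").digest("hex");
  return { user, pass, passMd5 };
}

// Constructed sample: user "alice", password "s3:cret"
const sample = "Basic " + Buffer.from("alice:s3:cret").toString("base64");
console.log(basicAuthFields(sample));
```

The header is only base64-encoded, so the plain text password is recoverable by anyone who can read the request unless the connection uses TLS.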

Notice that joins are also available. There is also no need to query the same database: if the table is "db/table", another database is used ("db" is the first argument of the zazler.db call, not the database's natural name).

Easy table/column based protection

The protect parameter says which tables and columns need authentication. To protect the whole database: protect: "*" (like for read).

Data filtering by user

After successful authentication there is a meta table auth that can be used in table filters. Everything that the auth SQL query returned can be used in auth.

If zazler finds auth usage, authentication is called automatically.

zazler.db("name", "uri", {
  read: "*",
  protect: "sometable othertable(a)", // only one column can be protected
  auth: {
    table: "users",
    select: "group,id",
    where: "login=req.user:pwd=req.passMd5"
  },
  filter: [
    { table: "products",  // filter by my group
      where: "userGroup=auth.group"
    },
    { table: "users",     // show only the user's own row
      where: "id=auth.id"
    }
  ]
});