An RBAC proposal in a simple way

github: https://github.com/KeroVieux/RBAC-proposal

Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges.
Further reading: https://en.wikipedia.org/wiki/Role-based_access_control && https://zhuanlan.zhihu.com/p/63769951

Even large information shows on the internet to tell people what the RBAC is. However, it still makes people feel difficult to understand it and use it in practice.
The concept is clear. The RBAC method enables you to control the permission of the data to show to different roles of users. For instance, people in different departments can read different announcements. In this case, how to set the permission for each announcement?
Following the RBAC concept, I developed a demo to show you how to use it in a simple situation, including database setting, initial data and querying the data.

How to run this demo

1. npm i to install dependencies
2. node generateRoles.mjs to generate roles
3. node generateUsers.mjs to generate users
4. node generateContent.mjs to generate news and permissions
5. node index.mjs to check the result
6. Go into the index.mjs to see more details

In this demo what you can get

Database setting

Querying the right news

1. Get the user info.
2. Get the user's read access for news. Here, you need to filter permissions that have the user's roles in its reaRoles filed && the user is not in the bannedUser list.
3. Get news which the user has the right to read
4. In an extra function, it uses the fuse.js to do the search work.

Limits

It is a demo for the RBAC concept, when you understand it, then you can design your own proposal.
It uses the pouchDB to get the data, in your case, you should shift it to your database or RESTful to query the data.

qiniu-uploader

使用七牛的用户，相比大部分都是国人，这里就使用中文做一下简介吧！
Hey guy, perhaps it's a wrong way for you here, if you are doing the qiniu in vue and there is a little hassle , I am eager to help , email me.
这是一个针对七牛上传文件的input[type="file"]，并不是一个封装完成的插件，仅供参考代码应用。但，加入了多选文件、loading效果、基础样式、用户体验的判断，只要照搬代码到你的项目中，基本能满足在客户端的上传动作。

github: https://github.com/KeroVieux/qiniu-uploader

依赖

• axios - 上传和获取token需要
• font-awesome - 图标

组件说明

props接收参数

• accepts - 限制上传文件类型，默认为图片
• multiple - 支持多选开关，true/false
• maxSize - 最大文件支持，默认为不限制（不建议）

方法说明

• upload - 选择文件后触发，从api获取token后上传文件到七牛服务器

使用例子说明

• 支持多选、选择完成后自动触发上传动作以及查看
• 并没有真正的删除已上传的文件

解决需求

github:https://github.com/KeroVieux/cloud-printer
用户在客户端上传自己所需要打印的文档，由映美云打印服务api触发自动打印，管理端可查看各种详细信息

技术栈

nodejs + mongoDB
vue 2.x

Open source https://github.com/KeroVieux/doge-micro-api

doge-micro-api

This a showcase of the 'arc.codes', also a startkit of a serverless proposal
more https://arc.codes

概念

1. aws的serverless全家桶可以降低运维成本、降低开发成本、提升扩展能力。只是在大陆并不好用（没有大陆服务器），开发者举步维艰（只有英文文档），我们需要思考如何设计架构能够达到上述3个效果
2. 其中FaaS（Functions as a Service）概念，居功至伟，是达到上述效果的关键所在

如何降低运维成本

1. 将 构建服务器获取代码 -> 安装依赖 -> 编译 -> 打包 -> 上传 ->重启服务，这个流程简化为服务器获取代码 -> 安装依赖。
2. 能够单独部署子功能
3. 从运维工作中就能定位到报错的原因

如何降低开发成本

1. 使用FaaS的思路，每个服务对应一个函数，每一个函数使用自己的依赖
2. 将业务函数和功能函数彻底分离，减少代码中的交叉import，更容易定位报错
3. 将依赖分区管理，每个函数的文件夹内单独安装依赖
4. 不再出现开发人员a改了一个函数，开发人员b发现报错，定位错误的时间缩短

如何提升扩展能力

1. 依赖分区后，不再出现不敢动公共依赖导致不敢写公共类
2. 不再出现不敢写公共类，每个开发人员各自维护公共类

工具对比

腾讯出品 - Tars

1. https://github.com/TarsCloud/Tars
2. 算了，不想说了，觉得反而增加了开发的负担

zeit专用 - micro

1. https://github.com/vercel/micro
2. 实现了FaaS的思路
3. 开发体验一般……

aws专用 - arc

1. https://github.com/architect/architect
2. 实现了FaaS的思路
3. 一键安装/升级所有函数所需要的依赖
4. 自动编译修改后的文件
5. 这里就展示这个工具的使用例子

Use it as a startkit

Install

npm install -g @architect/architect

Start

edit /project/path/.arc

@app
your-app-name

@http
get /

execute the init command arc init , it will generate files like

├── src/
├── http
│   └── get-index
│       ├── .arc-config
│       └── index.js
└── .arc

execute the sandbox bash , arc sandbox
Now your have got an api which http://localhost:3333/ (get)

Add an function

edit /project/path/.arc

@app
your-app-name

@http
get /
get /add // what your needed

execute the init command, arc init, it will generate files like

├── src/
├── http
│   └── get-index
│       ├── .arc-config
│       └── index.js
│   └── get-add
│       ├── .arc-config
│       └── index.js
└── .arc

now your have got one more api which http://localhost:3333/add (get)
No need restart service

Install dependencies for a new function

$ cd /function/path/
$ echo {} > package.json && yarn add @architect/functions aws-sdk

Install new dependencies for a function which is exist

$ cd /function/path/
$ yarn add axios

Install/update dependencies for a function which is exist from the package.json

$ arc hydrate

or

$ arc hydrate update

Add some functions can be used for other function

$ cd /project/path/
$ mkidr shared
$ touch dataServerSDK.js
$ cd /project/path/shared
$ echo {} > package.json && yarn add @architect/functions aws-sdk

edit the file

module.exports = function layout(body) {
  return `
  <html>
    <body>
      <h1>layout</h1>
      ${body}
    </body>
  </html>
  `
}

And then use it

let layout = require('@architect/shared/layout')

exports.handler = async function http(req) {
  return {
    body: layout('hello world')
  }
}

deploy

1. git push in your side
2. login your server and execute git pull in the path of project
3. execute arc hydrate to refresh dependencies
4. if something goes wrong, just restart the service

其他

1. token授权在哪？ 可以写一个jwt的函数；也可以使用各大平台的oath2，在函数里面与授权服务通信来确定授权和身份；
2. 数据库在哪设置？ 可以写各种insert query的函数，在函数内单独设置与服务器的连接；也可以将数据服务独立，提供rest api，让函数与数据服务使用http通信；

开发建议

1. 建议必须的基础服务： 1. 授权服务； 2. 图片服务； 3. 用户资料服务； 4. 数据储存服务；等等，
2. 每个函数需要做好错误处理，拒绝500错误，返回正确的错误信息
3. 所有业务需求在前端处理

open source - https://github.com/KeroVieux/fingerprint-web-auth-proposal

why I show you this

There are many guys require to settle cross-domain token, but all most all reply is it not gonna happen, please change your mind.
Trust me, it easy to make it happen, just follow my step, this proposal will show you something brand new.

confirm that what you need to address

1. prohibit users to share the link to someone else;
2. always can get the user token or the userId, whatever the user link to which domain;

How to do

1. use fingerprint2 to identify the user's device
2. in order to increase the probability of detection that device as unique, get the user's IP is required.
3. set up a database to store the login record
4. when a user login one of your app, you insert a record to the database, like { authId, IP, fingerprint,jwtToken }
5. when a user needs to check the auth status, you can search the database, match this user's { authId, IP, fingerprint }

disadvantage

1. a user shared a link to a man who has the same fingerprint info, that will be leaked information ( I assert just a few people have the same fingerprint info)
2. users can share the link / authId / fingerprint info with other people(I just can say someone can share their account and password with other people, how can you stop it)

3 api

login

1. after the oauth action, you have got the userId
2. post the data { userId, fingerprint } to the login api, that will return a authId
3. store the authId in localstorage

check

1. post the data { authId, fingerprint } to the check api, that will return a userId and the jwtToken
2. if it is not a legal user, the api will return false

logout

1. remove the authId in localstorage
2. post the data { authId } to the logout api, that will return true.

enter an app in a different domain

1. the href should be xxx.com?authId=:authId
2. store the authId in localstorage
3. post the data { authId, fingerprint } to the check api, that will return a userId

what now

1. you can see, when a user stays in your app have the userId, it can assert it as a legal user.
2. post the userId to your access center server to check the user's auth
3. post the userId to your user center server to get user profile
4. use the jwtToken to require api what you need.

思路详述

当前流行方案JWT

流程

1. 账号密码登录，得到有时限的token
2. 存入localstorage，请求其他接口在headers.auth中加入token
3. 服务端验证token，匹配权限后进入自身逻辑

当前需求冲突

1. 现在的趋势是设备校验身份（参考手机的指纹验证进入app，mac的指纹验证进入系统），密码不再是唯一登录方式，
2. 用户更倾向于自己的设备不应该有授权时限，要求用户重复登录
3. 跨域使用token基本上很困难

重新设计fingerprint web auth - FWA

说明

目的

1. 用户只能自己浏览网页，阻止分享他人，泄露信息
2. 能够跨域使用授权信息
3. 取消授权时限，只依赖设备加密

使用方法

1. 使用fingerprint2，识别唯一设备(不是绝对成功)
2. 为了让同型号同设置的设备不重复，授权信息表加入ip记录，网络环境改变也需要重新登录
3. 身份校验需要authId fingerprint ip完全匹配

已知弊端

1. 用户分享自己的网页给一个拥有一样fingerprint的人，就会泄密(同型号、同批次、同设置、同网络下的你们，关系非同一般，泄密似乎不可怕……)
2. 恶意分享authId fingerprint给他人进行泄密(jwt还恶意分享账号密码呢……)

我一定要用jwt!

1. 当然可以，这个不冲突的，用这个设计思路把jwt token存入授权信息表中，跨域也能获得token

第一步 登录

初次登陆或注销后登陆

1. if !authId, 则需要扫码或点击按钮进行授权认证，得到userId
2. 在授权信息表储存身份信息, required: userId fingerprint,返回authId
3. localstorage储存authId

再次使用

1. if authId
2. 请求授权信息表，required: authId fingerprint，同时匹配返回userId

检验授权失败

1. 缺少authId
2. authId fingerprint ip，不完全匹配

授权信息表设计

1. userId
2. fingerprint
3. ip
4. createdAt

第二步 跳转其他域名获取授权

1. 跳转网址，query需要authId, 例如 xxx.com?authId=:authId
2. localstorage储存authId
3. 请求授权信息表，required: authId fingerprint，同时匹配返回userId

请求其他接口

1. 将authId fingerprint加密后加入header.Authorization字段中
2. 接口解密header请求授权信息表，required: authId fingerprint，同时匹配返回userId
3. 使用userId查询权限中心，当前用户和当前接口匹配后进入自身逻辑

注销

1. 清除localstorage的authId
2. 请求授权信息表，required: authId，软删除该记录
3. 重新登录

当前的两难境地描述：

1. 大众所认识的品牌路由器在售带web认证接入wifi的型号屈指可数，几乎只有百兆企业路由可选择；
2. 杂牌路由不一定敢使用，担心固件有后门，埋下隐患；
3. 主路由使用千兆路由，再由一个带web认证的百兆路由开启guest wifi，通常这类路由的无线功能比较弱鸡，所以还得继续给这个guest路由扩展AP，导致成本直线上升；
4. 下图为其中一个带web认证接入功能的路由，不一一列举，其实都差不多

解决方案

1. 使用wrt开源固件，定制一个与自用网络绝对隔离的guest网络；
2. 对guest网络配置限时、限速、限定访问、白名单、黑名单等功能；
3. 实现过程过于复杂和坎坷，不在此乱说了。。私聊。。
4. 设计扫码连接指引的广告单张、连接页面、与链接成功页面（此步骤对品牌宣传有相当的作用），如下图

广告单张

连接页面

成功页面