topic Re: Implement Authorization for $batch request XSJS in Application Development and Automation Discussions

Implement Authorization for $batch request XSJS

sunojmichael1 — Sat, 11 Jul 2020 15:22:15 GMT

Hi,

I have an oData on SCP Cloud foundry XSA.

I want to implement authorization check for $batch request. Basically i am having express + passport for the user auth related aspects.

A set of users have GET privilege, another set have update prevliage etc.

The logics works perfectly fine for GET/PUT/POST/DELETE request.

But for $batch as we know its at POST request with multiple request in request body. It can be a GET/PUT etc.

So how do we do such a thing?

Re: Implement Authorization for $batch request XSJS

jhodel18 — Sun, 12 Jul 2020 05:57:05 GMT

Hi Sunoj,

You don't put authorization check on batch request itself. You do the authorization check on those individual CRUD operations that are put inside the batch request.

Re: Implement Authorization for $batch request XSJS

sunojmichael1 — Sun, 12 Jul 2020 16:13:28 GMT

Hi Jhodel,

Thanks!.

Ya, totally agree that we put authorization check for CRUD requests inside batch.

That's my doubt as well.

How do we get the request details inside. I know about that the code added below can give me the request body content as a string which, I might be able to phase based on boundary and changeset. But rather than that, is there any npm package ? Or is there a better way to do that?

Basically what I need, is to get the all the requests that are inside the request body, as a request array. So that, I can process them in sequence.

var body = [];
req.on('data', (chunk) => {
  body.push(chunk);
}).on('end', () => {
  body = Buffer.concat(body).toString();<br>

Re: Implement Authorization for $batch request XSJS

jhodel18 — Mon, 13 Jul 2020 13:41:03 GMT

Wait?! Where did you inject that code? To me, it looks like you have injected a middleware to your XSJS or XSODATA implementation, is this correct assumption?

If you are using XSJS just like what you mentioned on the title of your post, the parsing of the body of the $batch request is already handled by the XSODATA framework and you shouldn't really bother yourself about parsing it yourself. The only thing you need to do is use the XSJS event hooks (before, on, and after events) that the framework provided to you.

Re: Implement Authorization for $batch request XSJS

sunojmichael1 — Tue, 14 Jul 2020 10:30:12 GMT

Yes Jhodel.

We have a middleware+ passport in server.js file. and process some of the odata request there - which is needed.

My only issue was with $batch, I can have validation exits like you said.

But do the hook evens trigger for GET requests[I would be bypassing the $batch from server.js].