is middleware or ( || ) operator not working

[erikkallen]

In my application I have added multiple roles such as administrator and I am trying to limit routes to specific roles as shown in the documentation

Route.post('/device/:id/upload', 'DeviceController.upload')
  .middleware(['auth:jwt', 'is:(administrator || support || productionOwner)'])

however only the first role is considered and if I have a support role (in this example) I receive a forbidden error.

Looking at the code in the middleware (src/Middlewares/Is.js)

class Is {
  async handle ({ auth }, next, ...args) {
    let expression = args[0]
    if (Array.isArray(expression)) {
      expression = expression[0]
    }
    console.log("Expression ", args, expression)
    const is = await auth.user.is(expression)
    if (!is) {
      throw new ForbiddenException()
    }

    await next()
  }
}

I looked at the values passed and it seems to me the method does not receive the expected input
Expression [ [ '(administrator ' ] ] (administrator where to me it looks like the function expects something like 'administrator || support'

Looking at the documentation of adonis middleware it seems that the pipe operator is used for passing multiple middlewares Middleware uses the pipe expression to define props. this might have recently changed (I see no mention of the pipe syntax in the adonis 3.2 docs)

I would like to know if I am missing something obvious if not my guess is that the passing of operators has to be changed to text versions like 'or' and 'and'

[erikkallen]

I have created a pull request with a possible fix/workaround

[cmelgarejo]

No need on a workaround, just an update to the README.md feel free to merge #24 or just use @erikkallen 's PR when he corrects the README.md too. 👍

[gideaoms]

This way solve this problem:

Route.post('/device/:id/upload', 'DeviceController.upload') 
.middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

[AndreCosta101]

This way solve this problem:

Route.post('/device/:id/upload', 'DeviceController.upload') 
.middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

It works!! Many thanks!

[ajkal5]

Hi Erik Kallen,

I have tried with || and or, for both I get Invalid Expression when I test from PostMan.

Route.resource('/permissions', 'PermissionController').apiOnly().middleware(['auth', 'is:(administrator or moderator)'])

Any suggestions with changes?

Thanks

Ajay K

[erikkallen]

I think you are missing which auth provider to use, auth:jwt or auth:api you only have auth.

…

On Sun, 24 May 2020 at 21:00, ajakl5 ***@***.***> wrote: Hi Erik Kallen, I have tried with || and or, for both I get Invalid Expression when I test from PostMan. Route.resource('/permissions', 'PermissionController').apiOnly().middleware(['auth', 'is:(administrator or moderator)']) Any suggestions with changes? Thanks Ajay K — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#22 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD57ZANCPBD47CBU77AA2LRTFVF3ANCNFSM4FSF6HOQ> .

[ajkal5]

Erik,

I have changed to :

Route.resource('/roles', 'RoleController').apiOnly().middleware(['auth:jwt', 'is:(administrator || moderator)'])
, still same issue.

Thanks

Ajay K

[erikkallen]

Now try with or

…

On Sun, 24 May 2020 at 21:15, ajakl5 ***@***.***> wrote: Erik, I have changed to : Route.resource('/roles', 'RoleController').apiOnly().middleware(['auth:jwt', 'is:(administrator || moderator)']) , still same issue. [image: 2020-05-25_003442] <https://user-images.githubusercontent.com/48468112/82762868-0f897f00-9e21-11ea-873a-ceace2d7a722.png> Thanks Ajay K — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#22 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD57ZA3WLCFPUJZQPJM42DRTFW6XANCNFSM4FSF6HOQ> .

[ajkal5]

Hi Erik,

Yes, it finally works.

Thanks

Ajay K

[Kledenai]

This way solve this problem:

Route.post('/device/:id/upload', 'DeviceController.upload') 
.middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

owwwwwwwwww mannn thanks thanks thanks mann ahhhhhhhh!!!

saved me a really big time 😆

[ewchow]

In case anyone is interested in knowing why |s get stripped from middleware arguments (at least up to v5):
In @adonisjs/http-server, a package called @poppinss/haye supplies a parsing function called Pipe that parses named middleware. It looks for delimiters like : to get the middleware args. Here is where it matches for |s, and I'm guessing the intention is that middleware can be supplied as "auth:web|is:admin" or something like that.