@jordanell
Last active April 30, 2019 20:34
Express authorization middleware
import { isEmpty } from 'lodash';

import {
  ForbiddenError,
  NotFoundError,
} from 'src/errors';
import models from 'src/models';

const defaultBlacklist = [];

// Builds an Express middleware that runs models[model].authorizer[operation]
// against the current user and the loaded instance.
export default (model, operation) => {
  // Ensure the model exists
  if (!models[model]) {
    throw new NotFoundError(`authorizeModel: Model not found: ${model}`);
  }

  // Ensure authorizers exist for this model
  let authorizer = models[model].authorizer;
  if (!authorizer) {
    throw new NotFoundError(`Missing authorizer for model: ${model}`);
  }

  // Ensure this authorizer operation exists
  authorizer = authorizer[operation];
  if (!authorizer) {
    throw new NotFoundError(`Missing authorizer: ${model}[${operation}]`);
  }

  return async (req, res, next) => {
    try {
      const isAuthorized = await authorizer(req.currentUser, req.instance);

      return isAuthorized
        ? next()
        : next(new ForbiddenError());
    } catch (err) {
      // A rejected authorizer must reach the error handler; otherwise the
      // request hangs on an unhandled promise rejection.
      return next(err);
    }
  };
};
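The authorizer contract this middleware expects, shown as an added example that is not part of the gist or the author's code base. The `Post` model, its three authorizers, the local `ForbiddenError`, the `decide` harness and passing the registry as a parameter are all assumptions made so the block runs on its own.

```javascript
// Added example: constructed model registry and request harness (not from the gist).
class ForbiddenError extends Error {}

// Hypothetical model with an authorizer map keyed by operation name.
const models = {
  Post: {
    authorizer: {
      // Anyone signed in may read; only the owner or an admin may update.
      read: async (user) => Boolean(user),
      update: async (user, post) =>
        Boolean(user && post) && (user.isAdmin === true || post.ownerId === user.id),
      // Simulates an authorizer whose lookup fails at request time.
      destroy: async () => { throw new Error('policy store unavailable'); },
    },
  },
};

// Same contract as the gist's factory, with the registry passed in so the
// block runs without 'src/models'. Rejections are forwarded to next().
const authorize = (registry, model, operation) => {
  const authorizer = registry[model] && registry[model].authorizer
    && registry[model].authorizer[operation];
  if (typeof authorizer !== 'function') {
    throw new Error(`Missing authorizer: ${model}[${operation}]`);
  }
  return async (req, res, next) => {
    try {
      // Only a literal true grants access (stricter than the gist's truthy check).
      const ok = await authorizer(req.currentUser, req.instance);
      return ok === true ? next() : next(new ForbiddenError());
    } catch (err) {
      return next(err);
    }
  };
};

// Runs one middleware against a fake request and reports the outcome.
const decide = async (operation, currentUser, instance) => {
  let outcome = 'no-call';
  const next = (err) => {
    outcome = !err ? 'allowed' : err instanceof ForbiddenError ? 'forbidden' : 'error';
  };
  await authorize(models, 'Post', operation)({ currentUser, instance }, {}, next);
  return outcome;
};
```

A request with no `currentUser` is denied by every authorizer here, so the middleware fails closed even if an authentication step was skipped on the route.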