Modifying the rule for the Create Game endpoint
Now that we have defined a policy that permits or denies the ability to create a game based on the email address of the person creating the game, we will modify the rule so that any user can create a game, but only those with real email addresses can create games with invitees. This section demonstrates how a policy can take an action based on data in the request body.
About this task
To review, the Meme Game API offers a game creation endpoint that looks like this:

POST /api/v1/games
{
  "data": {
    "type": "game",
    "attributes": {
      "invitees": ["friend@example.com"]
    }
  }
}

The requester specifies one or more invitees using the data.attributes.invitees field. We will extend the existing rule with a second comparison so that it denies a new game only when the token subject ends with @example.com and the request also lists invitees. A request from such a subject with no invitees is still permitted, as is any request from a subject with a different email domain.
Steps
- Define a Trust Framework attribute to represent the data.attributes.invitees field.
  - In the Policy Editor, go to Trust Framework and click Attributes.
  - From the menu, select Add new Attribute.
  - For the name, replace Untitled with Meme Game invitees.
  - Verify that in the Parent field, no parent is selected. To remove a parent, click the delete icon to the right of the Parent field.
  - Click the icon next to Resolvers and click Add Resolver.
  - Set Resolver type to Attribute.
  - Select the attribute HttpRequest.RequestBody.
  - Click the icon next to Value Processors and click Add Processor.
  - Set Processor to JSON Path.
  - Set the value to $.data.attributes.invitees.
  - Set Value type to Collection.
  - For Value Settings, select Default value and specify square brackets ([]) to indicate an empty collection. The default matters: a request body that has no invitees field then resolves to an empty collection rather than to no value at all, so the comparison against [] in the rule below can still evaluate.
  - Set Type to Collection.
  - Click Save changes.
  The following image shows the new attribute.
  This Trust Framework attribute introduces resolvers and value processors, which are two important components. To better understand these components, see For further consideration: Resolvers and value processors.
- Modify a rule to use the Meme Game invitees attribute we just created.
  - In the Policy Editor, go to Policies.
  - Select the Users starting a new game policy.
  - Rename the Deny if token subject ends with @example.com rule to Deny if token subject ends with @example.com AND request contains invitees.
  - Expand the rule by clicking its icon.
  - For Effect, select Deny.
  - Specify a second comparison:
    - Click Comparison.
    - From the Select an Attribute list, select Meme Game invitees.
    - In the second field, select Does Not Equal.
    - In the third field, type [].
  - Click Save changes.
  Both comparisons must now hold for the rule to deny: the token subject ends with @example.com and the invitee collection is not empty.
  The following image shows the rule.
- Test the policy.
  As before, you can test your policy by sending an HTTP request or using the Policy Editor test interface. Try testing using the following combinations of inputs:
  - An access token with the subject user.0@example.com and with invitees. This should be denied.
  - An access token with the subject user.0@my-company.com and with invitees. This should be permitted.
  - An access token with the subject user.0@example.com and no invitee list. This should be permitted.
  - An access token with the subject user.0@my-company.com and no invitee list. This should be permitted.
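To check the rule's logic before exercising it in the Policy Editor, the following is an added Python model of what the Meme Game invitees attribute and the two-comparison rule compute. It is example code written for this page, not PingOne Authorize code and not part of the original tutorial. It assumes the policy falls through to Permit when the Deny rule does not match, models only dotted JSON Path expressions (the real JSON Path processor supports far more), and uses constructed request bodies; the function names are illustrative. Beyond the four cases in the test list, it also covers an explicitly empty invitees list and a body with no attributes object, both of which resolve to [] because of the default value set on the attribute.

```python
"""Offline model of the 'Users starting a new game' rule after this section.

Added example, not PingOne Authorize code. It mimics the Trust Framework
attribute (HttpRequest.RequestBody -> JSON Path $.data.attributes.invitees,
Default value []) and the rule 'Deny if token subject ends with @example.com
AND request contains invitees'. Helper names and the fall-through-to-Permit
behaviour are assumptions made for this example.
"""
import json

INVITEES_PATH = "$.data.attributes.invitees"
DENIED_SUFFIX = "@example.com"


def resolve_json_path(body: str, path: str, default):
    """Model of the JSON Path value processor with a Default value.

    Walks a simple dotted path ($.a.b.c). If the body is not JSON or any
    step is missing, the processor yields nothing and the attribute falls
    back to `default`; this is why the tutorial sets the default to [].
    Only dotted paths are modelled here (assumption for the example).
    """
    if not path.startswith("$."):
        raise ValueError("only dotted paths starting with '$.' are modelled")
    try:
        node = json.loads(body)
    except json.JSONDecodeError:
        return default
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def meme_game_invitees(body: str) -> list:
    """The 'Meme Game invitees' attribute: Type Collection, Default value []."""
    value = resolve_json_path(body, INVITEES_PATH, default=[])
    # Type is Collection: a non-list value is treated like an absent field.
    return value if isinstance(value, list) else []


def evaluate_create_game(subject: str, body: str) -> str:
    """Rule: Deny if subject ends with @example.com AND invitees != [].

    Both comparisons must hold for Deny. Otherwise this model permits,
    which is the outcome the tutorial's test list expects (assumption).
    """
    ends_with_example = subject.endswith(DENIED_SUFFIX)
    has_invitees = meme_game_invitees(body) != []  # the 'Does Not Equal []' comparison
    return "Deny" if (ends_with_example and has_invitees) else "Permit"


# Constructed request bodies covering the tutorial's test list plus two edge cases.
WITH_INVITEES = json.dumps(
    {"data": {"type": "game", "attributes": {"invitees": ["friend@example.com"]}}})
NO_INVITEE_LIST = json.dumps({"data": {"type": "game", "attributes": {}}})
EMPTY_INVITEES = json.dumps(
    {"data": {"type": "game", "attributes": {"invitees": []}}})
NO_ATTRIBUTES = json.dumps({"data": {"type": "game"}})


def test_matrix():
    """Return (subject, matched_expectation) for each constructed case."""
    cases = [
        ("user.0@example.com", WITH_INVITEES, "Deny"),
        ("user.0@my-company.com", WITH_INVITEES, "Permit"),
        ("user.0@example.com", NO_INVITEE_LIST, "Permit"),
        ("user.0@my-company.com", NO_INVITEE_LIST, "Permit"),
        # Edge cases: an explicitly empty list and a body without an
        # attributes object both resolve to [] and are therefore permitted.
        ("user.0@example.com", EMPTY_INVITEES, "Permit"),
        ("user.0@example.com", NO_ATTRIBUTES, "Permit"),
    ]
    return [(s, evaluate_create_game(s, b) == exp) for s, b, exp in cases]


if __name__ == "__main__":
    for subject, ok in test_matrix():
        print(f"{subject}: {'ok' if ok else 'MISMATCH'}")
```

The point to take from the model is the role of the Default value: without it, a body that omits invitees would give the attribute no value, and a comparison against [] would have nothing to compare, so the rule could not be relied on to permit that case.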