Would you like to TALK about it?

Pressing the big red button - Authorisation handling with Angular

September 15, 2020

Although you should never leave authorisation handling to be dealt with only by the Front-End, customers usually require us to hide or disable UI elements based on roles and/or permissions. This makes up for better user experience and can make the developer’s life a little monotone.

"Pressing the Big Red Button"

If you’d like to jump right into the code, you can check out my ng-reusables git repository. I hope you have fun!

Let’s just use dependency injection

I have had the chance to work with several enterprise application Front-Ends and when it came to authorisation, usually a role-based approach got implemented. The user’s roles were either provided in the JWT, which was then stored in localStorage, or sent back in the login response, and stored in indexedDb. For this blog post, it is not important how the user roles get to the Front-End, but let’s state that there is an AuthorisationService, which handles this upon application startup.

@Injectable({ providedIn: "root" })
export class AuthorisationService {
  private USER_ROLES: Set<string> = new Set()

  // ...

  setRoles(roles: string[]): void {
    this.USER_ROLES = new Set(roles)
  }

  hasReadAccess(role: string): boolean {
    return this.USER_ROLES.has(`${role}_READ`)
  }

  hasWriteAccess(role: string): boolean {
    return this.USER_ROLES.has(`${role}_WRITE`)
  }
}

We intentionally store the roles in a Set, because, as opposed to an array, it is more performant to check if the user has a given access right or not. In this particular case, the application differentiates between read and write access. Read access displays the UI element, write access allows the user to interact with it. Usually, one feature has one role, let’s have a feature for pressing the big red button. This feature would have two roles for the user: BIG_RED_BUTTON_READ and BIG_RED_BUTTON_WRITE. Let’s create a component for this feature.

<!-- big-red-button.component.html -->
<section *ngIf=authorisationService.hasReadAccess('BIG_RED_BUTTON')
         class="big-red-button-container">
  <button [disabled]="!authorisationService.hasWriteAccess('BIG_RED_BUTTON') || isButtonDisabled()"
          class="big-red-button">
    DO NOT PRESS
  </button>
</section>
@Component({
  selector: `big-red-button`,
  templateUrl: "./big-red-button.component.html",
  styles: [
    `
      /* styles */
    `,
  ],
})
export class BigRedButtonComponent {
  constructor(public authorisationService: AuthorisationService) {}

  isButtonDisabled(): boolean {
    let isButtonDisabled = false
    // Imagine complex boolean logic here.
    return isButtonDisabled
  }
}

Scaling problems

This approach works perfectly for such a small component, and let’s be fair if our whole application is one big red button we can call it a day. However, this method gets rather tedious and tiresome for a larger application. This approach is not scalable, because you have to inject the service into each and every one of your components. That means stubbing it in every component unit test, setting it up with mock data, and mocking the user rights as well. This also goes against the DRY (Don’t Repeat Yourself) principle. How can we move the necessary logic into our component templates? The answer lies in structural directives.

@Directive({ selector: "[authorisation]" })
export class AuthorisationDirective implements OnDestroy {
  private userSubscription: Subscription
  private role: string

  constructor(
    private userService: UserService,
    private authorisationService: AuthorisationService
  ) {
    this.userSubscription = this.userService.currentUser$.subscribe(
      this.updateView.bind(this)
    )
  }

  @Input()
  set authorisation(role: string) {
    this.role = role
    this.updateView()
  }

  ngOnDestroy(): void {
    this.userSubscription?.unsubscribe()
  }

  updateView(): void {
    // TODO view update logic based on access rights.
  }
}

This is our starting directive, which we are going to expand upon. I inject two services, the UserService handles the user data. When the current user changes, we need to update our views, that is why we subscribe to the user changes. Whenever a change occurs, every active directive instance will update their view. We implement the OnDestroy lifecycle hook because directives use those as well. We handle the teardown logic inside it. The authorisation setter gets decorated with the @Input decorator. This way we can use this structural directive on any HTML element in our templates as the following: <div *authorisation="BIG_RED_BUTTON"></div>.

With this setup, we can start implementing the view handling logic. We are going to need two important Angular template handler tools, the ViewContainerRef and the TemplateRef. Let’s inject these to our constructor and implement the display/hide logic for read access rights and provide a solution for disabling UI elements when the user does not have write access right.

interface AuthorisationContext {
  $implicit: (b: boolean) => boolean
}

@Directive({ selector: "[authorisation]" })
export class AuthorisationDirective implements OnDestroy {
  // ...
  private viewRef: EmbeddedViewRef<AuthorisationContext> = null

  constructor(
    private userService: UserService,
    private authorisationService: AuthorisationService,
    @Inject(ViewContainerRef) private viewContainer: ViewContainerRef,
    @Inject(TemplateRef) private templateRef: TemplateRef<AuthorisationContext>
  ) {
    //..
  }

  // ..

  private updateView(): void {
    const hasReadRight = this.authService.hasReadAccess(this.role)
    if (hasReadRight) {
      const hasWriteRight = this.authService.hasWriteAccess(this.role)
      this.viewContainer.clear()
      this.viewRef = this.viewContainer.createEmbeddedView(
        this.templateRef,
        this.createContext(hasWriteRight)
      )
    } else {
      this.viewContainer.clear()
      this.viewRef = null
    }
  }

  private createContext(hasWriteRight: boolean): AuthorisationContext {
    return {
      $implicit: (booleanValue: boolean) => !hasWriteRight || booleanValue,
    }
  }
}

First, we declare the AuthorisationContext interface. It has an $implicit property, which comes in handy when we want to use it as a template variable. We also prepare the viewRef member property, which stores our EmbeddedViewRef or null if the user does not have read access. Then, we call the clear() method on our ViewContainerRef instance. When the user has read access, we call clear() again. This comes in handy when the authorisation setter gets called with a different role for which we need to update the previous view. After that, we create our EmbeddedViewRef using the template reference that we inject into our constructor, and we create our context. Now let’s update our component, so it uses our directive.

<!-- big-red-button.component.html -->
<section
  *authorisation="'BIG_RED_BUTTON'; let checkWriteAccess"
  class="big-red-button-container"
>
  <button
    [disabled]="checkWriteAccess(isButtonDisabled())"
    class="big-red-button"
  >
    DO NOT PRESS
  </button>
</section>
@Component({
  selector: `big-red-button`,
  templateUrl: "./big-red-button.component.html",
  styles: [
    `
      /* styles */
    `,
  ],
})
export class BigRedButtonComponent {
  constructor() {}

  isButtonDisabled(): boolean {
    let isButtonDisabled = false
    // IMAGINE COMPLEX BOOLEAN LOGIC HERE
    return isButtonDisabled
  }
}

Our directive deals with the DOM, it manipulates it. This is the reason why we use the asterisk(*) prefix. It means that this directive is a structural directive and as such, Angular internally translates the *authorisation attribute into an <ng-template> element, wrapped around the host element. Finally, our rendered <section> element looks like the following:

<!--bindings={
  "ng-reflect-authorisation": "BIG_RED_BUTTON"
}-->
<section _ngcontent-c0 class="big-red-button-container">
  <!-- ommited -->
</section>

With this solution, we successfully reduced the complexity of our component, and we created a scalable and reusable solution. It is important to mention, that the directive should be declared on the application root level, and it needs to be exported. I suggest putting this into a shared module. Also, it is important to emphasize, that this is only a Front-End solution, this does not protect your API endpoints from unauthorised access.

What about reactive forms?

An excellent question! While binding checkWriteAccess to the [disabled] attribute works well on buttons, and on template-driven forms, it can cause problems with reactive form inputs. Namely, binding to the [disabled] attribute can cause ‘changed after checked’ errors. Angular itself warns about this, and recommends using the .disable() and .enable() methods on form controls. Luckily, we can enhance our directive with the capability to store a FormControl if passed, and disable it when updateView is called.

@Directive({ selector: "[authorisation]" })
export class AuthorisationDirective implements OnDestroy {
  private formControl: AbstractControl = null

  // ...

  @Input()
  set authorisationControl(ctrl: AbstractControl) {
    this.formControl = ctrl
    this.updateView()
  }

  // ...

  private updateView(): void {
    const hasReadRight = this.authService.hasReadAccess(this.role)
    if (hasReadRight) {
      const hasWriteRight = this.authService.hasWriteAccess(this.role)
      this.viewContainer.clear()
      this.viewRef = this.viewContainer.createEmbeddedView(
        this.templateRef,
        this.createContext(hasWriteRight)
      )
      if (!hasWriteRight) {
        this.formControl?.disable()
      }
    } else {
      this.viewContainer.clear()
      this.viewRef = null
    }
  }
}

We have added a new @Input() property to our directive. This allows us to pass any control that implements the AbstractControl, such as FormControl, FormGroup and FormArray. We can leverage this using the following directive binding:

<!-- launch-codes.component.html -->
<form
  *authorisation="'LAUNCH_CODE_INPUTS'; control launchCodesForm"
  [formGroup]="launchCodesForm"
>
  <label for="primary-high-ranking-officer">First officer access code:</label>
  <input
    id="primary-high-ranking-officer"
    formControlName="firstOfficerAccessCode"
  />

  <label for="secondary-high-ranking-officer"
    >Second officer access code:</label
  >
  <input
    id="secondary-high-ranking-officer"
    formControlName="secondOfficerAccessCode"
  />
</form>
@Component({
  selector: "launch-codes",
  templateUrl: "./launch-codes.component.html",
})
export class LaunchCodesComponent {
  readonly launchCodesForm: FormGroup = this.fb.group({
    firstOfficerAccessCode: ["", Validators.required],
    secondOfficerAccessCode: ["", Validators.required],
  })

  constructor(private fb: FormBuilder) {}
}

This way when the launchCodesForm is disabled if the user does not have write access.

We need more fancy

So the authorisation logic works, the button gets disabled when the user does not have write right, however, our customer wants something extra. The goal is to make read-only components differ from full-access components. For the sake of simplicity, in this example we are going to add some opacity to these elements, so they can still be read, but they differ visibly. Let’s create the CSS class first.

/* styles.css file */
.app-unauthorised {
  opacity: 0.5 !important;
}

Now, we could easily add [class.app-unauthorised]="checkWriteAccess(false) to our template, but then again, we would need to do this to every element, which has our directive on it. We don’t want that, it would not be DRY… Instead, we could use a little DOM manipulation with the help of the ElementRef. Since we want to manipulate the DOM, we inject the Renderer2 as well. Let’s update our directive.

@Directive({ selector: "[authorisation]" })
export class AuthorisationDirective implements OnDestroy {
  // ...

  constructor(
    private userService: UserService,
    private authorisationService: AuthorisationService,
    @Inject(ViewContainerRef) private viewContainer: ViewContainerRef,
    @Inject(TemplateRef) private templateRef: TemplateRef<AuthorisationContext>,
    @Inject(ElementRef) private el: ElementRef,
    private renderer: Renderer2
  ) {
    //..
  }

  // ..

  private updateView(): void {
    const hasReadRight = this.authService.hasReadAccess(this.role)
    if (hasReadRight) {
      const hasWriteRight = this.authService.hasWriteAccess(this.role)
      this.viewContainer.clear()
      this.viewRef = this.viewContainer.createEmbeddedView(
        this.templateRef,
        this.createContext(hasWriteRight)
      )
      if (!hasWriteRight) {
        this.formControl?.disable()
        this.setUnauthorised()
      }
    } else {
      this.viewContainer.clear()
      this.viewRef = null
    }
  }

  // ...

  private setUnauthorised(): void {
    this.renderer.addClass(
      this.el.nativeElement.previousSibling,
      "app-unauthorised"
    )
  }
}

First, we inject the ElementRef into our directive. When the user has only read rights, the app-unauthorised class gets added to our nativeElement’s previousSibling. The reason for this is that this kind of directive binding gets converted into an HTML comment in the template as mentioned before. The previous sibling is the element that you apply the structural directive to. Note, that if you use structural directives, like *ngIf, you can see <!----> in production built Angular applications. This is the reason why we cannot bind more than one structural directive to an element, therefore, if we’d like to use this authorisation directive with an *ngIf structural directive as well, we should wrap the element inside an <ng-container> and apply one of the structural directives onto that container element.

Conclusion

Authorisation handling on the UI can be a tedious job, especially when it is one of the last things to implement in an application. I hope this article has shed some light on how you can use the power of directives in your app to make your job easier.


Written by Balázs Tápai.
I believe in quality software development. I make software to make people's lives better. A well written and well tested codebase helps you and the developers that come after you.
You can follow me on Twitter or Github.