Authorize User Access

Assuming object types, users and warrants are defined for your system, you can add runtime checks to your application to authorize user access.

For example, you may want to check if the user identified by userId 5djfs6 can view the report with id avk2837. A warrant check for this condition will return a 200 OK if the request is successful. The response body will contain "result": "Authorized" if the user has access or "result": "Not Authorized" if the user does not have access.

POST /v2/authorize

Parameters

Parameter	Description	Type	Required
op	The logical operator to use when warrants contains more than one warrant. Valid values are allOf and anyOf. allOf will return “Authorized” only if all warrants are found, and anyOf will return “Authorized” if at least one of the warrants is found.	JSON body	no
warrants	Array of warrants that you want to check. Each warrant should be formatted as below in the Warrant Parameters table.	JSON body	yes

Warrant Parameters

Parameter	Description	Type	Required
objectType	The type of object. Must be one of your system's existing object types.	JSON body	yes
objectId	The id of the specific object.	JSON body	yes
relation	The relation to check for this object to subject association. The relation must be valid as per the object type definition.	JSON body	yes
subject	The specific subject for which access will be checked. Can be a specific object by id or an objectType, objectId and relation set.	JSON body	yes

Request

Curl

curl "https://api.warrant.dev/v2/authorize" \
    -X POST \
    -H "Authorization: ApiKey YOUR_KEY" \
    --data-raw \
    '{
        "warrants": [
            {
                "objectType": "report",
                "objectId": "avk2837",
                "relation": "viewer",
                "subject": {
                    "objectType": "user",
                    "objectId": "5djfs6"
                }
            }
        ]
    }'

Go

isAuthorized, err := client.IsAuthorized(warrant.WarrantCheckParams{
    Warrants: []warrant.Warrant{
        {
            ObjectType: "report",
            ObjectId:   "avk2837",
            Relation:   "viewer",
            Subject: warrant.Subject{
                ObjectType: "user",
                ObjectId: "5djfs6",
            },
        }
    }
})
if err != nil {
    // Handler error
}

Java

try {
    Subject warrantSubject = new Subject("user", "5djfs6");
    Warrant warrantToCheck = new Warrant("report", "avk2837", "viewer", warrantSubject);
    boolean isAuthorized = client.isAuthorized(new WarrantCheck(Arrays.asList(warrantToCheck)));
} catch (WarrantException e) {
    // Handle error
}

Node.js

client
    .isAuthorized({
        warrants: [{
            objectType: "report",
            objectId: "avk2837", 
            relation: "viewer", 
            subject: {
                objectType: "user",
                objectId: "5djfs6"
            }
        }]
    })
  .then((isAuthorized) => {
    if (isAuthorized) {
      // Proceed if authorized
    }
  })
  .catch((error) => console.log(error));

Python

warrants_to_check = [Warrant("report", "avk2837", "viewer", Subject("user", "5djfs6"))]
is_authorized = client.is_authorized(WarrantCheck(warrants_to_check, "allOf"))

Ruby

is_authorized = Warrant::WarrantClient.is_authorized?(
    warrants: [
        {
            object_type: "report", 
            object_id: "avk2837", 
            relation: "viewer", 
            subject: {
                object_type: "user",
                object_id: "5djfs6"
            }
        }
    ])

PHP

$warrants_to_check = [
    new \Warrant\Warrant(
                "report",
                "avk2837",
                "viewer",
                new \Warrant\Subject("user", "5djfs6")
            )
];
$is_authorized = $warrant->isAuthorized(new \Warrant\WarrantCheck(\Warrant\WarrantCheckOp::ALL_OF, $warrants_to_check));

CLI

warrant check user:5djfs6 viewer report:avk2837

Response

200 OK

{
    "code": 200,
    "result": "Authorized"
}