There are at least a dozen well written, permissibly-licensed router packages out there (alloy, aura, solar, symphony, etc), but I have yet to come across one that includes some form of fine-grained (ie, resource or finer) access control.
Important features:
- Solar style routes
- Loose couplining to authentication mechanisms (this should only handle authorization)
- Groups as well as users
- Scoping capability (ie, you can access resources you have some kind of relationship with, but not ones of the same type that you don't)
I would be more than willing to contribute to a project that wanted to do this, but would rather not reinvent the wheel if someone is already working on this.
Specifically, given a route and some form of authentication, I want have the access controller decide to:
- Give the user that resource
- Give that user a redacted version of that resource
- Suggest authenticating/re-authenticating with different credentials
- In the absence of authentication, not confirm or deny the existence of the resource
As a bonus, having a way to request the full resource from the redacted one would be great; eg, you pull up a person resource, and their SSN/DOB are redacted. When you hit a "show" button, it logs it and then gives you the resource with those in it.
Edit: This does not actually have to be the router itself, but it seems like it would make sense to use the same kind of addressing to control access. It's possible that this could be implemented as a standalone tool that is executed post-routing, pre-dispatch.