UNPKG

express-jwt-permissions

Version:

Express middleware for JWT permissions

github.com/MichielDeMey/express-jwt-permissions

MichielDeMey/express-jwt-permissions

101 lines (66 loc) 3.15 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
# Express JWT Permissions [![Build Status](https://travis-ci.org/MichielDeMey/express-jwt-permissions.svg?branch=master)](https://travis-ci.org/MichielDeMey/express-jwt-permissions) [![Coverage Status](https://coveralls.io/repos/MichielDeMey/express-jwt-permissions/badge.svg?branch=master&service=github)](https://coveralls.io/github/MichielDeMey/express-jwt-permissions?branch=master) [![npm](https://img.shields.io/npm/dm/express-jwt-permissions.svg?maxAge=2592000)](https://www.npmjs.com/package/express-jwt-permissions) [![js-standard-style](https://cdn.rawgit.com/feross/standard/master/badge.svg)](https://github.com/feross/standard) Middleware that checks JWT tokens for permissions, recommended to be used in conjunction with [express-jwt](https://github.com/auth0/express-jwt). ## Install ``` npm install express-jwt-permissions --save ``` ## Usage This middleware assumes you already have a JWT authentication middleware such as [express-jwt](https://github.com/auth0/express-jwt). The middleware will check a decoded JWT token to see if a token has permissions to make a certain request. Permissions should be described as an array of strings inside the JWT token. ```json "permissions": [ "status", "user:read", "user:write" ] ``` If your JWT structure looks different you should map or reduce the results to produce a simple Array of permissions. ### Using permission Array To verify a permission for all routes using an array: ```javascript var guard = require('express-jwt-permissions')() app.use(guard.check('admin')) ``` If you require different permissions per route, you can set the middleware per route. ```javascript var guard = require('express-jwt-permissions')() app.get('/status', guard.check('status'), function(req, res) { ... }) app.get('/user', guard.check(['user:read']), function(req, res) { ... }) ``` ### Configuration To set where the module can find the user property (default `req.user`) you can set the `requestProperty` option. To set where the module can find the permissions property inside the `requestProperty` object (default `permissions`), set the `permissionsProperty` option. Example: Consider you've set your permissions as `scopes` on `req.identity`, your JWT structure looks like: ```json "scopes": ["user:read", "user:write"] ``` You can pass the configuration into the module: ```javascript var guard = require('express-jwt-permissions')({ requestProperty: 'identity', permissionsProperty: 'scopes' }) app.use(guard.check('user:read')) ``` ## Error handling The default behavior is to throw an error when the token is invalid, so you can add your custom logic to manage unauthorized access as follows: ```javascript app.use(guard.check('admin')) app.use(function (err, req, res, next) { if (err.code === 'permission_denied') { res.status(401).send('insufficient permissions'); } }); ``` **Note** that your error handling middleware should be defined after the jwt-permissions middleware. ## Tests $ npm install $ npm test ## License This project is licensed under the MIT license. See the [LICENSE](LICENSE.txt) file for more info.