secure-express-setup
Version:
Military-grade one-command security setup for Express.js applications
// lib/rbac.js
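/**
 * Build an Express middleware that authorizes a request by user role or
 * API-key scope.
 *
 * Both principals are read from the request and are expected to have been
 * populated (and verified) by an earlier authentication middleware; this
 * function does no verification of its own:
 *   - `req.apiKey.scopes` (array): passes if ANY entry of `required` is in the
 *     scope list. Scopes and role names share one namespace here — an API key
 *     carrying the scope "admin" satisfies `requireRole('admin')`.
 *   - `req.user.role` (string or array of strings): passes if ANY entry of
 *     `required` matches.
 *
 * Responses:
 *   - 401 `{ error: 'Unauthorized' }` when the request carries neither
 *     `req.user` nor `req.apiKey`. This also covers an empty `required`:
 *     `requireRole()` means "any authenticated caller", not "anyone" — the
 *     previous `required.length === 0` shortcut let unauthenticated requests
 *     through.
 *   - 403 `{ error: 'Forbidden' }` when a principal is present but matches no
 *     required role/scope.
 *   - 500 `{ error: 'Internal error' }` when evaluation throws (fail closed).
 *
 * @param {string|string[]} [required=[]] role/scope names; any single match grants access
 * @returns {(req, res, next) => void} Express middleware
 */
function requireRole(required = []) {
  // Normalize once at construction time and never mutate the caller's argument.
  const wanted = Array.isArray(required) ? required : [required];

  return function (req, res, next) {
    try {
      // Authorization presupposes authentication: with no principal at all there
      // is nothing to check, so deny rather than silently pass.
      if (!req.user && !req.apiKey) {
        return res.status(401).json({ error: 'Unauthorized' });
      }

      // No specific role demanded: any authenticated principal is sufficient.
      if (wanted.length === 0) return next();

      const user = req.user || {};
      const apiKey = req.apiKey || {};

      // API-key path: any required entry present in the key's scope list.
      if (Array.isArray(apiKey.scopes) && wanted.some((r) => apiKey.scopes.includes(r))) {
        return next();
      }

      // User path: `role` may be a single string or an array of strings.
      const roles = Array.isArray(user.role) ? user.role : user.role ? [user.role] : [];
      if (wanted.some((r) => roles.includes(r))) return next();

      return res.status(403).json({ error: 'Forbidden' });
    } catch (err) {
      // Fail closed: an unexpected error denies access instead of leaking through.
      console.error('RBAC error', err);
      return res.status(500).json({ error: 'Internal error' });
    }
  };
}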
// CommonJS single export: `const requireRole = require('./lib/rbac');`
module.exports = requireRole;