Express JWT Permissions

Middleware that checks the permissions carried in a decoded JWT; recommended for use in conjunction with express-jwt.

Install

npm install express-jwt-permissions --save

Usage

This middleware assumes you already have a JWT authentication middleware such as express-jwt.

The middleware checks the decoded JWT (as attached to the request by the authentication middleware) to see whether the token carries the permissions required for a given request.

Permissions should be described as an array of strings inside the JWT token, or as a space-delimited OAuth 2.0 Access Token Scope string.

"permissions": ["status", "user:read", "user:write"]

"scope": "status user:read user:write"

If your JWT structure looks different, map or reduce the claims to produce a simple array or string of permissions before the check runs.

Using permission Array

To verify a permission for all routes using an array:

var guard = require('express-jwt-permissions')()
app.use(guard.check('admin'))

If you require different permissions per route, you can set the middleware per route.

var guard = require('express-jwt-permissions')()
app.get('/status', guard.check('status'), function (req, res) { ... })
app.get('/user', guard.check(['user:read']), function (req, res) { ... })

Logical combinations of required permissions can be expressed with nested arrays: a flat array requires every listed permission (AND), while an array of arrays is satisfied when any one inner array is fully satisfied (OR of ANDs).

Single string

app.use(guard.check('admin'))

Array of strings

app.use(guard.check(['read', 'write']))

Array of arrays of strings

app.use(guard.check([['read'], ['write']]))
app.use(guard.check([['admin'], ['read', 'write']]))

Configuration

To set where the module looks for the user object on the request (default req.user), set the requestProperty option.

To set where the module looks for the permissions inside that user object (default permissions), set the permissionsProperty option.

Example:

Consider that you've set your permissions as scope on req.identity, so your JWT structure looks like:

"scope": "user:read user:write"

You can pass the configuration into the module:

var guard = require('express-jwt-permissions')({
  requestProperty: 'identity',
  permissionsProperty: 'scope'
})
app.use(guard.check('user:read'))

Error handling

The default behavior is to throw an error when the token does not carry the required permissions, so you can add your own logic for handling unauthorized access as follows:

app.use(guard.check('admin'))
app.use(function (err, req, res, next) {
  if (err.code === 'permission_denied') {
    res.status(403).send('Forbidden');
  }
});

Note that your error-handling middleware must be registered after the jwt-permissions middleware, otherwise Express never routes the error to it.

Excluding paths

This library integrates with express-unless to allow excluding paths from the check; refer to that package's documentation for the available matching options.

const checkForPermissions = guard
  .check(['admin'])
  .unless({ path: '/not-secret' })
app.use(checkForPermissions)

Tests

npm install
npm test

License

This project is licensed under the MIT license. See the LICENSE file for more info.