Middleware that checks JWT tokens for permissions, recommended to be used in conjunction with express-jwt.
```sh
npm install express-jwt-permissions --save
```
This middleware assumes you already have a JWT authentication middleware such as express-jwt.
The middleware will check a decoded JWT token to see if a token has permissions to make a certain request.
Permissions should be described as an array of strings inside the JWT token.
```json
{
  "permissions": [
    "status",
    "user:read",
    "user:write"
  ]
}
```
If your JWT structure looks different you should map or reduce the results to produce a simple Array of permissions.
To verify a permission for all routes using an array:
```javascript
var guard = require('express-jwt-permissions')()
app.use(guard.check('admin'))
```
If you require different permissions per route, you can set the middleware per route.
```javascript
var guard = require('express-jwt-permissions')()
app.get('/status', guard.check('status'), function(req, res) { ... })
app.get('/user', guard.check(['user:read']), function(req, res) { ... })
```
To set where the module can find the user property (default `req.user`), set the `requestProperty` option.
To set where the module can find the permissions property inside the `requestProperty` object (default `permissions`), set the `permissionsProperty` option.
Example: suppose you've set your permissions as `scopes` on `req.identity`; your JWT structure then looks like:
```json
{
  "scopes": ["user:read", "user:write"]
}
```
You can pass the configuration into the module:
```javascript
var guard = require('express-jwt-permissions')({
  requestProperty: 'identity',
  permissionsProperty: 'scopes'
})
app.use(guard.check('user:read'))
```
The default behavior is to raise an error when the token does not carry the required permissions, so you can add your own logic for handling unauthorized access in an error-handling middleware, as follows:
```javascript
app.use(guard.check('admin'))
app.use(function (err, req, res, next) {
  if (err.code === 'permission_denied') {
    res.status(401).send('insufficient permissions');
  } else {
    // Not a permission error: hand it on to the next error handler
    next(err);
  }
});
```
Note that your error handling middleware should be defined after the jwt-permissions middleware.
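To make the behaviour described above concrete, here is a small stand-alone guard written for this README in the same shape as the options and error code documented here. It is an added illustration, not the express-jwt-permissions source; the assumption that an array passed to `check` means "all of these permissions are required" is mine, and the request objects are constructed to look like what express-jwt would attach.

```javascript
// Added illustration of the guard described above; not the package's own source.
// Option names follow the README; array semantics (all entries required) is an assumption.
function createGuard(options = {}) {
  const requestProperty = options.requestProperty || 'user';
  const permissionsProperty = options.permissionsProperty || 'permissions';

  function deny(next, message) {
    const err = new Error(message);
    err.code = 'permission_denied'; // the code the error handler above tests for
    return next(err);
  }

  return {
    check(required) {
      const needed = Array.isArray(required) ? required : [required];
      return function guard(req, res, next) {
        const subject = req[requestProperty];
        const granted = subject && subject[permissionsProperty];
        // No decoded token, or no permissions array on it: fail closed.
        if (!Array.isArray(granted)) return deny(next, 'permissions not found in token');
        const missing = needed.filter((p) => !granted.includes(p));
        if (missing.length > 0) return deny(next, 'insufficient permissions: ' + missing.join(', '));
        return next();
      };
    },
  };
}

// Drive a guard with a constructed request object and report what it did.
function runGuard(middleware, req) {
  let outcome = 'allowed';
  middleware(req, {}, function next(err) {
    if (err) outcome = err.code;
  });
  return outcome;
}

// Constructed requests, shaped the way express-jwt would populate them.
const readWriteReq = { user: { permissions: ['status', 'user:read', 'user:write'] } };
const readOnlyReq = { user: { permissions: ['user:read'] } };
const anonymousReq = {};
const scopedReq = { identity: { scopes: ['user:read', 'user:write'] } };

const guard = createGuard();
const scopedGuard = createGuard({ requestProperty: 'identity', permissionsProperty: 'scopes' });
console.log(runGuard(guard.check('status'), readWriteReq)); // allowed
console.log(runGuard(guard.check(['user:read', 'user:write']), readOnlyReq)); // permission_denied
console.log(runGuard(guard.check('status'), anonymousReq)); // permission_denied
console.log(runGuard(scopedGuard.check('user:read'), scopedReq)); // allowed
```

Note that a request without a decoded token is denied rather than passed through, which is why the authentication middleware must run before the guard.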
To run the test suite:
```sh
$ npm install
$ npm test
```
This project is licensed under the MIT license. See the LICENSE file for more info.