
express-jwt-permissions

🚦 Express middleware for JWT permissions
License: MIT License
Development language: JavaScript
Category: Web application development
Software type: Open source software
Region: Unknown
Submitted by: 周学义
Operating system: Cross-platform
Open-source organization:
Target audience: Unknown
Software overview

Express JWT Permissions


Middleware that checks JWT tokens for permissions, recommended to be used in conjunction with express-jwt.

Install

npm install express-jwt-permissions --save

Usage

This middleware assumes you already have a JWT authentication middleware such as express-jwt.

The middleware will check a decoded JWT token to see if a token has permissions to make a certain request.

Permissions should be described as an array of strings inside the JWT token, or as a space-delimited OAuth 2.0 Access Token Scope string.

"permissions": [
  "status",
  "user:read",
  "user:write"
]
"scope": "status user:read user:write"

If your JWT structure looks different you should map or reduce the results to produce a simple Array or String of permissions.

Using a permissions array

To verify a permission for all routes using an array:

var guard = require('express-jwt-permissions')()

app.use(guard.check('admin'))

If you require different permissions per route, you can set the middleware per route.

var guard = require('express-jwt-permissions')()

app.get('/status', guard.check('status'), function(req, res) { ... })
app.get('/user', guard.check(['user:read']), function(req, res) { ... })

Logical combinations of required permissions can be made using nested arrays.

Single string

// Required: "admin"
app.use(guard.check(
  'admin'
))

Array of strings

// Required: "read" AND "write"
app.use(guard.check(
  ['read', 'write']
))

Array of arrays of strings

// Required: "read" OR "write"
app.use(guard.check([
  ['read'],
  ['write']
]))

// Required: "admin" OR ("read" AND "write")
app.use(guard.check([
  ['admin'],
  ['read', 'write']
]))

Configuration

To set where the module can find the user property (default req.user) you can set the requestProperty option.

To set where the module can find the permissions property inside the requestProperty object (default permissions), set the permissionsProperty option.

Example:

Consider you've set your permissions as scope on req.identity, your JWT structure looks like:

"scope": "user:read user:write"

You can pass the configuration into the module:

var guard = require('express-jwt-permissions')({
  requestProperty: 'identity',
  permissionsProperty: 'scope'
})

app.use(guard.check('user:read'))

Error handling

The default behavior is to pass an error (with err.code set to 'permission_denied') to next() when the token does not carry the required permissions, so you can add your own logic for handling unauthorized access as follows:

app.use(guard.check('admin'))

app.use(function (err, req, res, next) {
  if (err.code === 'permission_denied') {
    res.status(403).send('Forbidden');
  } else {
    next(err); // hand any other error on, otherwise the request hangs
  }
});

Note that your error handling middleware must be registered after the jwt-permissions middleware: Express only routes an error to handlers that come later in the chain.
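The nested-array rules, the requestProperty/permissionsProperty options and the permission_denied error described above, as an added example that re-implements the documented semantics without Express so they can be exercised on constructed requests (this is not the library's own code; createGuard, isAllowed and run are names chosen here):

```javascript
// Added example (not the library's code): re-implementation of the documented
// check semantics so the rules can be exercised on constructed requests.
class PermissionError extends Error {
  constructor(message) {
    super(message);
    this.code = 'permission_denied'; // the code the README's error handler tests for
  }
}
// Accept a permissions array or a space-delimited OAuth 2.0 scope string.
function toPermissionList(value) {
  if (typeof value === 'string') return value.split(' ').filter(Boolean);
  return Array.isArray(value) ? value : null;
}
// required: 'admin' | ['read', 'write'] (AND) | [['admin'], ['read', 'write']] (OR of ANDs)
function isAllowed(required, granted) {
  const have = new Set(granted);
  if (typeof required === 'string') return have.has(required);
  if (required.every((r) => typeof r === 'string')) return required.every((r) => have.has(r));
  return required.some((group) => [].concat(group).every((r) => have.has(r)));
}
// Mirrors the documented options: requestProperty (default user), permissionsProperty (default permissions).
function createGuard(options = {}) {
  const requestProperty = options.requestProperty || 'user';
  const permissionsProperty = options.permissionsProperty || 'permissions';
  return {
    check(required) {
      return function guard(req, res, next) {
        const principal = req[requestProperty];
        if (!principal) return next(new PermissionError(`req.${requestProperty} not found`));
        const granted = toPermissionList(principal[permissionsProperty]);
        if (!granted) return next(new PermissionError('permissions missing or malformed'));
        if (!isAllowed(required, granted)) return next(new PermissionError('permission denied'));
        return next(); // authorised: hand off to the route handler
      };
    },
  };
}
// Runs a middleware on a constructed req and returns 'ok' or the error passed to next().
function run(middleware, req) {
  let outcome = null;
  middleware(req, {}, (err) => { outcome = err || 'ok'; });
  return outcome;
}

// Constructed decoded tokens under the README's identity/scope configuration.
const guard = createGuard({ requestProperty: 'identity', permissionsProperty: 'scope' });
const check = guard.check([['admin'], ['user:read', 'user:write']]); // admin OR (read AND write)
const reader = { identity: { scope: 'status user:read' } };
const editor = { identity: { scope: 'user:read user:write' } };
```

A request with no decoded identity at all is rejected with the same permission_denied code, so the single 403 handler above covers both cases.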

Excluding paths

This library integrates with express-unless to allow excluding paths; refer to its documentation for the available matching options.

const checkForPermissions = guard
  .check(['admin'])
  .unless({ path: '/not-secret' })

app.use(checkForPermissions)

Tests

$ npm install
$ npm test

License

This project is licensed under the MIT license. See the LICENSE file for more info.
