UNPKG

express-jwt-permissions/README.md

Version:

4.57 kBMarkdownView Raw

1# Express JWT Permissions
2
3[![Node.js CI](https://github.com/MichielDeMey/express-jwt-permissions/workflows/Node.js%20CI/badge.svg)](https://github.com/MichielDeMey/express-jwt-permissions/actions?query=workflow%3A%22Node.js+CI%22)
4[![CodeQL](https://github.com/MichielDeMey/express-jwt-permissions/actions/workflows/codeql-analysis.yml/badge.svg?branch=master)](https://github.com/MichielDeMey/express-jwt-permissions/actions/workflows/codeql-analysis.yml)
5[![codecov](https://codecov.io/gh/MichielDeMey/express-jwt-permissions/branch/master/graph/badge.svg?token=UXWXehGp1x)](https://codecov.io/gh/MichielDeMey/express-jwt-permissions)
6[![npm](https://img.shields.io/npm/dm/express-jwt-permissions.svg?maxAge=2592000)](https://www.npmjs.com/package/express-jwt-permissions)
7
8[![js-standard-style](https://cdn.rawgit.com/feross/standard/master/badge.svg)](https://github.com/feross/standard)
9
10Middleware that checks JWT tokens for permissions, recommended to be used in conjunction with [express-jwt](https://github.com/auth0/express-jwt).
11
12## Install
13
14```
15npm install express-jwt-permissions --save
16```
17
18## Usage
19
20This middleware assumes you already have a JWT authentication middleware such as [express-jwt](https://github.com/auth0/express-jwt).
21
22The middleware will check a decoded JWT token to see if a token has permissions to make a certain request.
23
24Permissions should be described as an array of strings inside the JWT token, or as a space-delimited [OAuth 2.0 Access Token Scope](https://tools.ietf.org/html/rfc6749#section-3.3) string.
25
26```json
27"permissions": [
28  "status",
29  "user:read",
30  "user:write"
31]
32```
33
34```json
35"scope": "status user:read user:write"
36```
37
38If your JWT structure looks different you should map or reduce the results to produce a simple Array or String of permissions.
39
40### Using permission Array
41To verify a permission for all routes using an array:
42
43```javascript
44var guard = require('express-jwt-permissions')()
45
46app.use(guard.check('admin'))
47```
48
49If you require different permissions per route, you can set the middleware per route.
50
51```javascript
52var guard = require('express-jwt-permissions')()
53
54app.get('/status', guard.check('status'), function(req, res) { ... })
55app.get('/user', guard.check(['user:read']), function(req, res) { ... })
56```
57
58Logical combinations of required permissions can be made using nested arrays.
59
60Single string
61```js
62// Required: "admin"
63app.use(guard.check(
64  'admin'
65))
66```
67
68Array of strings
69
70```javascript
71// Required: "read" AND "write"
72app.use(guard.check(
73  ['read', 'write']
74))
75```
76
77Array of arrays of strings
78
79```javascript
80// Required: "read" OR "write"
81app.use(guard.check([
82  ['read'],
83  ['write']
84]))
85
86// Required: "admin" OR ("read" AND "write")
87app.use(guard.check([
88  ['admin'],
89  ['read', 'write']
90]))
91```
92
93### Configuration
94To set where the module can find the user property (default `req.user`) you can set the `requestProperty` option.
95
96To set where the module can find the permissions property inside the `requestProperty` object (default `permissions`), set the `permissionsProperty` option.
97
98Example:
99
100Consider you've set your permissions as `scope` on `req.identity`, your JWT structure looks like:
101
102```json
103"scope": "user:read user:write"
104```
105
106You can pass the configuration into the module:
107
108```javascript
109var guard = require('express-jwt-permissions')({
110  requestProperty: 'identity',
111  permissionsProperty: 'scope'
112})
113
114app.use(guard.check('user:read'))
115```
116
117## Error handling
118
119The default behavior is to throw an error when the token is invalid, so you can add your custom logic to manage unauthorized access as follows:
120
121```javascript
122app.use(guard.check('admin'))
123
124app.use(function (err, req, res, next) {
125  if (err.code === 'permission_denied') {
126    res.status(403).send('Forbidden');
127  }
128});
129```
130
131**Note** that your error handling middleware should be defined after the jwt-permissions middleware.
132
133## Excluding paths
134
135This library has integration with [express-unless](https://github.com/jfromaniello/express-unless) to allow excluding paths, please refer to their [usage](https://github.com/jfromaniello/express-unless#usage).
136
137```javascript
138const checkForPermissions = guard
139  .check(['admin'])
140  .unless({ path: '/not-secret' })
141
142app.use(checkForPermissions)
143```
144
145## Tests
146
147```
148$ npm install
149$ npm test
150```
151
152## License
153
154This project is licensed under the MIT license. See the [LICENSE](LICENSE.txt) file for more info.

1	`# Express JWT Permissions`
2
3	`[![Node.js CI](https://github.com/MichielDeMey/express-jwt-permissions/workflows/Node.js%20CI/badge.svg)](https://github.com/MichielDeMey/express-jwt-permissions/actions?query=workflow%3A%22Node.js+CI%22)`
4	`[![CodeQL](https://github.com/MichielDeMey/express-jwt-permissions/actions/workflows/codeql-analysis.yml/badge.svg?branch=master)](https://github.com/MichielDeMey/express-jwt-permissions/actions/workflows/codeql-analysis.yml)`
5	`[![codecov](https://codecov.io/gh/MichielDeMey/express-jwt-permissions/branch/master/graph/badge.svg?token=UXWXehGp1x)](https://codecov.io/gh/MichielDeMey/express-jwt-permissions)`
6	`[![npm](https://img.shields.io/npm/dm/express-jwt-permissions.svg?maxAge=2592000)](https://www.npmjs.com/package/express-jwt-permissions)`
7
8	`[![js-standard-style](https://cdn.rawgit.com/feross/standard/master/badge.svg)](https://github.com/feross/standard)`
9
10	`Middleware that checks JWT tokens for permissions, recommended to be used in conjunction with [express-jwt](https://github.com/auth0/express-jwt).`
11
12	`## Install`
13
14	```
15	`npm install express-jwt-permissions --save`
16	```
17
18	`## Usage`
19
20	`This middleware assumes you already have a JWT authentication middleware such as [express-jwt](https://github.com/auth0/express-jwt).`
21
22	`The middleware will check a decoded JWT token to see if a token has permissions to make a certain request.`
23
24	`Permissions should be described as an array of strings inside the JWT token, or as a space-delimited [OAuth 2.0 Access Token Scope](https://tools.ietf.org/html/rfc6749#section-3.3) string.`
25
26	```json
27	`"permissions": [`
28	`"status",`
29	`"user:read",`
30	`"user:write"`
31	`]`
32	```
33
34	```json
35	`"scope": "status user:read user:write"`
36	```
37
38	`If your JWT structure looks different you should map or reduce the results to produce a simple Array or String of permissions.`
39
40	`### Using permission Array`
41	`To verify a permission for all routes using an array:`
42
43	```javascript
44	`var guard = require('express-jwt-permissions')()`
45
46	`app.use(guard.check('admin'))`
47	```
48
49	`If you require different permissions per route, you can set the middleware per route.`
50
51	```javascript
52	`var guard = require('express-jwt-permissions')()`
53
54	`app.get('/status', guard.check('status'), function(req, res) { ... })`
55	`app.get('/user', guard.check(['user:read']), function(req, res) { ... })`
56	```
57
58	`Logical combinations of required permissions can be made using nested arrays.`
59
60	`Single string`
61	```js
62	`// Required: "admin"`
63	`app.use(guard.check(`
64	`'admin'`
65	`))`
66	```
67
68	`Array of strings`
69
70	```javascript
71	`// Required: "read" AND "write"`
72	`app.use(guard.check(`
73	`['read', 'write']`
74	`))`
75	```
76
77	`Array of arrays of strings`
78
79	```javascript
80	`// Required: "read" OR "write"`
81	`app.use(guard.check([`
82	`['read'],`
83	`['write']`
84	`]))`
85
86	`// Required: "admin" OR ("read" AND "write")`
87	`app.use(guard.check([`
88	`['admin'],`
89	`['read', 'write']`
90	`]))`
91	```
92
93	`### Configuration`
94	To set where the module can find the user property (default `req.user`) you can set the `requestProperty` option.
95
96	To set where the module can find the permissions property inside the `requestProperty` object (default `permissions`), set the `permissionsProperty` option.
97
98	`Example:`
99
100	Consider you've set your permissions as `scope` on `req.identity`, your JWT structure looks like:
101
102	```json
103	`"scope": "user:read user:write"`
104	```
105
106	`You can pass the configuration into the module:`
107
108	```javascript
109	`var guard = require('express-jwt-permissions')({`
110	`requestProperty: 'identity',`
111	`permissionsProperty: 'scope'`
112	`})`
113
114	`app.use(guard.check('user:read'))`
115	```
116
117	`## Error handling`
118
119	`The default behavior is to throw an error when the token is invalid, so you can add your custom logic to manage unauthorized access as follows:`
120
121	```javascript
122	`app.use(guard.check('admin'))`
123
124	`app.use(function (err, req, res, next) {`
125	`if (err.code === 'permission_denied') {`
126	`res.status(403).send('Forbidden');`
127	`}`
128	`});`
129	```
130
131	`Note that your error handling middleware should be defined after the jwt-permissions middleware.`
132
133	`## Excluding paths`
134
135	`This library has integration with [express-unless](https://github.com/jfromaniello/express-unless) to allow excluding paths, please refer to their [usage](https://github.com/jfromaniello/express-unless#usage).`
136
137	```javascript
138	`const checkForPermissions = guard`
139	`.check(['admin'])`
140	`.unless({ path: '/not-secret' })`
141
142	`app.use(checkForPermissions)`
143	```
144
145	`## Tests`
146
147	```
148	`$ npm install`
149	`$ npm test`
150	```
151
152	`## License`
153
154	`This project is licensed under the MIT license. See the [LICENSE](LICENSE.txt) file for more info.`