1 | # Express JWT Permissions
|
2 |
|
3 | [![Node.js CI](https://github.com/MichielDeMey/express-jwt-permissions/workflows/Node.js%20CI/badge.svg)](https://github.com/MichielDeMey/express-jwt-permissions/actions?query=workflow%3A%22Node.js+CI%22)
|
4 | [![CodeQL](https://github.com/MichielDeMey/express-jwt-permissions/actions/workflows/codeql-analysis.yml/badge.svg?branch=master)](https://github.com/MichielDeMey/express-jwt-permissions/actions/workflows/codeql-analysis.yml)
|
5 | [![codecov](https://codecov.io/gh/MichielDeMey/express-jwt-permissions/branch/master/graph/badge.svg?token=UXWXehGp1x)](https://codecov.io/gh/MichielDeMey/express-jwt-permissions)
|
6 | [![npm](https://img.shields.io/npm/dm/express-jwt-permissions.svg?maxAge=2592000)](https://www.npmjs.com/package/express-jwt-permissions)
|
7 |
|
8 | [![js-standard-style](https://cdn.rawgit.com/feross/standard/master/badge.svg)](https://github.com/feross/standard)
|
9 |
|
10 | Middleware that checks JWT tokens for permissions, recommended to be used in conjunction with [express-jwt](https://github.com/auth0/express-jwt).
|
11 |
|
12 | ## Install
|
13 |
|
14 | ```
|
15 | npm install express-jwt-permissions --save
|
16 | ```
|
17 |
|
18 | ## Usage
|
19 |
|
20 | This middleware assumes you already have a JWT authentication middleware such as [express-jwt](https://github.com/auth0/express-jwt).
|
21 |
|
22 | The middleware will check a decoded JWT token to see if a token has permissions to make a certain request.
|
23 |
|
24 | Permissions should be described as an array of strings inside the JWT token, or as a space-delimited [OAuth 2.0 Access Token Scope](https://tools.ietf.org/html/rfc6749#section-3.3) string.
|
25 |
|
26 | ```json
|
27 | "permissions": [
|
28 | "status",
|
29 | "user:read",
|
30 | "user:write"
|
31 | ]
|
32 | ```
|
33 |
|
34 | ```json
|
35 | "scope": "status user:read user:write"
|
36 | ```
|
37 |
|
38 | If your JWT structure looks different you should map or reduce the results to produce a simple Array or String of permissions.
|
39 |
|
40 | ### Using permission Array
|
41 | To verify a permission for all routes using an array:
|
42 |
|
43 | ```javascript
|
44 | var guard = require('express-jwt-permissions')()
|
45 |
|
46 | app.use(guard.check('admin'))
|
47 | ```
|
48 |
|
49 | If you require different permissions per route, you can set the middleware per route.
|
50 |
|
51 | ```javascript
|
52 | var guard = require('express-jwt-permissions')()
|
53 |
|
54 | app.get('/status', guard.check('status'), function(req, res) { ... })
|
55 | app.get('/user', guard.check(['user:read']), function(req, res) { ... })
|
56 | ```
|
57 |
|
58 | Logical combinations of required permissions can be made using nested arrays.
|
59 |
|
60 | Single string
|
61 | ```js
|
62 | // Required: "admin"
|
63 | app.use(guard.check(
|
64 | 'admin'
|
65 | ))
|
66 | ```
|
67 |
|
68 | Array of strings
|
69 |
|
70 | ```javascript
|
71 | // Required: "read" AND "write"
|
72 | app.use(guard.check(
|
73 | ['read', 'write']
|
74 | ))
|
75 | ```
|
76 |
|
77 | Array of arrays of strings
|
78 |
|
79 | ```javascript
|
80 | // Required: "read" OR "write"
|
81 | app.use(guard.check([
|
82 | ['read'],
|
83 | ['write']
|
84 | ]))
|
85 |
|
86 | // Required: "admin" OR ("read" AND "write")
|
87 | app.use(guard.check([
|
88 | ['admin'],
|
89 | ['read', 'write']
|
90 | ]))
|
91 | ```
|
92 |
|
93 | ### Configuration
|
94 | To set where the module can find the user property (default `req.user`) you can set the `requestProperty` option.
|
95 |
|
96 | To set where the module can find the permissions property inside the `requestProperty` object (default `permissions`), set the `permissionsProperty` option.
|
97 |
|
98 | Example:
|
99 |
|
100 | Consider you've set your permissions as `scope` on `req.identity`, your JWT structure looks like:
|
101 |
|
102 | ```json
|
103 | "scope": "user:read user:write"
|
104 | ```
|
105 |
|
106 | You can pass the configuration into the module:
|
107 |
|
108 | ```javascript
|
109 | var guard = require('express-jwt-permissions')({
|
110 | requestProperty: 'identity',
|
111 | permissionsProperty: 'scope'
|
112 | })
|
113 |
|
114 | app.use(guard.check('user:read'))
|
115 | ```
|
116 |
|
117 | ## Error handling
|
118 |
|
119 | The default behavior is to throw an error when the token is invalid, so you can add your custom logic to manage unauthorized access as follows:
|
120 |
|
121 | ```javascript
|
122 | app.use(guard.check('admin'))
|
123 |
|
124 | app.use(function (err, req, res, next) {
|
125 | if (err.code === 'permission_denied') {
|
126 | res.status(403).send('Forbidden');
|
127 | }
|
128 | });
|
129 | ```
|
130 |
|
131 | **Note** that your error handling middleware should be defined after the jwt-permissions middleware.
|
132 |
|
133 | ## Excluding paths
|
134 |
|
135 | This library has integration with [express-unless](https://github.com/jfromaniello/express-unless) to allow excluding paths, please refer to their [usage](https://github.com/jfromaniello/express-unless#usage).
|
136 |
|
137 | ```javascript
|
138 | const checkForPermissions = guard
|
139 | .check(['admin'])
|
140 | .unless({ path: '/not-secret' })
|
141 |
|
142 | app.use(checkForPermissions)
|
143 | ```
|
144 |
|
145 | ## Tests
|
146 |
|
147 | ```
|
148 | $ npm install
|
149 | $ npm test
|
150 | ```
|
151 |
|
152 | ## License
|
153 |
|
154 | This project is licensed under the MIT license. See the [LICENSE](LICENSE.txt) file for more info.
|