    @667/express-jwt-authz
    2.4.1-1 • Public • Published

    express-jwt-authz

    This fork of https://github.com/auth0/express-jwt-authz supports restify as well as express.

    Validate a JWT's scope to authorize access to an endpoint.

    Install

    $ npm install express-jwt-authz
    

    restify@^8.5.1 is a peer dependency. express@^4.0.0 is a peer dependency. Make sure one of them is installed in your project.

    Usage

    Use together with express-jwt to both validate a JWT and make sure it has the correct permissions to call an endpoint.

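    var express = require('express');
    var jwt = require('express-jwt');
    var jwtAuthz = require('express-jwt-authz');

    var app = express();
    var options = {};

    // jwt() validates the token; jwtAuthz() then checks the scope claim on req.user.
    // 'shared_secret' is a placeholder for the real signing secret.
    app.get('/users',
      jwt({ secret: 'shared_secret' }),
      jwtAuthz([ 'read:users' ], options),
      function(req, res) { /* handle the request */ });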

    If multiple scopes are provided, the user must have at least one of the specified scopes.

    app.post('/users',
      jwt({ secret: 'shared_secret' }),
      jwtAuthz([ 'read:users', 'write:users' ], {}),
      function(req, res) { /* handle the request */ });
    
    // This user will be granted access
    var authorizedUser = {
      scope: 'read:users'
    };

    To check that the user has all the scopes provided, use the checkAllScopes: true option:

    app.post('/users',
      jwt({ secret: 'shared_secret' }),
      jwtAuthz([ 'read:users', 'write:users' ], { checkAllScopes: true }),
      function(req, res) { /* handle the request */ });
    
    // This user will have access
    var authorizedUser = {
      scope: 'read:users write:users'
    };
    
    // This user will NOT have access
    var unauthorizedUser = {
      scope: 'read:users'
    };

    The JWT must have a scope claim and it must either be a string of space-separated permissions or an array of strings. For example:

    // String:
    "write:users read:users"
    
    // Array:
    ["write:users", "read:users"]
    

    Options

    • failWithError: When set to true, will forward errors to next instead of ending the response directly. Defaults to false.
    • checkAllScopes: When set to true, all the expected scopes will be checked against the user's scopes. Defaults to false.
    • customUserKey: The property name to check for the scope key. By default, permissions are checked against req.user, but you can change it to be req.myCustomUserKey with this option. Defaults to user.
    • customScopeKey: The property name to check for the actual scope. By default, permissions are checked against user.scope, but you can change it to be user.myCustomScopeKey with this option. Defaults to scope.
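
    The scope rules and options described above, as an added stand-alone example (not the package's own source). The function names, the constructed request objects and the 403 status are assumptions of this sketch; it compares whole scope tokens and fails closed on a missing or malformed claim.

```javascript
// Added example: a stand-alone re-implementation of the documented rules,
// not the package's source. All function names here are hypothetical.
function userScopes(req, options) {
  const user = req[options.customUserKey || 'user'];
  if (!user) return null;                       // no verified token payload
  const claim = user[options.customScopeKey || 'scope'];
  if (typeof claim === 'string') return claim.split(' ').filter(Boolean);
  if (Array.isArray(claim) && claim.every((s) => typeof s === 'string')) return claim;
  return null;                                  // malformed claim: fail closed
}

function isAuthorized(req, expected, options = {}) {
  const granted = userScopes(req, options);
  if (granted === null) return false;
  // Exact token comparison: 'read:users' must not match 'read:users:all'.
  const has = (scope) => granted.includes(scope);
  return options.checkAllScopes ? expected.every(has) : expected.some(has);
}

function requireScopes(expected, options = {}) {
  return function (req, res, next) {
    if (isAuthorized(req, expected, options)) return next();
    const err = new Error('Insufficient scope');
    err.statusCode = 403;                       // assumed status for this sketch
    if (options.failWithError) return next(err); // let the error handler respond
    res.statusCode = 403;
    res.end(err.message);
  };
}

// Constructed request objects, shaped as a JWT middleware would leave them.
const samples = [
  [{ user: { scope: 'read:users' } }, {}],
  [{ user: { scope: 'read:users' } }, { checkAllScopes: true }],
  [{ user: { scope: ['write:users', 'read:users'] } }, { checkAllScopes: true }],
  [{ user: { scope: 'read:users:all' } }, {}],
  [{ auth: { permissions: ['write:users'] } },
    { customUserKey: 'auth', customScopeKey: 'permissions' }],
  [{}, {}],
];
for (const [req, opts] of samples) {
  const ok = isAuthorized(req, ['read:users', 'write:users'], opts);
  console.log(JSON.stringify(req), JSON.stringify(opts), ok);
}
```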

    Issue Reporting

    For issues directly related to restify support, please report them in this repository's issues section.

    If you have found a bug or if you have a feature request, please report it at https://github.com/auth0/express-jwt-authz/issues. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

    Author

    June07

    License

    This project is licensed under the MIT license. See the LICENSE file for more info.

    Install

    npm i @667/express-jwt-authz

    Weekly Downloads: 19

    Version: 2.4.1-1

    License: MIT

    Unpacked Size: 8.51 kB

    Total Files: 6
