express-restricted
express-restricted is a simple Node.js package for Express.js middleware to restrict access to API endpoints with the use of JSON Web Tokens.
Installation
Installation is done through npm:
$ npm i express-restricted
or if you use yarn:
$ yarn add express-restricted
Options

- `config` - Configuration object whose properties tell the middleware where in the `req` object to look for the token.
  - `reqProp` - REQUIRED, String - first child of the `req` object (`body`, `headers`, ...)
  - `childProp` - OPTIONAL, String - child of `reqProp` (`Authorization`, ...)
  - `identifier` - REQUIRED, String - A property of the JWT payload used to identify access rights to the endpoint.
  - `jwtKey` - REQUIRED, String - containing the secret for HMAC algorithms. Used to generate the JSON Web Token. The decoded payload of the token is added to the request object as the `decoded` property.

  Example:

  ```js
  const config = {
    reqProp: 'headers',
    childProp: 'authorization',
    identifier: 'user_type',
    jwtKey: 'ThereIsNoSecret'
  };
  ```

- `allow` - REQUIRED, String or Array of Strings or an empty Array - Used to list the `identifier` values which are allowed to access the endpoint. An empty array will make the endpoint accessible to any identifier value. The JWT verification still has to pass.

  Example:

  ```js
  const allow = ['admin', 'maintainer'];
  ```
Usage
Restrict access to an endpoint
```js
const express = require('express');
const restricted = require('express-restricted');

const server = express(); // the Express application the router is mounted on
const router = express.Router();

const config = {
  reqProp: 'headers',
  childProp: 'authorization',
  identifier: 'user_type',
  jwtKey: 'ThereIsNoSecret'
};

const allow = {
  all: [], // any identifier value has access
  staff: ['receptionist'],
  admins: ['super admin', 'admin']
};

// restricted(config, allow) runs before the handler; req.decoded holds the verified payload
router.get('/all', restricted(config, allow.all), (req, res) => res.json(req.decoded));
router.get('/staff', restricted(config, allow.staff), (req, res) => res.json(req.decoded));
router.get('/admins', restricted(config, allow.admins), (req, res) => res.json(req.decoded));

server.use(router);
```
Restrict access to all endpoints in a route
```js
const express = require('express');
const restricted = require('express-restricted');

const server = express(); // the Express application the router is mounted on
const router = express.Router();

const config = {
  reqProp: 'headers',
  childProp: 'authorization',
  identifier: 'user_type',
  jwtKey: 'ThereIsNoSecret'
};

const admins = ['super admin', 'admin'];

// Restricts all router endpoints to admins only
router.use(restricted(config, admins));

router.get('/users', (req, res) => res.json(req.decoded));
router.get('/settings', (req, res) => res.json(req.decoded));
router.get('/reports', (req, res) => res.json(req.decoded));

server.use(router);
```