jwt-guard

1.0.1 • Public • Published

Provides Express middleware for guarding resources based on JWT roles and claims. Supports chaining with and/or.

Works great with Auth0 or other JWT implementations.

app.get('/user/:id', function (req, res) {
    req.token.require
        .role('admin')
        .or.claim('user_id', req.params.id)
        .guard()    
 
    res.send('You are allowed to access this user!')
})

Installation

npm install jwt-guard

Include the Express middleware as early as possible. It validates and decodes the JWT from the Authorization: Bearer header using jsonwebtoken.

import express from 'express'
import jwtGuard from 'jwt-guard'

const app = express()

// The argument is the secret used to verify token signatures. Load it from
// configuration or the environment rather than hardcoding it as in this example.
app.use(jwtGuard('secret_key_shhhhh'))

Usage

A .token object is added to every request. It can be used to guard access by requiring roles and/or claims.

Guard

Guarding throws an HTTP error on failure.

Using roles

Roles come from the roles claim in the JWT payload.

app.get('/admin-area', function (req, res) {
    req.token.require.role('admin').guard()
    
    res.send('Welcome to the secret area')
})

Using claims

Claims come from the payload of the JWT. Often this is used to hold things like user_id.

app.post('/user', function (req, res) {
    const userId = req.body.user_id

    // the user_id claim in the verified token must equal the id being updated
    req.token.require.claim('user_id', userId)
        .guard('Sorry you can only update your own account.')

    // passed, update logic here
})

Chaining roles and claims

You can require multiple roles and claims by chaining with or and and.

app.post('/blog', function (req, res) {
    req.token.require
        .role('blog:post')
        .or.role('blog:admin')
        .or.role('god')
        .guard()

    // passed, post the blog
})
app.delete('/blog/:id', function (req, res) {
    // load the post from your data store; only the owner id is needed here
    const blogPost = { ownerUserId: '...' }

    req.token.require
        .role('admin')
        .or.claim('user_id', blogPost.ownerUserId)
        .and.role('blog:delete')
        .guard()

    // passed, delete the blog
})
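The README does not say how a mixed chain such as role('admin').or.claim('user_id', ...).and.role('blog:delete') is grouped: read strictly left to right it means (admin OR owner) AND blog:delete, while with the usual boolean precedence it means admin OR (owner AND blog:delete). The added example below (not jwt-guard's code; role, claim, evalLeftToRight, evalAndBindsTighter and findDisagreements are hypothetical names, and the payloads are constructed) evaluates both readings over the same verified payloads and lists where they disagree, which is exactly the case to pin down with a test before relying on such a chain. It also compares claim values with strict equality, so a user_id of '42' does not match 42.

```javascript
// Added example (not jwt-guard's own code): two possible groupings of an
// or/and chain, evaluated over already-verified payloads.

// A chain is a flat list: [term, op, term, op, term, ...] with op = 'or' | 'and'.
function role(name) { return { kind: 'role', name } }
function claim(key, value) { return { kind: 'claim', key, value } }

// Does one term hold for a decoded (and verified) payload?
function holds(term, payload) {
  if (term.kind === 'role') {
    const roles = Array.isArray(payload.roles) ? payload.roles : []
    return roles.includes(term.name)
  }
  // strict equality: a string '42' must not satisfy a numeric 42
  return Object.prototype.hasOwnProperty.call(payload, term.key) && payload[term.key] === term.value
}

// Reading A: strictly left to right, each operator applied to the running result.
function evalLeftToRight(chain, payload) {
  let result = holds(chain[0], payload)
  for (let i = 1; i < chain.length; i += 2) {
    const rhs = holds(chain[i + 1], payload)
    result = chain[i] === 'and' ? (result && rhs) : (result || rhs)
  }
  return result
}

// Reading B: 'and' binds tighter than 'or' (ordinary boolean precedence).
function evalAndBindsTighter(chain, payload) {
  // split into 'or'-separated groups; each group is a conjunction of terms
  const groups = [[chain[0]]]
  for (let i = 1; i < chain.length; i += 2) {
    if (chain[i] === 'or') groups.push([chain[i + 1]])
    else groups[groups.length - 1].push(chain[i + 1])
  }
  return groups.some(g => g.every(t => holds(t, payload)))
}

// Payloads on which the two readings give different authorization decisions.
function findDisagreements(chain, payloads) {
  return payloads.filter(p => evalLeftToRight(chain, p) !== evalAndBindsTighter(chain, p))
}

// The README's delete-blog chain, with a constructed post owner id of 42.
const deleteChain = [role('admin'), 'or', claim('user_id', 42), 'and', role('blog:delete')]

// Constructed sample payloads, as a verified token might carry them.
const samplePayloads = [
  { sub: 'a', user_id: 7,   roles: ['admin'] },         // admin without blog:delete
  { sub: 'b', user_id: 42,  roles: [] },                // owner without blog:delete
  { sub: 'c', user_id: 42,  roles: ['blog:delete'] },   // owner with blog:delete
  { sub: 'd', user_id: 9,   roles: ['blog:delete'] },   // neither admin nor owner
  { sub: 'e', user_id: '42', roles: ['blog:delete'] },  // owner id as a string, not a number
]

for (const p of findDisagreements(deleteChain, samplePayloads)) {
  console.log(`readings disagree for sub=${p.sub}: left-to-right=${evalLeftToRight(deleteChain, p)} and-binds-tighter=${evalAndBindsTighter(deleteChain, p)}`)
}
```

For the delete-blog chain the only disagreement is the admin who lacks blog:delete: allowed under one reading, denied under the other. Whichever grouping the library implements, a route test for that token is the cheap way to make sure the chain encodes the policy you intended.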

Check

Works like .guard() but returns true or false instead of throwing an error. Supports chaining as well.

app.get('/admin-area', function (req, res) {
    const isAdmin = req.token.require.role('admin').check

    if (isAdmin) {
        res.send('Welcome to the secret area')
    } else {
        res.redirect('/')
    }
})

Getting a claim

Retrieving the value of a claim is easy: every claim of the verified JWT payload is available on req.token.claims.

app.get('/', function (req, res) {
    const name = req.token.claims.name
    
    res.send(`Hello ${name}`)
})

License

MIT

Unpacked Size

18.3 kB

Total Files

11

Collaborators

  • justinkalland