Validate a JWT's scope to authorize access to an endpoint.
```sh
$ npm install express-jwt-authz
```

`express@^4.0.0` is a peer dependency. Make sure it is installed in your project.
Use together with express-jwt to both validate a JWT and make sure it has the correct permissions to call an endpoint.

Note: express-jwt sets the decoded JWT payload on `req.auth` since version 6.0.0, so make sure to set `customUserKey: 'auth'` in the options provided to express-jwt-authz if you are using that version or newer.
```js
var express = require('express');
var jwt = require('express-jwt');
var jwtAuthz = require('express-jwt-authz');

var app = express();
// express-jwt 6+ leaves the decoded payload on req.auth, so point express-jwt-authz at it
var options = { customUserKey: 'auth' };

app.get('/users',
  // express-jwt 6+ requires an explicit allow-list of signing algorithms
  jwt({ secret: 'shared_secret', algorithms: ['HS256'] }),
  jwtAuthz([ 'read:users' ], options),
  function(req, res) { /* ... */ });
```
If multiple scopes are provided, the user must have at least one of the specified scopes.

```js
var options = { customUserKey: 'auth' };

app.post('/users',
  jwt({ secret: 'shared_secret', algorithms: ['HS256'] }),
  // either read:users or write:users is enough here
  jwtAuthz([ 'read:users', 'write:users' ], options),
  function(req, res) { /* ... */ });

// This user will be granted access
var authorizedUser = {
  scope: 'read:users'
};
```
To check that the user has all the scopes provided, use the `checkAllScopes: true` option:

```js
app.post('/users',
  jwt({ secret: 'shared_secret', algorithms: ['HS256'] }),
  // both read:users and write:users are required here
  jwtAuthz([ 'read:users', 'write:users' ], { checkAllScopes: true, customUserKey: 'auth' }),
  function(req, res) { /* ... */ });

// This user will have access
var authorizedUser = {
  scope: 'read:users write:users'
};

// This user will NOT have access
var unauthorizedUser = {
  scope: 'read:users'
};
```
The JWT must have a `scope` claim, and it must be either a string of space-separated permissions or an array of strings. For example:

```js
// String:
"write:users read:users"
// Array:
["write:users", "read:users"]
```
- `failWithError`: When set to `true`, will forward errors to `next` instead of ending the response directly. Defaults to `false`.
- `checkAllScopes`: When set to `true`, all the expected scopes will be checked against the user's scopes. Defaults to `false`.
- `customUserKey`: The property name to check for the scope key. By default, permissions are checked against `req.user`, but you can change it to be `req.myCustomUserKey` with this option. Defaults to `user`.
- `customScopeKey`: The property name to check for the actual scope. By default, permissions are checked against `user.scope`, but you can change it to be `user.myCustomScopeKey` with this option. Defaults to `scope`.
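Because the any-versus-all rule, the claim format and the two `custom*Key` options together decide who gets through, here is an added JavaScript example (not the express-jwt-authz source) that reimplements that decision on a plain `req` object so it can be exercised offline; `requireScopes` is a hypothetical name and the sample requests are constructed.

```javascript
// Added example, not express-jwt-authz's own code: a scope check with the
// semantics this README describes, so the any/all behaviour can be run
// against hand-built requests without a server. Constructed sample input.

// Normalise the scope claim: a space-separated string or an array of strings.
// Anything else (missing claim, number, object) yields null, i.e. no scopes.
function scopesOf(claim) {
  if (Array.isArray(claim)) return claim.filter(function (s) { return typeof s === 'string'; });
  if (typeof claim === 'string') return claim.split(' ').filter(Boolean);
  return null;
}

// True when the decoded token on `req` satisfies `expectedScopes`.
function hasRequiredScopes(req, expectedScopes, options) {
  var opts = Object.assign(
    { customUserKey: 'user', customScopeKey: 'scope', checkAllScopes: false },
    options || {});
  var user = req[opts.customUserKey];
  var granted = user ? scopesOf(user[opts.customScopeKey]) : null;
  if (!granted) return false;
  var has = function (s) { return granted.indexOf(s) !== -1; };
  // checkAllScopes: every expected scope is needed; otherwise any one is enough
  return opts.checkAllScopes ? expectedScopes.every(has) : expectedScopes.some(has);
}

// Express-style middleware factory (hypothetical name) built on the check above.
// With failWithError the error goes to next() for the app's error handler;
// otherwise the response is ended here with 403.
function requireScopes(expectedScopes, options) {
  var opts = options || {};
  return function (req, res, next) {
    if (hasRequiredScopes(req, expectedScopes, opts)) return next();
    var err = new Error('Insufficient scope');
    err.statusCode = 403;
    if (opts.failWithError) return next(err);
    return res.status(403).send(err.message);
  };
}

// Constructed requests shaped like what express-jwt 6+ leaves on req.auth.
var readOnly = { auth: { scope: 'read:users' } };
var readWrite = { auth: { scope: ['write:users', 'read:users'] } };
var needed = ['read:users', 'write:users'];
console.log(hasRequiredScopes(readOnly, needed, { customUserKey: 'auth' }));                        // true
console.log(hasRequiredScopes(readOnly, needed, { customUserKey: 'auth', checkAllScopes: true }));  // false
console.log(hasRequiredScopes(readWrite, needed, { customUserKey: 'auth', checkAllScopes: true })); // true
```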
If you have found a bug or have a feature request, please report it in this repository's issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
This project is licensed under the MIT license. See the LICENSE file for more info.