New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
create-express-auth-middleware
Advanced tools
create-express-auth-middleware - npm Package Compare versions
Comparing version 1.0.0 to 1.1.0
@@ -1,3 +0,1 @@ | ||
| /// <reference types="qs" /> | ||
| /// <reference types="express" /> | ||
| export declare const create_authn_middleware: (predicate: (req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>) => any, { errorJSON, errorMessage, errorHandler, }?: { | ||
@@ -4,0 +2,0 @@ errorJSON?: object; |
@@ -1,3 +0,1 @@ | ||
| /// <reference types="qs" /> | ||
| /// <reference types="express" /> | ||
| export declare const create_authz_middleware: (predicate: (req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>) => any, { errorJSON, errorMessage, errorHandler, }?: { | ||
@@ -4,0 +2,0 @@ errorJSON?: object; |
| { | ||
| "name": "create-express-auth-middleware", | ||
| "description": "Library to create Express JS authentication and authorization middlewares", | ||
| "version": "1.0.0", | ||
| "version": "1.1.0", | ||
| "main": "./dist/index.js", | ||
@@ -6,0 +6,0 @@ "types": "./dist", |
@@ -35,5 +35,12 @@ # create-express-auth-middleware | ||
| // Add authorization middleware to ensure users can only access their own data | ||
| // Uses an imaginary decodeJWT function | ||
| // Checks that the specified userID in the URL matches user's own userID value in their token. | ||
| create_authz_middleware((req) => decodeJWT(req.get("Authorization")).userID === req.params.userID), | ||
| // Uses an imaginary rate limiting function | ||
| // If the function fails, the error object is returned, | ||
| // The object can contain 'status' to override the error status code, | ||
| // and can have a 'error' string to override the default error message | ||
| create_authz_middleware((req) => isNotRateLimited(req) || { status: 429, error: "Too many requests" }), | ||
| // This request handler will only run if both predicate above returns true! | ||
@@ -46,6 +53,3 @@ (req, res) => res.status(200).json({ data: "Protected user data" }) | ||
| ```json | ||
| { | ||
| "ok": false, | ||
| "error": "Authentication Failed" | ||
| } | ||
| { "ok": false, "error": "Authentication Failed" } | ||
| ``` | ||
@@ -55,35 +59,8 @@ | ||
| ```json | ||
| { | ||
| "ok": false, | ||
| "error": "Authorization Failed" | ||
| } | ||
| { "ok": false, "error": "Authorization Failed" } | ||
| ``` | ||
| The only difference between authentication middlewares and authorization middlewares is their error HTTP status codes and their default error responses as shown above. | ||
| ## Notes | ||
| ### Attaching decoded token to a custom key on Request object | ||
| Since authentication middleware allows you to choose which key to attach the decoded token to using the `attachUserTo` variable during setup, if you would like to use authorization middleware too, then you MUST ensure that they both use the same key to reference the token. | ||
| ```js | ||
| // If you set attachUserTo for the authentication middleware | ||
| app.use(authMiddleWare.authn(firebaseAuth, { attachUserTo: "userToken" })); | ||
| app.get( | ||
| "/data/:userID", | ||
| // You need to set the same value for the authorization middleware to ensure the middleware can find the token | ||
| authMiddleWare.authz((token, req) => token.org === req.params.userID, { attachUserTo: "userToken" }), | ||
| (req, res) => { | ||
| console.log("Decoded token: ", req.authenticatedUser); | ||
| res.status(200).end(); | ||
| } | ||
| ); | ||
| ``` | ||
| ### Why are there 2 middlewares? Why can't it just be one? | ||
| The reason why authn and authz are 2 separate middlewares is because, if combined then the parsing auth header code will be repeated every single route, when in practice (most of the time) all if not most routes are authentication protected, with every route using a different function to check if user is authorised. | ||
| So it is easier to have them as 2 seperate middlewares, to apply authentication middleware over all routes, while using specific authorization middlewares for individual route. | ||
| ## Using with Auth providers | ||
@@ -90,0 +67,0 @@ Instead of building your own authentication and authorization backend, you can use auth providers like Firebase Auth, Okta, Auth0 to provide auth services and just use this library to create authentication and authorization middlewares built on top of their API. |
No alert changes
Worsened metrics
- Total package byte prevSize
- decreased by-9.78%
9187
- Lines of code
- decreased by-5.06%
75
- Number of lines in readme file
- decreased by-24.47%
71
No dependency changes