create-express-auth-middleware

create-express-auth-middleware

Library to easily create Express JS authentication and authorization middlewares using predicate functions.

Installation

npm install create-express-auth-middleware

Example

View samples folder for more specific examples

1. Make a API call from client, and include an Authorization header, e.g.

   Authorization: Bearer <your-client-token>
   

2. If an API call is made with a valid token, you can access the decoded token object from request

   const app = require("express")();
   const { create_authn_middleware, create_authz_middleware } = require("create-express-auth-middleware");
   
   // Make all routes in this express app to be authentication protected.
   // Meaning all routes defined later can only be called if a valid JWT is provided.
   // This DOES NOT mean that routes are fully protected yet,
   // as you need to ensure users have sufficient permission to access APIs using authorization middleware.
   app.use(create_authn_middleware((req) => req.get("Authorization") === "some_JWT_Value"));
   
   // The actual route that requires both authentication and authorization to run.
   app.get(
       "/data/:userID",
   
       // Add authorization middleware to ensure users can only access their own data
       // Checks that the specified userID in the URL matches user's own userID value in their token.
       create_authz_middleware((req) => decodeJWT(req.get("Authorization")).userID === req.params.userID),
   
       // This request handler will only run if both predicate above returns true!
       (req, res) => res.status(200).json({ data: "Protected user data" })
   );
   

3. If authentication failed, you get a 401 code with the following response by default

   {
       "ok": false,
       "error": "Authentication Failed"
   }
   

4. If authorization failed, you get a 403 code with the following response by default

   {
       "ok": false,
       "error": "Authorization Failed"
   }
   

Notes

Attaching decoded token to a custom key on Request object

Since authentication middleware allows you to choose which key to attach the decoded token to using the attachUserTo variable during setup, if you would like to use authorization middleware too, then you MUST ensure that they both use the same key to reference the token.

// If you set attachUserTo for the authentication middleware
app.use(authMiddleWare.authn(firebaseAuth, { attachUserTo: "userToken" }));

app.get(
    "/data/:userID",

    // You need to set the same value for the authorization middleware to ensure the middleware can find the token
    authMiddleWare.authz((token, req) => token.org === req.params.userID, { attachUserTo: "userToken" }),

    (req, res) => {
        console.log("Decoded token: ", req.authenticatedUser);
        res.status(200).end();
    }
);

Why are there 2 middlewares? Why can't it just be one?

The reason why authn and authz are 2 separate middlewares is because, if combined then the parsing auth header code will be repeated every single route, when in practice (most of the time) all if not most routes are authentication protected, with every route using a different function to check if user is authorised.
So it is easier to have them as 2 seperate middlewares, to apply authentication middleware over all routes, while using specific authorization middlewares for individual route.

Using with Auth providers

Instead of building your own authentication and authorization backend, you can use auth providers like Firebase Auth, Okta, Auth0 to provide auth services and just use this library to create authentication and authorization middlewares built on top of their API.

Integrations available

• Firebase Auth

License and Author

This project is made available under MIT LICENSE and written by JJ