express-jwt-authz
Advanced tools
Validate a JWTs scope to authorize access to an endpoint.
$ npm install express-jwt-authz
express@^4.0.0is a peer dependency. Make sure it is installed in your project.
Use together with express-jwt to both validate a JWT and make sure it has the correct permissions to call an endpoint.
var jwt = require('express-jwt');
var jwtAuthz = require('express-jwt-authz');
var options = {};
app.get('/users',
jwt({ secret: 'shared_secret' }),
jwtAuthz([ 'read:users' ], options),
function(req, res) { ... });
If multiple scopes are provided, the user must have at least one of the specified scopes.
app.post('/users',
jwt({ secret: 'shared_secret' }),
jwtAuthz([ 'read:users', 'write:users' ], {}),
function(req, res) { ... });
// This user will be granted access
var authorizedUser = {
scope: 'read:users'
};
To check that the user has all the scopes provided, use the checkAllScopes: true option:
app.post('/users',
jwt({ secret: 'shared_secret' }),
jwtAuthz([ 'read:users', 'write:users' ], { checkAllScopes: true }),
function(req, res) { ... });
// This user will have access
var authorizedUser = {
scope: 'read:users write:users'
};
// This user will NOT have access
var unauthorizedUser = {
scope: 'read:users'
};
The JWT must have a scope claim and it must either be a string of space-separated permissions or an array of strings. For example:
// String:
"write:users read:users"
// Array:
["write:users", "read:users"]
failWithError: When set to true, will forward errors to next instead of ending the response directly. Defaults to false.checkAllScopes: When set to true, all the expected scopes will be checked against the user's scopes. Defaults to false.customUserKey: The property name to check for the scope key. By default, permissions are checked against req.user, but you can change it to be req.myCustomUserKey with this option. Defaults to user.customScopeKey: The property name to check for the actual scope. By default, permissions are checked against user.scope, but you can change it to be user.myCustomScopeKey with this option. Defaults to scope.If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
This project is licensed under the MIT license. See the LICENSE file for more info.
FAQs
Validate a JWTs scope to authorize access to an endpoint
The npm package express-jwt-authz receives a total of 23,673 weekly downloads. As such, express-jwt-authz popularity was classified as popular.
We found that express-jwt-authz demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 38 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.
Security News
ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.
Security News
NIST's new password guidelines remove periodic changes and special character requirements, focusing on longer, more secure passwords for better authentication practices.