🔐 JSON Server Auth
JWT authentication middleware for JSON Server
Because you also need a fake authentication & authorization flow for your prototyping.
Getting started
Install both JSON Server and JSON Server Auth :
npm install -D json-server json-server-auth
yarn add -D json-server json-server-auth
Create a db.json
file with a users
collection :
{
"users": []
}
Start JSON server (with JSON server Auth as middleware) :
json-server db.json -m ./node_modules/json-server-auth
📢 but wait !
As a convenience, json-server-auth
CLI exposes json-server
bundled with its middlewares :
json-server-auth db.json
It exposes and works the same for all JSON Server flags.
Authentication flow 🔑
JSON Server Auth adds a simple JWT based authentication flow.
Register 👥
Any of the following routes registers a new user :
POST /register
POST /signup
POST /users
email
and password
are required in the request body :
POST /register
{
"email": "olivier@mail.com",
"password": "bestPassw0rd"
}
The password is encrypted by bcryptjs.
The response contains the JWT access token (expiration time of 1 hour) :
201 Created
{
"accessToken": "xxx.xxx.xxx"
}
Other properties
Any other property can be added to the request body without being validated :
POST /register
{
"email": "olivier@mail.com",
"password": "bestPassw0rd",
"firstname": "Olivier",
"lastname": "Monge",
"age": 32
}
Update
Any update to an existing user (via PATCH
or PUT
methods) will go through the same process for email
and password
.
Login 🛂
Any of the following routes logs an existing user in :
email
and password
are required, of course :
POST /login
{
"email": "olivier@mail.com",
"password": "bestPassw0rd"
}
The response contains the JWT access token (expiration time of 1 hour) :
200 OK
{
"accessToken": "xxx.xxx.xxx"
}
JWT payload 📇
The access token has the following claims :
sub
: the user id
(as per the JWT specs).email
: the user email
.
Authorization flow 🛡️
JSON Server Auth provides generic guards as route middlewares.
To handle common use cases, JSON Server Auth draws inspiration from Unix filesystem permissions, especialy the numeric notation.
- We add
4
for read permission. - We add
2
for write permission.
Of course CRUD is not a filesystem, so we don't add 1 for execute permission.
Similarly to Unix, we then have three digits to match each user type :
- First digit are the permissions for the resource owner.
- Second digit are the permissions for the logged-in users.
- Third digit are the permissions for the public users.
For example, 640
means that only the owner can write the resource, logged-in users can read the resource, and public users cannot access the resource at all.
The resource owner 🛀
A user is the owner of a resource if that resource has a userId
property that matches his id
property. Example:
{ id: 8, text: 'blabla', userId: 1 }
{ id: 1, email: 'olivier@mail.com' }
Private guarded routes will use the JWT sub
claim (which equals the user id
) to check if the user actually owns the requested resource, by comparing sub
with the userId
property.
Except for the actual users
collection, where the JWT sub
claim must match the id
property.
Guarded routes 🚥
Guarded routes exist at the root and can restrict access to any resource you put after them :
Route | Resource permissions |
---|
/664/* | User must be logged to write the resource. Everyone can read the resource. |
/660/* | User must be logged to write or read the resource. |
/644/* | User must own the resource to write the resource. Everyone can read the resource. |
/640/* | User must own the resource to write the resource. User must be logged to read the resource. |
/600/* | User must own the resource to write or read the resource. |
/444/* | No one can write the resource. Everyone can read the resource. |
/440/* | No one can write the resource. User must be logged to read the resource. |
/400/* | No one can write the resource. User must own the resource to read the resource. |
Examples
- Public user (not logged-in) does the following requests :
Request | Response |
---|
GET /664/posts | 200 OK |
POST /664/posts
{text: 'blabla'} | 401 UNAUTHORIZED |
- Logged-in user with
id: 1
does the following requests :
Request | Response |
---|
GET /600/users/1
Authorization: Bearer xxx.xxx.xxx | 200 OK |
GET /600/users/23
Authorization: Bearer xxx.xxx.xxx | 403 FORBIDDEN |
Setup permissions 💡
Of course, you don't want to directly use guarded routes in your requests.
We can take advantage of JSON Server custom routes feature to setup resource permissions ahead.
Create a routes.json
file :
{
"/users*": "/600/users$1",
"/messages*": "/640/messages$1"
}
Then :
json-server db.json -m ./node_modules/json-server-auth -r routes.json
📢 but wait !
As a convenience, json-server-auth
CLI allows you to define permissions in a more succinct way :
{
"users": 600,
"messages": 640
}
Then :
json-server-auth db.json -r routes.json
You can still add any other normal custom routes :
{
"users": 600,
"messages": 640,
"/posts/:category": "/posts?category=:category"
}
Module usage 🔩
If you go the programmatic way and use JSON Server as a module, there is an extra step to properly integrate JSON Server Auth :
⚠️ You must bind the router property db
to the created app, like the JSON Server CLI does, and you must apply the middlewares in a specific order.
const jsonServer = require('json-server')
const auth = require('json-server-auth')
const app = jsonServer.create()
const router = jsonServer.router('db.json')
app.db = router.db
app.use(auth)
app.use(router)
app.listen(3000)
Permisssions Rewriter
The custom rewriter is accessible via a subproperty :
const auth = require('json-server-auth')
const rules = auth.rewriter({
users: 600,
messages: 640,
'/posts/:category': '/posts?category=:category',
})
app.use(rules)
app.use(auth)
app.use(router)
TODO 📜