
Comments (13)

MichielDeMey commented on May 19, 2024 1

Normally the express-jwt package sets the user object on the req.
Can you show how you've configured express-jwt?

from express-jwt-permissions.

MichielDeMey commented on May 19, 2024 1

Yes, but how is express-jwt currently configured?
To configure it, check https://github.com/auth0/express-jwt

Example from their documentation:

jwt({ secret: 'shhhhhhared-secret',
  audience: 'http://myapi/protected',
  issuer: 'http://issuer' })

MichielDeMey commented on May 19, 2024 1

Can you show me the complete setup of the middleware?
express-jwt must be configured before express-jwt-permissions.

e.g.

app.use(jwt({secret: process.env.JWT_SECRET}))

app.get('/protected', guard.check('user'), (req, res) => {})

gpaluk commented on May 19, 2024

Hi @MichielDeMey

Thanks for the quick response. I am using MongoDB and so I am retrieving a User back from the database.

gpaluk commented on May 19, 2024

just calling:

jwt({secret: process.env.JWT_SECRET})

gpaluk commented on May 19, 2024

OK, changing things as I try to fix, I currently have the following:

api/v1/registry.ts
image

/server.ts
image

I can't seem to get 'unless' to play nicely and it's still blocking. (Can't even start to understand setting that up from their instructions - I receive compilation errors when I copy&paste their setup :/). Happy to take baby steps though and I wonder if everything else makes sense? Here is my JWT which can be inspected in https://jwt.io/

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwZXJtaXNzaW9ucyI6WyJ1c2VyIl0sIl9pZCI6IjVjZjUyZjc1NDA4MTk0YWI1MGZlMWNkNiIsIm5hbWUiOiJHYXJ5IFBhbHVrIiwiZW1haWwiOiJnYXJ5QHRlc3RpbmcuY29tIiwidXNlcm5hbWUiOiJnYXJ5IiwicGFzc3dvcmQiOiIkMmEkMTAkS3VTU1RBejB3UzE1Tm1GNFVCNlBvZUxMLlhrWmFmRzlKb3FWRVFadllwcWRMU2tleWJNTWUiLCJ1cGRhdGVkQXQiOiIyMDE5LTA2LTAzVDE0OjMyOjIxLjMwOVoiLCJjcmVhdGVkQXQiOiIyMDE5LTA2LTAzVDE0OjMyOjIxLjMwOVoiLCJfX3YiOjAsImlhdCI6MTU1OTY1NjczNywiZXhwIjoxNTU5NjYwMzM3fQ.MWz_sa9qkhvSyF9MJgwcuaY4HuSXyNXlQb0ZU5rN1GA

gillesdemey commented on May 19, 2024

@pluginio Can you try setting up express-unless as instructed in the README? We've added support for it to this library.

MichielDeMey commented on May 19, 2024

From what I can tell, you are using a separate Express Router.
When using server.use you actually don't share the middleware with the Router instance.

From the Express documentation:

Use the express.Router class to create modular, mountable route handlers. A Router instance is a complete middleware and routing system; for this reason, it is often referred to as a “mini-app”.

gpaluk commented on May 19, 2024

Yeh, I'm new to all of these concepts (Only working with JS for 2 weeks), and knowing that something is a mini-app is not yet meaningful lol. There seem to be a few things that I'm missing and practical examples are really useful but lacking in terms of 'overall picture':

As you can see, I bring the 'unless' library and example in. Zero account for types etc anyway, I renamed the following from:
image

to:
image

But I still have no idea how I would practically use that and so it's currently meaningless and still blocks. I just put a placeholder in to illustrate my poor assumptions:

server.use(jwt({secret: process.env.JWT_SECRET}).unless({path: ['/api/auth']}))

As for the express.Router, again, I had built the app without making any reference to this and therefore I don't know where / why I would have to make use of that.

Thanks

gpaluk commented on May 19, 2024

I'm really being left to guess about where/when I am also supposed to bring in the middleware for jwt().. etc.

image

MichielDeMey commented on May 19, 2024

As long as the jwt() middleware is defined (used) before the guard check it should work.
Looking at your latest piece of code, that is the correct way of setting it up.

Unless down the middleware in your require, you have a new Router instance set up which will create a new middleware stack on which the jwt middleware is not defined unless you define it there but then you'll have separate jwt middleware instances per route which makes no sense.

I would really not recommend creating separate Router instances; it's rarely used unless you have a specific use-case for it.

I've never really used Express to serve static files, but it's possible you'll have to unless the static route as well to prevent Express from returning an unauthorized response on static files.

gpaluk commented on May 19, 2024

OK, I think I understand now. For example, if I do this....

Screenshot 2019-06-04 at 19 52 20

Then that's a problem? And if so, is it just a case of having a static reference to a single router instance? Cheers

MichielDeMey commented on May 19, 2024

Hi Gary, indeed that would be one option.

I suggest you familiarize yourself a bit more with how Express and its middleware work for a better understanding of how to use this package.

Taking into consideration that this is not actually a bug in the package, but rather intended behaviour of Express routing I will close this issue.

If you have any more questions, StackOverflow is better suited to help you out.

from express-jwt-permissions.
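The ordering rule discussed in this thread, as an added example that is not part of any comment and is not code from express-jwt or express-jwt-permissions. It is a dependency-free sketch: `jwtAuth`, `guardCheck` and `run` are hypothetical stand-ins for `jwt()`, `guard.check()` and a single Express middleware stack, the error strings are illustrative, and the secret and token are constructed for the demo.

```javascript
const crypto = require('crypto');
const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Constructed demo token (HS256); not the token posted in the thread.
function signDemoToken(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// Stand-in for jwt({secret}): always verifies HMAC-SHA256, then sets req.user.
const jwtAuth = (secret) => (req, res, next) => {
  const [head, body, sig] = (req.headers.authorization || '').replace(/^Bearer /, '').split('.');
  if (!sig) return next(new Error('no_token'));
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  const ok = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  if (!ok) return next(new Error('invalid_signature'));
  req.user = JSON.parse(Buffer.from(body, 'base64url').toString());
  next();
};

// Stand-in for guard.check(perm): depends on req.user set by earlier middleware.
const guardCheck = (perm) => (req, res, next) => {
  if (!req.user) return next(new Error('user_object_not_found'));
  const perms = req.user.permissions || [];
  next(perms.includes(perm) ? undefined : new Error('permission_denied'));
};

// Minimal stand-in for one middleware stack: runs in order, stops at first error.
function run(stack, req) {
  let result = 'ok';
  const step = (i) => (err) => {
    if (err) result = err.message;
    else if (i < stack.length) stack[i](req, {}, step(i + 1));
  };
  step(0)();
  return result;
}

const SECRET = 'demo-secret'; // constructed value
const token = signDemoToken({ permissions: ['user'] }, SECRET);
const makeReq = (t) => ({ headers: { authorization: `Bearer ${t}` } });
const demo = () => ({
  jwtThenGuard: run([jwtAuth(SECRET), guardCheck('user')], makeReq(token)),
  guardWithoutJwt: run([guardCheck('user')], makeReq(token)),
  missingPermission: run([jwtAuth(SECRET), guardCheck('admin')], makeReq(token)),
});
console.log(demo());
```

The `guardWithoutJwt` case corresponds to a stack, such as a separate Router, on which the JWT middleware was never registered: the token is valid, but nothing has populated `req.user` by the time the guard runs.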
