Comments (13)
Normally the `express-jwt` package sets the `user` object on the `req`.
Can you show how you've configured `express-jwt`?
from express-jwt-permissions.
Yes, but how is `express-jwt` currently configured?
To configure it, check https://github.com/auth0/express-jwt
Example from their documentation:
jwt({ secret: 'shhhhhhared-secret',
audience: 'http://myapi/protected',
issuer: 'http://issuer' })
from express-jwt-permissions.
Can you show me the complete setup of the middleware?
`express-jwt` must be configured before `express-jwt-permissions`.
e.g.
app.use(jwt({secret: process.env.JWT_SECRET}))
app.get('/protected', guard.check('user'), (req, res) => {})
from express-jwt-permissions.
Thanks for the quick response. I am using MongoDB and so I am retrieving a User back from the database.
from express-jwt-permissions.
just calling:
jwt({secret: process.env.JWT_SECRET})
from express-jwt-permissions.
OK, changing things as I try to fix, I currently have the following:
I can't seem to get 'unless' to play nicely and it's still blocking. (Can't even start to understand setting that up from their instructions - I receive compilation errors when I copy&paste their setup :/). Happy to take baby steps though and I wonder if everything else makes sense? Here is my JWT which can be inspected in https://jwt.io/
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwZXJtaXNzaW9ucyI6WyJ1c2VyIl0sIl9pZCI6IjVjZjUyZjc1NDA4MTk0YWI1MGZlMWNkNiIsIm5hbWUiOiJHYXJ5IFBhbHVrIiwiZW1haWwiOiJnYXJ5QHRlc3RpbmcuY29tIiwidXNlcm5hbWUiOiJnYXJ5IiwicGFzc3dvcmQiOiIkMmEkMTAkS3VTU1RBejB3UzE1Tm1GNFVCNlBvZUxMLlhrWmFmRzlKb3FWRVFadllwcWRMU2tleWJNTWUiLCJ1cGRhdGVkQXQiOiIyMDE5LTA2LTAzVDE0OjMyOjIxLjMwOVoiLCJjcmVhdGVkQXQiOiIyMDE5LTA2LTAzVDE0OjMyOjIxLjMwOVoiLCJfX3YiOjAsImlhdCI6MTU1OTY1NjczNywiZXhwIjoxNTU5NjYwMzM3fQ.MWz_sa9qkhvSyF9MJgwcuaY4HuSXyNXlQb0ZU5rN1GA
from express-jwt-permissions.
@pluginio Can you try setting up `express-unless` as instructed in the README? We've added support for it to this library.
from express-jwt-permissions.
From what I can tell, you are using a separate Express Router.
When using `server.use` you actually don't share the middleware with the Router instance.
From the Express documentation:
Use the express.Router class to create modular, mountable route handlers. A Router instance is a complete middleware and routing system; for this reason, it is often referred to as a “mini-app”.
from express-jwt-permissions.
Yeh, I'm new to all of these concepts (Only working with JS for 2 weeks), and knowing that something is a mini-app is not yet meaningful lol. There seems to be a few things that I'm missing and practical examples are really useful but lacking in terms of 'overall picture':
As you can see, I bring the 'unless' library and example in. Zero account for types etc anyway, I renamed the following from:
But I still have no idea how I would practically use that and so it's currently meaningless and still blocks. I just put a placeholder in to illustrate my poor assumptions:
server.use(jwt({secret: process.env.JWT_SECRET}).unless({path: ['/api/auth']}))
As for the `express.Router`, again, I had built the app without making any reference to this and therefore I don't know where / why I would have to make use of that.
Thanks
from express-jwt-permissions.
I'm really being left to guess about where/when I am also supposed to bring in the middleware for jwt().. etc.
from express-jwt-permissions.
As long as the `jwt()` middleware is defined (`use`d) before the `guard` check it should work.
Looking at your latest piece of code, that is the correct way of setting it up.
Unless down the middleware in your `require`, you have a new `Router` instance set up which will create a new middleware stack on which the `jwt` middleware is not defined unless you define it there but then you'll have separate `jwt` middleware instances per route which makes no sense.
I would really not recommend creating separate Router instances, it's rarely used unless you have a specific use-case for it.
I've never really used Express to serve static files, but it's possible you'll have to `unless` the static route as well to prevent Express from returning an unauthorized response on static files.
from express-jwt-permissions.
OK, I think I understand now. For example, if I do this....
Then that's a problem? And if so, is it just a case of having a static reference to a single router instance? Cheers
from express-jwt-permissions.
Hi Gary, indeed that would be one option.
I suggest you familiarize yourself a bit more with how Express and its middleware works for a better understanding on how to use this package.
Taking into consideration that this is not actually a bug in the package, but rather intended behaviour of Express routing I will close this issue.
If you have any more questions, StackOverflow is better suited to help you out.
from express-jwt-permissions.
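The ordering point made in the replies above, as an added example that is not part of the thread or of either package's code: dependency-free stand-ins (`jwtStandIn`, `guardStandIn` and `run` are hypothetical names) model a middleware stack to show that the permission check only passes when the token middleware ran earlier on the same stack. The secret and the token are constructed for the example.

```javascript
const crypto = require('crypto');
const SECRET = 'constructed-demo-secret'; // constructed value, not from the thread
const b64 = (v) => Buffer.from(v).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Builds a constructed HS256 token for the sample requests.
function sign(payload) {
  const body = `${b64('{"alg":"HS256","typ":"JWT"}')}.${b64(JSON.stringify(payload))}`;
  return `${body}.${hmac(body)}`;
}

// Hypothetical stand-in for jwt({secret}).unless({path}); fixed HMAC-SHA256, no exp check.
function jwtStandIn({ unless = [] } = {}) {
  return (req, next) => {
    if (unless.includes(req.path)) return next(); // skipped path: req.user stays unset
    const [h, p, sig] = (req.token || '').split('.');
    const expected = Buffer.from(hmac(`${h}.${p}`));
    const given = Buffer.from(sig || '');
    const ok = given.length === expected.length && crypto.timingSafeEqual(given, expected);
    if (!ok) return next(new Error('invalid token'));
    req.user = JSON.parse(Buffer.from(p, 'base64url').toString());
    next();
  };
}

// Hypothetical stand-in for guard.check(): it only reads what earlier middleware set.
function guardStandIn(required) {
  return (req, next) => {
    if (!req.user) return next(new Error('user object not found'));
    const perms = req.user.permissions || [];
    next(perms.includes(required) ? undefined : new Error('permission denied'));
  };
}

// Runs one middleware stack in registration order and reports where the request ended.
function run(stack, req) {
  let result = 'handler reached';
  let i = 0;
  const next = (err) => {
    if (err) result = err.message;
    else if (i < stack.length) stack[i++](req, next);
  };
  next();
  return result;
}

const token = sign({ permissions: ['user'] });
const appStack = [jwtStandIn({ unless: ['/api/auth'] }), guardStandIn('user')];
const routerStack = [guardStandIn('user')]; // separate stack: jwt was never registered here
console.log(run(appStack, { path: '/protected', token }), '|', run(routerStack, { path: '/protected', token }));
```

A path excluded with `unless` never gets `req.user`, so a permission check placed on that same path fails in the same way as the stack that lacks the token middleware.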