1.1.0 • Published 4 years ago
route-access-control v1.1.0
Role Based Access Control
This module is used to implement role based access to API endpoints.
Create Role
Create a new role
const { Role } = require('./route-access-control)
const admin = new Role('admin');
const student = new Role('student');
const roleName = new Role('role-name');
Check Role
There are two ways to authorize roles 1. Authorizing in the Middleware 2. Authorizing inside route handler function
1. Middleware: checkRole
The middleware expects the claimed role to be inside req.role
Extract the requester role from the JWT token and store it in req.role
Use the Middleware
checkRole(admin)
- You can check for any number of roles:
checkRole(admin, student, teacher)
- The Middleware sends 401 Error if the role is not authorized
Example
The below route will only allow users with role admin
router.post('/protected', [checkJwt, checkRole(admin)], async (req, res, next) => {
try {
res.json('This is a protected route');
} catch (error) {
next(error);
}
});
The below route will allow users with role admin or teacher
router.post('/protected', [checkJwt, checkRole(admin, teacher)], async (req, res, next) => {
try {
res.json('This is a protected route');
} catch (error) {
next(error);
}
});
2. Function :isRoleAuthorized()
Use this inside your route handler
Returns a boolean
isRoleAuthorized(requesterRole, arrayOfAllowedRoles)
Example
router.post('/protected', checkJwt, async (req, res, next) => {
try {
const claimedRole = req.role;
const allowedRoles = [admin];
const isAuthorized = await isRoleAuthorized(claimedRole, allowedRoles);
if (isAuthorized) {
res.json('This is private route');
} else {
const message = 'User not authorized';
res.status(401).json({ message });
}
} catch (error) {
next(error);
}
});