Reputation:
Verifying roles & authentication with Passport.js
So I'd like to make some routes in an API that will show different data based on the user role, defined in MongoDB. Here's a sampling of what I have right now, it works...
router.get('/test', passport.authenticate('bearer', {session: false}), function (req, res) {
if (req.user.role == "premium") {
return res.send('you can see this content');
}
else {
return res.send('you can not see this content');
}
})
However, the end goal is to present at least something to the user, even if they're not logged in or authenticated with the right kind of role.
router.get('/test', passport.authenticate('bearer', {session: false}), function (req, res) {
if (req.user.role == "premium") {
return res.send('this is premium content');
}
else {
// could be hit by another role, or no user at all
return res.send([some truncated version of the premium content]);
}
})
Which I would think I'd figure out how to work, but I don't know how to specify the same route which possibly could be hit without any Authorization header in the request.
Is this possible in Passport.js/Express?
Upvotes: 19
Views: 30290
Answers (3)
Reputation: 4903
I would suggest that you use HTTP status codes and an error object, this is a common API convention and it allows your API users to know what's happening and why:
app.get('/premium-resource', function(req, res, next) {
passport.authenticate('bearer', function(err, user) {
if (user){
if (user.role === 'premium'){
return res.send(200,{userContent:'you are a premium user'});
}else{
return res.send(403,{
'status': 403,
'code': 1, // custom code that makes sense for your application
'message': 'You are not a premium user',
'moreInfo': 'https://myawesomeapi.io/upgrade'
});
}
}else{
return res.send(401,{
'status': 401,
'code': 2, // custom code that makes sense for your application
'message': 'You are not authenticated.',
'moreInfo': 'https://myawesomeapi.io/docs'
});
}
})(req, res, next);
});
Disclaimer: I work at Stormpath and we put a lot of thought into API authentication and design, we have a really presentation on the topic:
https://stormpath.com/blog/designing-rest-json-apis/
Upvotes: 15
Reputation:
The solution I've found to my answer is to use an adaptation of the Passportjs.org documentation.
In the routes I need to return data, whether a user is logged in or not I can use something like:
// Test to check for authentication
app.get('/login', function(req, res, next) {
passport.authenticate('bearer', function(err, user, info) {
if (user)
// check user's role for premium or not
if (user.role == "premium")
return res.send('user is premium')
else
return res.send('user is not premium');
else
// return items even if no authentication is present, instead of 401 response
return res.send('not logged in');
})(req, res, next);
});
Upvotes: 3
Reputation: 1763
The solution is to limit the content in the view rather than the route.
router.get('/test', authenticationMiddleware, function(req, res){
var premiumFlag = req.user.role;
res.send('premiumontent', {role: premiumFlag});
});
premiumContent.jade
p This content is visible to all users
- if role === "premium"
p this content is only visible to premium users
Upvotes: 9
Related Questions
- Passport JS admin user verification
- How to implement role based authorization in Node.js using token based authentication?
- How to implement User roles in nodejs passportjs
- Using 'passport.isAuthenticated()' to check multiple user roles in Nodejs
- PassportJS authentication
- Setting admin role using connect-roles & Passport.JS
- Can this way auth user with role?
- Correct Authentication Pattern using Passport.js
- Verify access/group in Passport.js
- NodeJS Passport: Possible to authenticate roles?