northernwind

Reputation: 637

Feathersjs administrator role (or feathers middleware with auth check)

I have a stupid question with feathersjs auth hooks (or whatever). This is my code with comment:

app.get('/admin', function (req, res) {
  // I'd like to check here if (req.connection.isAdmin) then render page
  res.render('admin/admin.html', {
    title: 'admin'
  });
});

I can't find where I can implement a user-auth hook to check the user for the admin role. How can I do that?

Upvotes: 1

Views: 1734

Answers (1)

Marshall Thompson

Reputation: 945

You should be able to use the example that I posted in this other question: Feathers Js Restrict Access To Page on Server Side

In your case, you'll need to do some logic to see if the user is an administrator. By default, the JWT token that Feathers gives you will only contain the userId. You can retrieve the user record to check if the user is an administrator.

Here's an example of what you would put inside the jwt.verify block:

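jwt.verify(token, secret, function(err, decoded) {
  if (err) {
    return res.status(401).send('You are not authorized to view that page.');
  }
  // The token only carries the user id, so load the record to check the role.
  app.service('users')
    .get(decoded.id) // Or _id if you're using MongoDB
    .then(user => {
      if (user.isAdmin) {
        res.render('admin/admin.html', {
          title: 'admin'
        });
      } else {
        return res.status(401).send('You are not authorized to view that page.');
      }
    })
    // A failed lookup (e.g. the user no longer exists) must end the request too,
    // otherwise the promise rejects unhandled and the client is left waiting.
    .catch(() => res.status(401).send('You are not authorized to view that page.'));
});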

It will be possible in the next version of feathers-authentication to add values to the JWT on the server, so, for administrators, you could add an isAdmin property to the JWT payload. This will be fairly trivial to do once the pre-release version is published. Until then, the above is probably the best way to go.

Upvotes: 2
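The check from the answer above, wrapped as reusable Express-style middleware that fails closed on every path (an added example, not code from the original answer or from Feathers). The name `requireAdmin`, the injected `verifyToken` and `users` parameters and the `Authorization: Bearer` header are assumptions; unlike the answer's snippet, it sends 403 rather than 401 to an authenticated user who is not an administrator.

```javascript
// Added example. Assumptions (not from the page):
//  - the JWT arrives in an "Authorization: Bearer <token>" header;
//  - verifyToken(token, cb) wraps jwt.verify(token, secret, cb);
//  - users is app.service('users'), whose get(id) returns a promise.
function deny(res, status) {
  res.status(status).send('You are not authorized to view that page.');
  return status;
}

function requireAdmin({ verifyToken, users }) {
  return async function adminGate(req, res, next) {
    const header = (req.headers && req.headers.authorization) || '';
    const token = header.startsWith('Bearer ') ? header.slice(7) : '';
    if (!token) return deny(res, 401);

    let decoded;
    try {
      // Promisify the callback-style verifier so every failure lands in one place.
      decoded = await new Promise((ok, fail) =>
        verifyToken(token, (err, payload) => (err ? fail(err) : ok(payload))));
    } catch (err) {
      return deny(res, 401); // bad signature, expired or malformed token
    }
    if (!decoded || decoded.id == null) return deny(res, 401);

    let user;
    try {
      // Read the role from the stored record on every request, so revoking
      // admin rights takes effect before the token expires.
      user = await users.get(decoded.id); // Or decoded._id with MongoDB
    } catch (err) {
      return deny(res, 401); // user deleted or lookup failed: no access
    }
    // Only a literal boolean true counts; 'true', 1 or a missing field do not.
    if (!user || user.isAdmin !== true) return deny(res, 403);

    req.user = user; // make the verified record available to the route
    return next();
  };
}

// Usage in the app from the question:
// app.get('/admin',
//   requireAdmin({ verifyToken: (t, cb) => jwt.verify(t, secret, cb),
//                  users: app.service('users') }),
//   (req, res) => res.render('admin/admin.html', { title: 'admin' }));
```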
