Rupesh
Reputation: 890
How to make roles based middleware to access the api's with proper rights in nodejs and mongoose?
I am trying to make websites which have the roles permission It will be as
SuperAdmin - will approve admins and will have all right which admin have
Admin - will approve articles and will have all the rights which loggedin user have
Loggedin User - can post articles and will have all the rights which guest user have.
Guest(Non Loggedin User) - can see articles.
I have an idea to make schema which have role key, I make all api's but don't know how to give permission so that particular apis was access by one who has right for that.
Can please someone help me in make this auth middleware?
Thanx in advance.
Upvotes: 1
Views: 643
Answers (1)
Gor Kotikyan
Reputation: 723
So, first of all, you should have a user's role in your req object. I assume you did it. Then you can specify aliases for your roles in Database. For instance
SuperAdmin - superadmin
Admin - admin
Loggedin User - user
Guest(Non Loggedin User) - you do not need to have a role for a guest, you just can check whether user authenticated or not
The example middleware will look like
// Authentication middleware
const isAuthenticated = (roles) => (req, res, next) => {
// `roles` argument is an array of roles
// We check whether user authenticated or not.
// If user authenticated, `req.user` will be object otherwise it will be `undefined`
if(req.user) { // `req.user` is a user object from Database
// Checking whether `req.user` has a corresponded role
if (roles.indexOf(req.user.role) !== -1) next(); // `req.user.role` is string and it may be "admin", "superadmin", or "user"
else res.status(403).send({message: "unauthorized"});
} else {
res.status(401).send({message: "unauthorized"});
}
};
And you can use this middleware on router
const express = require('express');
const router = express.Router();
// Example routes
// This route is for guests
router.get('/articles', (req, res) => {
res.send({'article': 'lorem ipsum'})
});
// This route is for authenticated user
router.get('/forOnlyAuthUser', isAuthenticated(['user']) (req, res) => {
res.send({user: req.user})
});
// This route is for admin
router.get('/forOnlyAdmin', isAuthenticated(['admin']) (req, res) => {
res.send({user: req.user})
});
// This route is for superadmin
router.get('/forOnlySuperadmin', isAuthenticated(['superadmin']) (req, res) => {
res.send({user: req.user})
});
// This route is for all authenticated users
router.get('/forOnlyAllAuthUsers', isAuthenticated(['user', 'admin', 'superadmin']) (req, res) => {
res.send({user: req.user})
});
You can customize isAuthenticated function as you want
Upvotes: 1
Related Questions
- What is the best way to implement roles and permission in Express REST Api
- Mongoose User, Roles & Permissions
- How can I implement user role permissions using node js, express and mongodb?
- how to implement role based authentification with nodejs?
- How to create user group security for REST API using middleware
- Express routes and middleware
- What is the right way to determine user roles and grant API access in Node.js Web-Server?
- Roles and locking down endpoints in node
- Express.js/Mongoose user roles and permissions
- How to manage permissions on RESTful APIs