Reputation: 39
Best way to manage user permissions in a REST API using JWT (Node.js + mongoose)
I'm new with mongoose and mongoDB and I want to know which is the best way to avoid users from modifying other users information once they are logged in.
I implemented the auth system with JWT, thus the routes are protected but any user can edit/delete information from other users.
Please tell me if you need more details. Thanks in advance.
Upvotes: 1
Views: 442
Answers (1)
Reputation: 9283
The authorization server that issues the JWT token can put the user entitlements / authorizatìons / permissions in the "aud" claim of the JWT. Your APIs can then access the "aud" claim to find out the user accesses and based on that send out appropriate responses. Based on the API response, the UI can enable or disable, hide or unhide appropriate UI components.
Refer to the details of "aud" claim of JWT in RFC 7519.
Upvotes: 1
Related Questions
- what is best practice to store user permissions in JWT token?
- What are best practices for authorizing and sharing API resources across accounts?
- Opinion on a particular strategy for JWT authorization?
- Best practice to check user permission in RESTful API
- How to do rights management in REST based applications?
- Securing Node.js RESTful APIs
- How to deal with roles on a MVC nodejs service (jsonwebtoken,mongoose)
- Implementation of user permissions
- Role based jwt authorization
- What is the right way to determine user roles and grant API access in Node.js Web-Server?