User Role Management in NodeJS, Express, MongoDB #role access #api access
Problem: a system has several kinds of users, and each kind is allowed to perform only specific actions.
Solution: there are several user role management packages on npm, but I wanted something easier and quicker, so I started solving it myself.
Example: a blog with users (U), authors (A) and an admin (M).
- Create users with a field `user_type` that holds the role code.

```js
Users.create({
  name: 'User',
  user_type: 'U'
})
Users.create({
  name: 'Author',
  user_type: 'A'
})
Users.create({
  name: 'Admin',
  user_type: 'M'
})
```
- Assuming logins are managed with a JWT, sign the token with `user_type` included in its payload, and add a middleware that verifies the token and saves the user data to `req.user`. Because the role comes from the signed payload, a client cannot change it without invalidating the signature.

```js
// jwt is the jsonwebtoken package; the signing secret comes from the environment
const decoded = await jwt.verify(token, process.env.JWT_SECRET);
req.user = {
  name: decoded.name,
  user_type: decoded.user_type
};
```
- Write another middleware that checks the role. It takes the array of roles allowed for a route and passes the request on only if the logged-in user's `user_type` is one of them.

```js
const authenticateRole = (roleArray) => (req, res, next) => {
  if (!req.user) {
    return res.status(401).json({
      success: false,
      message: 'Session expired',
      code: 'SESSION_EXPIRED'
    });
  }
  // authorized if the user's role is one of the roles required to access this API
  const authorized = roleArray.includes(req.user.user_type);
  if (authorized) {
    return next();
  }
  return res.status(401).json({
    success: false,
    message: 'Unauthorized',
  });
}
```
- Finally, use the `authenticateRole` middleware on the API routes:

```js
// accessible only to the admin user
route.get('/users', authenticateRole(['M']), handler)
// accessible to anyone who is logged in
route.get('/posts', authenticateRole(['M', 'U', 'A']), handler)
```
This is my first blog post; I will improve my writing, and I am also trying to enhance this idea as my needs evolve.