Find Similar Packages for express-jwt-authz
Search packages..
1 Year
express-jwt-authzSimilar Packages:
Package Weekly Downloads Trend
Stat Detail
Package
Downloads
Stars
Size
Issues
Publish
License
express-jwt-authz33,073977.75 kB2-MIT
Similar Npm Packages to express-jwt-authz

express-jwt-authz is a middleware for Express.js that simplifies the process of authorizing requests based on JSON Web Tokens (JWT). It allows developers to enforce access control by checking user permissions against the claims present in the JWT. This package is particularly useful for building secure APIs where user roles and permissions are essential for determining access to various resources.

While express-jwt-authz provides a robust solution for JWT-based authorization, there are several alternatives that can also be used for managing authentication and authorization in Express applications. Here are a few notable options:

  • express-jwt is a middleware that helps protect routes by validating JWTs. It ensures that incoming requests contain a valid token and can automatically handle token expiration. While express-jwt focuses on authentication, it does not handle authorization directly, making it a good companion to express-jwt-authz for complete security solutions.
  • express-jwt-permissions is an extension of express-jwt that provides a more granular approach to permissions management. It allows developers to define specific permissions for different routes and resources, making it easier to implement role-based access control (RBAC) in applications. This package can be used alongside express-jwt to create a comprehensive authentication and authorization strategy.
  • jsonwebtoken is a library for creating and verifying JSON Web Tokens. While it does not provide middleware for Express directly, it is often used in conjunction with other packages like express-jwt to handle token creation and verification. Developers can use jsonwebtoken to generate tokens that include user claims and roles, which can then be validated by express-jwt or express-jwt-authz.
  • passport-jwt is a Passport.js strategy for authenticating with JWTs. It integrates seamlessly with the Passport authentication middleware, allowing developers to use JWTs alongside other authentication strategies. This package is particularly useful for applications that require a flexible authentication system with multiple strategies, as it can be combined with other Passport strategies for comprehensive user authentication.

To see how these packages compare, check out the comparison: Comparing express-jwt vs express-jwt-authz vs express-jwt-permissions vs jsonwebtoken vs passport-jwt.

README for express-jwt-authz

express-jwt-authz

Validate a JWTs scope to authorize access to an endpoint.

Install

$ npm install express-jwt-authz

express@^4.0.0 is a peer dependency. Make sure it is installed in your project.

Usage

Use together with express-jwt to both validate a JWT and make sure it has the correct permissions to call an endpoint.

var jwt = require('express-jwt');
var jwtAuthz = require('express-jwt-authz');

var options = {};
app.get('/users',
  jwt({ secret: 'shared_secret' }),
  jwtAuthz([ 'read:users' ], options),
  function(req, res) { ... });

If multiple scopes are provided, the user must have at least one of the specified scopes.

app.post('/users',
  jwt({ secret: 'shared_secret' }),
  jwtAuthz([ 'read:users', 'write:users' ], {}),
  function(req, res) { ... });

// This user will be granted access
var authorizedUser = {
  scope: 'read:users'
};

To check that the user has all the scopes provided, use the checkAllScopes: true option:

app.post('/users',
  jwt({ secret: 'shared_secret' }),
  jwtAuthz([ 'read:users', 'write:users' ], { checkAllScopes: true }),
  function(req, res) { ... });

// This user will have access
var authorizedUser = {
  scope: 'read:users write:users'
};

// This user will NOT have access
var unauthorizedUser = {
  scope: 'read:users'
};

The JWT must have a scope claim and it must either be a string of space-separated permissions or an array of strings. For example:

// String:
"write:users read:users"

// Array:
["write:users", "read:users"]

Options

  • failWithError: When set to true, will forward errors to next instead of ending the response directly. Defaults to false.
  • checkAllScopes: When set to true, all the expected scopes will be checked against the user's scopes. Defaults to false.
  • customUserKey: The property name to check for the scope key. By default, permissions are checked against req.user, but you can change it to be req.myCustomUserKey with this option. Defaults to user.
  • customScopeKey: The property name to check for the actual scope. By default, permissions are checked against user.scope, but you can change it to be user.myCustomScopeKey with this option. Defaults to scope.

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc or npmjs.com, the official website for the npm registry. Please note that npm is a registered trademark of npm, Inc. For more details, please refer to our Terms & Privacy.