In this blog, we will explain how to implement role-based API authorization in Node.js. We will use the Express framework at the backend to build a role-restricted REST API. The flow is simple: every REST API endpoint is protected by authentication and authorization. Authentication verifies the caller's credentials (username and password against the User model at login, after which the client presents a JWT on every request), and authorization checks that one of the caller's roles is permitted to call the specific endpoint. The relation between the User, Role and Permission models is therefore: a user holds one or more roles, and each role carries the permissions for a set of endpoints.
This lets us restrict certain endpoints to specific roles and serve several kinds of users from one application, while keeping access to endpoints and resources predictable.
First, we should maintain a proper folder structure for Controllers, Services, Models, Repository and Middlewares in the Node.js project.
Suppose the application has two types of users, User and Admin. We declare the two roles as an enum. A string enum gives each role a fixed key whose value is the exact string stored in the database and in the JWT, so a misspelled role name fails at compile time instead of silently denying access.
```typescript
import { model, Schema } from 'mongoose';

// Roles as a string enum: the enum value doubles as the string stored in MongoDB and in the JWT.
export enum Roles {
  USER = 'USER',
  ADMIN = 'ADMIN',
}

const userSchema: Schema = new Schema(
  {
    firstName: { type: String, required: false },
    lastName: { type: String, required: false },
    email: { type: String, required: false },
    avatar: { type: String, required: false },
    provider: { type: String, required: false },
    providerId: { type: String, required: false },
    // A user may hold several roles; every entry must be one of the enum values.
    // The default is an array, since the field itself is an array.
    roles: { type: [String], enum: Object.values(Roles), default: [Roles.USER] },
  },
  { collection: 'users', timestamps: true },
);

const User = model('User', userSchema);
export default User;
```
When the client hits an API endpoint and the request is routed to the controller of our Express application, we attach a middleware that authenticates the user and authorizes their role. In the snippet below you can see how the list of permitted roles is passed as an argument to the authorization middleware.
```typescript
import express from 'express';
import { Roles } from '../DB/Schemas/User';
import userService from './user.service';
import { authorize } from './middlewares/authorize';

const router = express.Router();

// routes
router.post('/authenticate', authenticate);              // public route
router.get('/users', authorize([Roles.ADMIN]), getAll);  // only admins can list all users
router.get('/users/:id', authorize(), getById);          // any authenticated user; same as authorize([Roles.USER, Roles.ADMIN])

export default router;

function authenticate(req, res, next) {
  userService.authenticate(req.body)
    .then(user => user ? res.json(user) : res.status(400).json({ message: 'Username or password is incorrect' }))
    .catch(err => next(err));
}

function getAll(req, res, next) {
  userService.getAll()
    .then(users => res.json(users))
    .catch(err => next(err));
}

function getById(req, res, next) {
  const currentUser = req.user;
  const id = req.params.id; // MongoDB ids are strings, so no parseInt()
  // Authorization by role is not enough here: without an ownership check, any
  // authenticated user could read every other account just by changing the id.
  // Assumes the token's `sub` claim is the user's id and req.user.roles is the roles array.
  if (id !== currentUser.sub && !currentUser.roles.includes(Roles.ADMIN)) {
    return res.status(403).json({ message: 'Forbidden' });
  }
  userService.getById(id)
    .then(user => user ? res.json(user) : res.sendStatus(404))
    .catch(err => next(err));
}
```
This is the central part of this blog. The authorize middleware factory accepts one argument: the array of roles we passed from the controller route.
Inside, we take that array and verify the JWT that the front end sends in the Authorization header as a Bearer token. It is the signature check, not merely decoding the token, that lets us trust the roles carried in the payload; a decoded but unverified token can claim any role it likes. Once the token is verified we have the user object and its roles.
We use the express-jwt module, which reads the token from the Authorization header, verifies it against the secret with the pinned algorithm, and attaches the decoded payload to the request object as req.user. (This is the express-jwt 6.x API used throughout this post. From version 7 the import is the named export expressjwt and the payload is placed on req.auth by default.)
```typescript
jwt({ secret, algorithms: ['HS256'] })
```
After this line runs, the next callback in the chain receives the request with req.user populated, provided the token was valid; a missing or invalid token never reaches our callback, because express-jwt hands an UnauthorizedError to Express's error handler instead. In our User model the user's roles are an array, and that same array must be included in the JWT payload when the token is issued at login, otherwise there is nothing for the middleware to compare against.
So the request object that reaches our callback looks like this:
```typescript
req = {
  body: { ... },
  user: { ...rest, roles: ['ADMIN'] },
};
```
```typescript
import jwt from 'express-jwt';
import { Roles } from '../DB/Schemas/User';

export function authorize(roles: Roles | Roles[] = []) {
  // roles can be a single role (e.g. Roles.USER) or an array (e.g. [Roles.ADMIN, Roles.USER]);
  // an empty array means "any authenticated user"
  if (typeof roles === 'string') {
    roles = [roles];
  }
  // fail at startup rather than silently verifying against an undefined secret
  const secret = process.env.secret;
  if (!secret) {
    throw new Error('JWT secret is not configured');
  }
  return [
    // verify the JWT and attach its payload to req.user (express-jwt <= 6)
    jwt({ secret, algorithms: ['HS256'] }),
    // authorize based on the user's roles (an array, matching the User model)
    (req, res, next) => {
      const userRoles: string[] = req.user?.roles ?? [];
      if (roles.length && !roles.some(r => userRoles.includes(r))) {
        // authenticated but not permitted: 403 Forbidden, not 401
        return res.status(403).json({ message: 'Forbidden' });
      }
      // authentication and authorization successful
      next();
    },
  ];
}
```
Next, we compare the roles on req.user with the roles passed as the function argument. If at least one of the user's roles is in the permitted list, we call next so the next handler in the route stack runs. If none matches, we respond with 403 Forbidden and a message such as "This resource is not available for the current user". Note that 401 Unauthorized is the status for a missing or invalid token; once the token has been verified and the user is merely not permitted, 403 is the correct status.
In this way we can protect our routes, manage multiple user roles in the application, and control access to each API endpoint per role.
In this article we learned how to implement role-based API authorization in Node.js using Express, express-jwt and authentication middleware, and how to restrict API endpoints in Express applications based on user roles so that the APIs stay secure.