npmpackage.info

Gathering detailed insights and metrics for express-jwt-authz

Other packages similar to express-jwt-authz

jwt-decode

4.0.0

Decode JWT tokens, mostly useful for browser applications.

express-jwt

8.4.1

JWT authentication middleware.

express-oauth2-jwt-bearer

1.6.0

Authentication middleware for Express.js that validates JWT bearer access tokens.

@okta/jwt-verifier

4.0.1

Easily validate Okta access tokens

Gathering detailed insights and metrics for express-jwt-authz

express-jwt-authz

Validate the JWT scope to authorize access to an endpoint

2.4.1

MIT

JavaScript

8,595,629 4.7

Installations

npm install express-jwt-authz

Pull Requests

Open

0

Total

34

Closed

13

Merged

21

Issues

Open

2

Total

18

Closed

16

Releases

v2.4.1

Published on 21 Jul 2020

v2.4.0

Published on 12 Jun 2020

View all 2 releases

Developer

auth0

Developer Guide

BETA

Module System

CommonJS

Min. Node Version

>=6

Typescript Support

Yes

Node Version

13.10.1

NPM Version

6.13.7 Statistics

97 Stars

61 Commits

37 Forks

78 Watching

4 Branches

19 Contributors

Updated on 15 Aug 2024

Languages

JavaScript (100%)

Total Downloads

Cumulative downloads

Total Downloads

8,595,629

Last day

-14.6%

6,157

Compared to previous day

Last week

2.9%

29,612

Compared to previous week

Last month

2.5%

130,103

Compared to previous month

Last year

-1.5%

2,023,678

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Peer Dependencies

express @types/express

Dev Dependencies

chai husky mocha prettier pretty-quick

Versions

express-jwt-authz

Validate a JWTs scope to authorize access to an endpoint.

Install

$ npm install express-jwt-authz

express@^4.0.0 is a peer dependency. Make sure it is installed in your project.

Usage

Use together with express-jwt to both validate a JWT and make sure it has the correct permissions to call an endpoint.

:note: express-jwt sets the decoded JWT payload on req.auth since version 6.0.0, so make sure to set customUserKey: 'auth' in the options provided to express-jwt-authz if you are using that version or newer.

1var jwt = require('express-jwt');
2var jwtAuthz = require('express-jwt-authz');
3
4var options = { customUserKey: 'auth' };
5app.get('/users',
6  jwt({ secret: 'shared_secret' }),
7  jwtAuthz([ 'read:users' ], options),
8  function(req, res) { ... });

If multiple scopes are provided, the user must have at least one of the specified scopes.

1var options = { customUserKey: 'auth' };
2app.post('/users',
3  jwt({ secret: 'shared_secret' }),
4  jwtAuthz([ 'read:users', 'write:users' ], options),
5  function(req, res) { ... });
6
7// This user will be granted access
8var authorizedUser = {
9  scope: 'read:users'
10};

To check that the user has all the scopes provided, use the checkAllScopes: true option:

1app.post('/users',
2  jwt({ secret: 'shared_secret' }),
3  jwtAuthz([ 'read:users', 'write:users' ], { checkAllScopes: true, customUserKey: 'auth' }),
4  function(req, res) { ... });
5
6// This user will have access
7var authorizedUser = {
8  scope: 'read:users write:users'
9};
10
11// This user will NOT have access
12var unauthorizedUser = {
13  scope: 'read:users'
14};

The JWT must have a scope claim and it must either be a string of space-separated permissions or an array of strings. For example:

// String:
"write:users read:users"

// Array:
["write:users", "read:users"]

Options

failWithError: When set to true, will forward errors to next instead of ending the response directly. Defaults to false.
checkAllScopes: When set to true, all the expected scopes will be checked against the user's scopes. Defaults to false.
customUserKey: The property name to check for the scope key. By default, permissions are checked against req.user, but you can change it to be req.myCustomUserKey with this option. Defaults to user.
customScopeKey: The property name to check for the actual scope. By default, permissions are checked against user.scope, but you can change it to be user.myCustomScopeKey with this option. Defaults to scope.

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.

No vulnerabilities found.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

10

Security-Policy

Determines if the project has published a security policy.

9

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

6

Branch-Protection

Determines if the default and release branches are protected with GitHub's branch protection settings.

2

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

0

Maintained

Determines if the project is "actively maintained".

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Score

4.7

/10

Last Scanned on 2024-11-25

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More