Gathering detailed insights and metrics for express-jwt-authz
Gathering detailed insights and metrics for express-jwt-authz
Gathering detailed insights and metrics for express-jwt-authz
Gathering detailed insights and metrics for express-jwt-authz
npm install express-jwt-authz
47.6
Supply Chain
90
Quality
81.4
Maintenance
100
Vulnerability
100
License
Module System
Min. Node Version
Typescript Support
Node Version
NPM Version
97 Stars
61 Commits
37 Forks
78 Watching
4 Branches
19 Contributors
Updated on 15 Aug 2024
Minified
Minified + Gzipped
JavaScript (100%)
Cumulative downloads
Total Downloads
Last day
-29.9%
4,131
Compared to previous day
Last week
-5.6%
28,986
Compared to previous week
Last month
-6.6%
128,507
Compared to previous month
Last year
-2.5%
2,012,611
Compared to previous year
2
5
Validate a JWTs scope
to authorize access to an endpoint.
$ npm install express-jwt-authz
express@^4.0.0
is a peer dependency. Make sure it is installed in your project.
Use together with express-jwt to both validate a JWT and make sure it has the correct permissions to call an endpoint.
:note: express-jwt
sets the decoded JWT payload on req.auth
since version 6.0.0
, so make sure to set customUserKey: 'auth'
in the options provided to express-jwt-authz
if you are using that version or newer.
1var jwt = require('express-jwt'); 2var jwtAuthz = require('express-jwt-authz'); 3 4var options = { customUserKey: 'auth' }; 5app.get('/users', 6 jwt({ secret: 'shared_secret' }), 7 jwtAuthz([ 'read:users' ], options), 8 function(req, res) { ... });
If multiple scopes are provided, the user must have at least one of the specified scopes.
1var options = { customUserKey: 'auth' }; 2app.post('/users', 3 jwt({ secret: 'shared_secret' }), 4 jwtAuthz([ 'read:users', 'write:users' ], options), 5 function(req, res) { ... }); 6 7// This user will be granted access 8var authorizedUser = { 9 scope: 'read:users' 10};
To check that the user has all the scopes provided, use the checkAllScopes: true
option:
1app.post('/users', 2 jwt({ secret: 'shared_secret' }), 3 jwtAuthz([ 'read:users', 'write:users' ], { checkAllScopes: true, customUserKey: 'auth' }), 4 function(req, res) { ... }); 5 6// This user will have access 7var authorizedUser = { 8 scope: 'read:users write:users' 9}; 10 11// This user will NOT have access 12var unauthorizedUser = { 13 scope: 'read:users' 14};
The JWT must have a scope
claim and it must either be a string of space-separated permissions or an array of strings. For example:
// String:
"write:users read:users"
// Array:
["write:users", "read:users"]
failWithError
: When set to true
, will forward errors to next
instead of ending the response directly. Defaults to false
.checkAllScopes
: When set to true
, all the expected scopes will be checked against the user's scopes. Defaults to false
.customUserKey
: The property name to check for the scope key. By default, permissions are checked against req.user
, but you can change it to be req.myCustomUserKey
with this option. Defaults to user
.customScopeKey
: The property name to check for the actual scope. By default, permissions are checked against user.scope
, but you can change it to be user.myCustomScopeKey
with this option. Defaults to scope
.If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
This project is licensed under the MIT license. See the LICENSE file for more info.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
Reason
security policy file detected
Details
Reason
Found 12/13 approved changesets -- score normalized to 9
Reason
branch protection is not maximal on development and all release branches
Details
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Reason
10 existing vulnerabilities detected
Details
Score
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More