Problem: A system has several kinds of users, each allowed to perform only specific actions.
Solution: There are several user-role management packages on npm, but I want something easier and quicker, so I started solving it myself.
Example: A blog with three kinds of users: regular users (U), authors (A) and admins (M).
- Create users with a field user_type that holds the role code.
```javascript
Users.create({
  name: 'User',
  user_type: 'U'
})
Users.create({
  name: 'Author',
  user_type: 'A'
})
Users.create({
  name: 'Admin',
  user_type: 'M'
})
```
- Assuming logins are managed with a JWT, sign the token with user_type included, and add a middleware that decodes the token and saves the user data to req.user.
```javascript
const jwt = require('jsonwebtoken');
// Middleware: verify the token and copy the signed claims to req.user.
// jwt.verify throws on a bad signature or expiry, so req.user stays unset.
const decodeUser = (req, res, next) => {
  const token = (req.headers.authorization || '').replace(/^Bearer /, ''); // header name assumed
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = { name: decoded.name, user_type: decoded.user_type };
  } catch (err) { /* missing or invalid token: req.user stays undefined */ }
  next();
};
```
- Write another middleware that checks the user's role.
```javascript
const authenticateRole = (roleArray) => (req, res, next) => {
  if (!req.user) {
    return res.status(401).json({
      success: false,
      message: 'Session expired',
      code: 'SESSION_EXPIRED'
    });
  }
  // Authorized if the user's type is one of the roles this API allows.
  // (A forEach that assigns the flag on every iteration would only ever
  // reflect the last role in the array; includes() checks all of them.)
  const authorized = roleArray.includes(req.user.user_type);
  if (authorized) {
    return next();
  }
  return res.status(401).json({
    success: false,
    message: 'Unauthorized'
  });
};
```
- Finally, use the authenticateRole middleware on the API routes. The JWT-decoding middleware must run before it so that req.user is set.
```javascript
// This is accessed only by the admin user
route.get('/users', authenticateRole(['M']), handler)
// This is accessed by anyone who is logged in
route.get('/posts', authenticateRole(['M', 'U', 'A']), handler)
```
I am trying to enhance this idea as my needs grow.