Comments (3)
adamjmcgrath
commented on July 20, 2024
1
Hi @aMahanna, thanks for raising this.
Your example is nearly right, you just need to execute the middleware with the request context jwtAuthz((...])(req, res, next).
However, I don't think this is a good idea, mainly from a security point of view. For example if multiple scopes are provided, the user only needs one of the specified scopes to access to route. If I had scope a and not b - I might be able to trick your route handler into giving me access to a by providing both a and b eg. /a%20b. I know in your current configuration this wouldn't be possible, but you can imagine some fairly innocent changes to the SDK or your code that might trigger a vulnerability.
It's always better to rely on server configuration rather than user input to configure security features on your server.
There's also usually a performance penalty to initialising a new instance of middleware on every request, since lots of middleware will likely cache work in memory to use across requests.
If you want to shorten your code you could maybe try something like:
for (const route of ['a', 'b', 'c']):
app.get('/' + route,
jwtAuthz(['read:' + route]),
...
);from express-jwt-authz.
aMahanna
commented on July 20, 2024
1
@adamjmcgrath thank you! and no worries on the delay
from express-jwt-authz.
adamjmcgrath
commented on July 20, 2024
(also apologies for the long delay in replying)
from express-jwt-authz.
Related Issues (18)
- Possible security vulnerability when multiple values passed in expectedScopes HOT 5
- req.user.scope can be an array HOT 2
- res.send args are deprecated HOT 2
- Option to bubble error instead of returning the response directly HOT 12
- WWW-Authenticate Response Header Field Missing HOT 1
- the req.user key is hardcoded HOT 2
- No types for express-jwt-authz HOT 1
- Misleading/incorrect documentation HOT 2
- Add Typescript Support HOT 5
- Error handling in express routes HOT 1
- Need to push to NPMJS
- Version on NPM doesn't match Github repo contents
- added typescript support added into repo but not published on npm
- 403 or 401? HOT 1
- Customizable error messages HOT 2
- Make Typescript Play Nicely with JWT-Authz HOT 4
- Insufficient scope error caused by undefined field in jwtAuthz HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from express-jwt-authz.