auth0 / express-jwt-authz
Validate the JWT scope to authorize access to an endpoint
License: MIT License
As per RFC6759, the 401/403 response MUST include the WWW-Authenticate response header. Currently, this header is missing from the response.
The documentation contains the following:
If multiple scopes are provided, the user must have any of the required scopes.
app.post('/users',
  jwt({ secret: 'shared_secret' }),
  jwtAuthz([ 'read:users', 'write:users' ], {}),
  function(req, res) { ... });
// This user will be denied access
var authorizedUser = {
  scope: 'read:users'
};
I believe the inline comment is incorrect and should be changed to:
// This user will be granted access
Am I understanding how this module is intended to behave? Is this indeed an error in the documentation?
I couldn't find any types for this module, i.e., npm install @types/express-jwt-authz.
This declaration code (index.d.ts) works either side-by-side with lib/index.js in the node_modules/express-jwt-authz folder (v2.3.1), or manually placed in node_modules/@types/express-jwt-authz.
index.d.ts:
import { Request, Response, NextFunction } from 'express';

// Augment Express's Request so `req.user` (set by express-jwt) type-checks.
declare global {
  namespace Express {
    interface Request {
      user: any;
    }
  }
}

// Every option is optional; the README calls jwtAuthz(scopes, {}) with none set.
export interface IAuthzOptions {
  failWithError?: boolean;
  checkAllScopes?: boolean;
  customScopeKey?: string;
}

export default function(expectedScopes: string[], options?: IAuthzOptions): (req: Request, res: Response, next: NextFunction) => void;
Does anyone know a clean way to handle TypeScript with this library? I'm not super versed in TypeScript and its nuances. I was wondering how I could cleanly implement a route with this library without having to give my own custom type to the req param.
If I have:
router.get("/", checkJWT, jwtAuthz(...), (req, res) => {
  console.log(req.user); // <--- here is where I normally get an issue, because `user` doesn't exist on the req object.
});
I wouldn't need to clarify that the req object has a type. Again, I'm not sure if this is possible for the library or if it NEEDS to be on my end.
The current workaround I have is to just extend the Express Request interface like so:
import { Request } from 'express';

export interface AuthenticatedRequest extends Request {
  user?: string;
}
Then in my endpoint I would:
router.get(
  "/",
  checkJWT,
  jwtAuthz(...),
  async (req: AuthenticatedRequest, res) => {
  }
);
Again, if there is a way to implement this through the jwt library, that would be great.
Thanks
Added TypeScript support into the repo but not published
Add authz as a middleware and it throws an error:
node_modules/path-to-regexp/index.js:63
    path = ('^' + path + (strict ? '' : path[path.length - 1] === '/' ? '?' : '/?'))
                                                                       ^
TypeError: Cannot read property 'length' of undefined
release new version that supports typescript
express-jwt-authz/lib/index.js, line 14 in 78a1ed6
If multiple scopes are defined, [email protected] returns a string array and not a space-delimited string.
express-jwt allows us to customize the key for requestProperty. It would be nice to have the same functionality here.
Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.
Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.
By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.
The field selection from the jwtAuthz function appears to be incorrect. I was running into the exact same issue as reported here, except specifying a customScopeKey did not solve the problem. Looking at the output of the request and the function itself, there is no field on the JWT token called user, but that is what the function is requesting. Revising the userKey field to auth corrects the behaviour.
The middleware I was using:
app.get('/userbased', checkJwt, jwtAuthz(['read:ssim']), (req, res) => {
  console.log('Request', req['auth']);
  res.send('Role based user authentication is working');
});
The edit I made to the jwtAuthz function:
let userKey = 'auth';
Currently there is only one error message, 'Insufficient scope'. There should be an option for more.
Include an additional AuthzOptions entry like customErrorMessage and use that if the option is set.
No work-around right now.
This could be useful for external APIs to provide a meaningful error message.
Package on NPM is v2.3.1 and doesn't include the types.
Package in this repo master is v2.3.0 but does include the types.
Rolling back to v2.3.0 from npm doesn't contain types but is different package contents.
🤔 what the heck is going on here?
Compare the published npm package with the code here on Github.
The documentation on the website reads:
The checkJwt middleware shown above checks if the user's Access Token included in the request is valid. If the token is not valid, the user gets a 401 Authorization error when they try to access the endpoints.
But the code is sending a 403.
Edit: 403 is correct. The docs are wrong.
Which one is the correct thing to send? I would think 401 with a WWW-Authenticate header.
Curious why here:
https://github.com/auth0/express-jwt-authz/blob/master/lib/index.js#L15
and here:
https://github.com/auth0/express-jwt-authz/blob/master/lib/index.js#L20
you are not bubbling the error through next(...) and allowing Express to deal with the error.
The documentation on NPMJS still shows the old wrong doc for behavior when multiple scopes are provided.
https://www.npmjs.com/package/express-jwt-authz
This was fixed in 39d1c1e; it just needs to be pushed to NPMJS.
Currently, there is no .d.ts file for this module, meaning it does not play well with typescript projects.
Add a .d.ts file to this module or create a @types/express-jwt-authz module to allow typescript projects to intelligently use this module
Currently, I am requiring the library as a plain JS module
Hi! I want to first thank the developers for making express-jwt-authz and express-jwt.
I am trying to use jwtAuthz within a route handler function, like so:
var jwt = require('express-jwt');
var jwtAuthz = require('express-jwt-authz');
var options = {};

app.get('/users',
  jwt({ secret: 'shared_secret' }),
  // jwtAuthz([ 'read:users' ], options),
  function(req, res) {
    jwtAuthz([ 'read:users' ], options) // not sure how to make this work here
  }
);
I have the following routes:
app.get('/a',
  jwtAuthz(['read:a']),
  ...
);
app.get('/b',
  jwtAuthz(['read:b']),
  ...
);
app.get('/c',
  jwtAuthz(['read:c']),
  ...
);
I want to try the following:
app.get('/:letter',
  function(req, res) {
    jwtAuthz([ `read:${req.params.letter}` ])
  }
);
Hope this makes sense (I am also not sure if this is considered bad practice or not, as I am fairly new to Auth0).
If an endpoint requires multiple scopes (expectedScopes.length > 1), then it is possible to gain access if the user has only one of the required scopes.
This is because this piece of code only checks if some of the expected scopes match:
var allowed = expectedScopes.some(function(scope){ return scopes.indexOf(scope) !== -1; });
If a user has scopes ['read:something'] and the expected scopes are ['read:something', 'write:something'], the user will be able to access the endpoint.
If the user scopes are not sufficient to access the resource, the error function uses
return res.send(401, 'Insufficient scope');
to complete the Express response.
However, this style is now deprecated; Express reports the following on the console:
express deprecated res.send(status, body): Use res.status(status).send(body) instead at node_modules\express-jwt-authz\lib\index.js:2:14
Suggest replacing the on-error function with:
return res.status(401).send('Insufficient scope');
before this breaks.
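The scope-handling points raised across the issues above (the `some` check that lets one of several required scopes through, scope claims arriving as either a space-delimited string or an array, the `user` versus `auth` request property, the 401-versus-403 question and the missing `WWW-Authenticate` header, the deprecated `res.send(status, body)` form, and building the scope list from a route parameter) brought together in one self-contained middleware. This is an added example, not express-jwt-authz's own code: the factory name `requireScopes`, the `requestProperty` option name, the `requireScopeFromParam` helper and the hand-built `req`/`res` stand-ins are assumptions made here so it runs without express or express-jwt installed. The failure response follows RFC 6750 section 3.1, which makes an insufficient-scope failure on an otherwise valid token a 403 and names the missing scope in the `WWW-Authenticate` challenge.

```javascript
// Added example, not express-jwt-authz's own code: a scope-check middleware
// factory with the behaviours the issues above ask for. No express dependency;
// the req/res stand-ins at the bottom are hand-built so it runs offline.

// Normalise the scope claim: the JWT middleware may hand over either a
// space-delimited string ("read:users write:users") or an array of strings.
function parseScopes(claim) {
  if (Array.isArray(claim)) return claim.map(String);
  if (typeof claim === 'string') return claim.split(' ').filter(Boolean);
  return [];
}

// Factory in the jwtAuthz(expectedScopes, options) shape. The requestProperty
// option name is an assumption made here (express-jwt's own option name).
//   checkAllScopes  - true: token must carry every expected scope;
//                     false (default): any one expected scope is enough.
//   customScopeKey  - claim holding the scopes (default 'scope').
//   requestProperty - where the JWT middleware stored the decoded token on req
//                     ('user' by default; the issue above reports 'auth').
//   failWithError   - true: hand an Error to next() for Express error handlers
//                     instead of ending the response here.
function requireScopes(expectedScopes, options) {
  const opts = Object.assign(
    { checkAllScopes: false, customScopeKey: 'scope', requestProperty: 'user', failWithError: false },
    options || {}
  );
  if (!Array.isArray(expectedScopes) || expectedScopes.length === 0) {
    throw new TypeError('expectedScopes must be a non-empty array');
  }
  return function scopeCheck(req, res, next) {
    const token = req[opts.requestProperty];
    const granted = parseScopes(token && token[opts.customScopeKey]);
    const has = (s) => granted.indexOf(s) !== -1;
    // The reported bug is using `some` unconditionally, so holding one of
    // several required scopes opened the endpoint; `every` when asked for.
    const allowed = opts.checkAllScopes ? expectedScopes.every(has) : expectedScopes.some(has);
    if (allowed) return next();

    // RFC 6750 section 3.1: a valid token lacking scope gets 403, and the
    // WWW-Authenticate challenge names the scope the endpoint needed.
    res.set('WWW-Authenticate',
      'Bearer error="insufficient_scope", scope="' + expectedScopes.join(' ') + '"');
    if (opts.failWithError) {
      const err = new Error('Insufficient scope');
      err.status = 403;
      return next(err);
    }
    return res.status(403).send('Insufficient scope'); // not the deprecated res.send(403, ...)
  };
}

// The '/:letter' question: the factory returns a middleware, so build it per
// request and call the result with (req, res, next) right away.
function requireScopeFromParam(prefix, param, options) {
  return function (req, res, next) {
    return requireScopes([prefix + ':' + req.params[param]], options)(req, res, next);
  };
}

// Minimal stand-ins for Express's req and res (only the members used above).
function fakeReq(decodedToken, params, requestProperty) {
  const req = { params: params || {} };
  req[requestProperty || 'user'] = decodedToken;
  return req;
}
function fakeRes() {
  return {
    statusCode: 200, headers: {}, body: undefined,
    set(name, value) { this.headers[name] = value; return this; },
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
}

// Run a middleware against a decoded token and report what it did.
function evaluate(middleware, decodedToken, params, requestProperty) {
  const req = fakeReq(decodedToken, params, requestProperty);
  const res = fakeRes();
  const result = { outcome: 'ended-response', error: null };
  middleware(req, res, function (err) {
    result.outcome = err ? 'next-error' : 'next';
    result.error = err || null;
  });
  result.status = res.statusCode;
  result.header = res.headers['WWW-Authenticate'];
  result.body = res.body;
  return result;
}

// Constructed sample payloads, not tokens from any real deployment.
const readOnlyToken = { scope: 'read:users' };
const readWriteArrayToken = { scope: ['read:users', 'write:users'] };

if (typeof require !== 'undefined' && require.main === module) {
  const needBoth = ['read:users', 'write:users'];
  console.log(evaluate(requireScopes(needBoth), readOnlyToken).outcome);                                 // next
  console.log(evaluate(requireScopes(needBoth, { checkAllScopes: true }), readOnlyToken).status);         // 403
  console.log(evaluate(requireScopes(needBoth, { checkAllScopes: true }), readWriteArrayToken).outcome);  // next
}
```

With `checkAllScopes` left at its default the read-only token passes a route that lists both scopes, which is the "any of the required scopes" wording the documentation issue above settles on; with it set, the same token is refused with a 403 and a `WWW-Authenticate: Bearer error="insufficient_scope", scope="read:users write:users"` challenge. `requireScopeFromParam` is the answer to the `/:letter` question: calling the factory inside a handler does nothing by itself, because the factory only returns a function, so that returned function has to be invoked with the handler's own `(req, res, next)`.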
I am using 'express-jwt-authz' to validate the scope of a JWT token; I implemented the flow as below. When I call the 'checkScopes' function from my routes it never returns a result; the callback of 'jwtAuthz' is not reporting any success or error condition. How do I check error handling in the 'express-jwt-authz' npm package?
Middleware (validation.js):
const jwt = require('express-jwt');
const jwtAuthz = require('express-jwt-authz');
const jwksRsa = require('jwks-rsa');
const config = require('../config/config');

module.exports.checkScopes = function(options) {
  return function(req, res, next) {
    jwtAuthz(options, {customScopeKey: 'http://user.com/scopes'}, function(error) {
      if (error) {
        console.log('error', error)
      } else {
        console.log('result never called')
        next();
      }
    })
  }
}
Routes (invitation.js):
const express = require('express');
const router = express.Router();
const jwtValidation = require('../middleware/jwtValidation');
router.get('/', jwtValidation.checkScopes([ 'create:users' ]), invitation.getAllInvitation);