Open viztastic opened 9 years ago
I'm fighting this myself and debating what direction I want to take my project. I'm about 1/2 ACL and 1/2 middleware - but have to support JWT. I've tried working a passport.authenticate call into my main 'isAllowed' call, but with no luck ...
Did you figure anything out?
Hi, I'm just beginning to use node_acl and facing the same requirement.
I guess the right way to go would be to implement a JWT backend to get the info from the token, to be used instead of one of the existing backends (redis, mongo, memory). The main difference would be that we won't be able to modify the user permissions without issuing a new token (as they would be immutably set and signed in the JWT payload by the authentication provider at creation time). It's not a big problem: it's just the same kind of issue that forces you to log out and log back in to a Linux session when you change your user groups. And with some token renewal mechanism it can be fully transparent to the user.
I'll try to share anything I can come up with on that topic.
/Yoann
Did any of you end up solving this? Did you do it with node_acl or another library?
Hi there. Short answer: no. I ended up going back to Java/Springboot for that project, and I've had no time to play with nodejs since then... Good luck with it!
I am using meanjs.org in some of my projects and have implemented JWT on top of it.
After passport authenticates using JWT, the user is set in req.user.
You can then use acl.middleware() to get the user info from req.user and check for your permissions.
@vigneshnrfs That will not work very well with stateless APIs, which is exactly what JWTs are good for.
For instance express-jwt.
Currently I've rewritten the middleware myself to read roles from JWTs; it treats sub as the userId and role as a role claim from the JWT.
Hi there,
I notice that the user details are taken out of the session store. Is there a recommended way to handle this for the case where I intend to use a stateless authentication technology (such as JWT)?
A solution that comes to mind is to simply have my JWT authentication middleware populate the session.id object before passing it on to ACL?
Thanks!