mikenicholson / passport-jwt

Passport authentication using JSON Web Tokens
MIT License

Multi-Level Auth #136

Closed gabrielghost closed 5 years ago

gabrielghost commented 6 years ago

I'm performing multi-level auth in my controllers at the moment, but hoping there is a neater way.

The type of user is contained in the JWT token. That gets decoded and auth will be approved or rejected accordingly.

const requireAuth = passport.authenticate('jwt', { session: false })
app.post('/newcase', requireAuth, Case.newCase)

See above - I'd like to have only a certain level of user access /newcase.

Possible?

mikenicholson commented 6 years ago

When you say multi-level, do you mean users with different roles? I.e. an admin user vs a read-only user vs some other use level that might have read-write access to specific aspects of the application but not everything?

gabrielghost commented 6 years ago

Yes. What I have done since writing this is:

It works fine just wondering if there is a way of doing it inline with passport/jwt.

thanks :-)

mikenicholson commented 6 years ago

This is the difference between authentication and authorization. Authentication means validating that a client is who they claim to be. Authorization means validating that they have the appropriate access level to do something.

To my knowledge, passport does not provide any mechanism for authorization. Other packages exist to help with handling this but you can implement your own solutions as it sounds you have done or you can use something like node acl (https://github.com/OptimalBits/node_acl). Note that I am not endorsing this package and have never used it personally.
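The usual way to get the "only a certain level of user may access /newcase" behaviour is to keep `passport.authenticate('jwt', ...)` as the authentication step and chain a second, ordinary Express middleware after it that checks the role claim the JWT verify callback placed on `req.user`. The following is an added example, not code from passport-jwt or from either commenter; the role names, the `role` claim, and the `runMiddleware` stand-in for Express' `res`/`next` are assumptions made so the block runs without a server.

```javascript
// Added example (not from the passport-jwt project): a role-check middleware
// that runs after passport-jwt has authenticated the request.
// Assumptions: the JWT verify callback set req.user to an object carrying a
// `role` claim, and the route uses Express-style (req, res, next) middleware.

// Assumed role hierarchy; higher rank implies the permissions of lower ranks.
const ROLE_RANK = { readonly: 0, editor: 1, admin: 2 };

// Build a middleware that lets the request through only if req.user.role is
// at least `minRole`. 401 = no authenticated user on the request (either the
// JWT step failed or the middleware order is wrong); 403 = authenticated but
// not authorized. Unknown roles are denied rather than treated as rank 0.
function requireRole(minRole) {
  if (!(minRole in ROLE_RANK)) {
    throw new Error(`unknown role: ${minRole}`);
  }
  return function roleCheck(req, res, next) {
    const user = req.user;
    if (!user || typeof user.role !== 'string') {
      return res.status(401).json({ error: 'not authenticated' });
    }
    if (!(user.role in ROLE_RANK) || ROLE_RANK[user.role] < ROLE_RANK[minRole]) {
      return res.status(403).json({ error: 'insufficient role' });
    }
    return next();
  };
}

// Minimal stand-ins for Express' res and next so the middleware can be
// exercised offline. Returns { status, body, calledNext }.
function runMiddleware(middleware, req) {
  const result = { status: 200, body: null, calledNext: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  middleware(req, res, () => { result.calledNext = true; });
  return result;
}

// With a real app the wiring would be:
//   const requireAuth = passport.authenticate('jwt', { session: false });
//   app.post('/newcase', requireAuth, requireRole('editor'), Case.newCase);
// Here the four interesting cases are driven with constructed request objects.
function demo() {
  const needEditor = requireRole('editor');
  return {
    admin: runMiddleware(needEditor, { user: { sub: 'u1', role: 'admin' } }),
    readonly: runMiddleware(needEditor, { user: { sub: 'u2', role: 'readonly' } }),
    anonymous: runMiddleware(needEditor, {}),
    unknownRole: runMiddleware(needEditor, { user: { sub: 'u3', role: 'superuser' } }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Keeping the two checks as separate middlewares preserves the distinction drawn above: passport-jwt only decides whether the token is valid and who it belongs to, while `requireRole` decides what that identity may do, and a misordered stack (role check before the JWT step) fails closed with a 401 instead of silently allowing the request.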

mikenicholson commented 6 years ago

Does this answer the question? I'm open to suggestions, feature requests, or PR's but I don't think passport or passport-jwt in particular are going to handle the entirety of the problem you're solving, just the authentication piece.

gabrielghost commented 6 years ago

Ace yes thanks a lot.