I'm using express-jwt to restrict access to my API routes.
app.use(expressJWT(
    { secret: process.env.JWT_PASSPHRASE })
    .unless({
        path: [
            '/login',
            '/users',
            { url: '/', methods: ['POST'] }]
    })
)
Now the /login route is accessible without a token, as expected.
Now I would like to allow the /users route too, but with the POST method only.
I've tried this according to the documentation, but I'm pretty sure I'm doing it wrong because all request methods targeting /users are open.
Second option that I've tested:
app.use(expressJWT(
    { secret: process.env.JWT_PASSPHRASE })
    .unless({
        path: [
            '/login',
            '/users',
            { url: '/users', methods: ['POST'] }]
    })
)
OK, after some research I've made a custom callback as follows:
app.use(expressJWT(
    { secret: process.env.JWT_PASSPHRASE })
    .unless(req => {
        return (
            req.originalUrl === '/login' ||
            (req.originalUrl === '/users' && req.method === 'POST')
        )
    })
)