
Node.js: pass the role as a string to the JWT verification function


The JWT verification middleware accepts req, res and next as its parameters. I need to pass an additional string, 'Admin', so that only admin users may access this API.

My jwtVerification.js code:

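/**
 * Express middleware that authenticates a request with a Bearer JWT.
 *
 * Reads the Authorization header, verifies the token with
 * process.env.JWT_PRIVATE_KEY and loads the user whose id matches the
 * token's `id` claim. Responds 401 when the header is missing, does not
 * use the Bearer scheme, the token fails verification, carries no `id`,
 * or no user matches. Performs no role check — this function takes no
 * role argument (see the question for the intended extension).
 *
 * @param {object} req - Express request; only `req.header` is used.
 * @param {object} res - Express response; used for the 401 replies.
 * @param {Function} next - Called once the user is authenticated.
 */
module.exports = async function (req, res, next) {
    try {
        const header = req.header("Authorization");

        // Require the Bearer scheme explicitly. Blindly dropping the first
        // seven characters (the previous `substring(7, ...)`) would accept
        // any 7-character prefix, not only "Bearer ".
        if (!header || !header.startsWith('Bearer ')) {
            return res.status(401).send('Invalid access token.');
        }

        const rawToken = header.slice('Bearer '.length).trim();
        if (!rawToken) return res.status(401).send('Invalid access token.');

        // NOTE(review): consider pinning the expected algorithm with the
        // `algorithms` option so tokens signed with another algorithm are
        // rejected; the algorithm in use is not visible here.
        const decoded = jwt.verify(rawToken, process.env.JWT_PRIVATE_KEY);

        // Reject tokens without an id claim. Prisma treats an `undefined`
        // filter value as "no filter", so looking up `{ id: undefined }`
        // could match an arbitrary user instead of none — verify this
        // against the Prisma version in use.
        if (decoded == null || decoded.id == null) {
            return res.status(401).send('Invalid access token.');
        }

        const user = await prisma.user.findFirst({ where: { id: decoded.id } });

        if (!user) return res.status(401).send('Invalid access token.');

        next();
    } catch (error) {
        // Signature, expiry and malformed-token errors land here (database
        // errors too, as in the original). Reply with a generic message:
        // error.message would tell the caller exactly why verification failed.
        res.status(401).send('Invalid access token.');
    }
};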

Finally, the route itself (I would like to call something like verifyJWT('Admin') here):

// Route guarded by the JWT middleware; any authenticated user reaches the handler.
router.post('/test', verifyJWT, async (_req, res) => {
    res.send('hi');
});

Solution

  • You can use something like this:

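    /**
     * Build an Express middleware that authenticates a Bearer JWT and,
     * when `role` is given, additionally requires the user to have it.
     *
     * The middleware responds 401 when the Authorization header is missing
     * or not a Bearer token, the token fails verification, it carries no
     * `id` claim, or no user matches that id; it responds 403 when `role`
     * is set and the stored user's role differs.
     *
     * @param {string} [role] - Required role, e.g. 'Admin'. When omitted
     *   or empty, any authenticated user passes.
     * @returns {(req: object, res: object, next: Function) => Promise<void>}
     *   Express middleware.
     */
    module.exports = function (role) {
        // The original answer mixed `function (...) => {` — a syntax error;
        // a plain function expression returning the middleware is intended.
        return async function (req, res, next) {
            try {
                const header = req.header("Authorization");

                // Require the Bearer scheme explicitly instead of dropping
                // the first seven characters unconditionally.
                if (!header || !header.startsWith('Bearer ')) {
                    return res.status(401).send('Invalid access token.');
                }

                const rawToken = header.slice('Bearer '.length).trim();
                if (!rawToken) return res.status(401).send('Invalid access token.');

                // NOTE(review): consider pinning the expected algorithm with
                // the `algorithms` option; the algorithm in use is not visible here.
                const decoded = jwt.verify(rawToken, process.env.JWT_PRIVATE_KEY);

                // Reject tokens without an id claim: Prisma treats an
                // `undefined` filter value as "no filter", so `{ id: undefined }`
                // could match an arbitrary user — verify against the Prisma
                // version in use.
                if (decoded == null || decoded.id == null) {
                    return res.status(401).send('Invalid access token.');
                }

                const user = await prisma.user.findFirst({ where: { id: decoded.id } });

                if (!user) return res.status(401).send('Invalid access token.');

                // The database record is the authority on the role. A role
                // claim inside the token may be stale if the role changed
                // after the token was issued, so it is not consulted.
                if (role && user.role !== role) {
                    return res.status(403).send('Forbidden!');
                }

                next();
            } catch (error) {
                // Generic reply: error.message would reveal why verification failed.
                res.status(401).send('Invalid access token.');
            }
        };
    };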
    

    Then register the middleware on the route like this:

    // The factory is called with the required role; the returned middleware guards the route.
    router.post('/test', verifyJWT(someParam), async (_req, res) => {
        res.send('hi');
    });