Securing your node.js Express application with OneGraph JWTs
You can try this example in CodeSandbox or fork the GitHub repository
We can integrate OneGraph's JWTs in our express app with a single function thanks to the excellent express-jwt middleware available:
```sh
yarn add express-jwt express-jwt-permissions jwks-rsa
```
```js
const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

const ONEGRAPH_APP_ID = process.env.ONEGRAPH_APP_ID;

const jwtMiddleware = (options) => {
  const {credentialsRequired, appId} = options;
  const secret =
    options.secret ||
    // By default, use the zero-config JWKs to verify
    jwksRsa.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 1,
      jwksUri: `https://serve.onegraph.com/app/${appId}/.well-known/jwks.json`,
    });

  return jwt({
    secret: secret,
    // Pin the accepted signing algorithm to the RSA keys served by the JWKS
    // endpoint; express-jwt 6 and later refuse to run without this option.
    algorithms: ['RS256'],
    issuer: 'OneGraph',
    audience: `https://serve.onegraph.com/dashboard/app/${appId}`,
    userProperty: 'jwt',
    credentialsRequired: credentialsRequired,
  });
};
```
Now we make use of our middleware:
```js
app.use(
  jwtMiddleware({
    appId: ONEGRAPH_APP_ID,
    credentialsRequired: false,
  }),
);
```
And guard any routes we want to protect:
```js
const guard = require('express-jwt-permissions')({requestProperty: 'jwt'});

// Note that express-jwt-permissions expects a jwt with the minimum structure:
// {permissions: []}
// See https://github.com/MichielDeMey/express-jwt-permissions#error-handling for customization options
app.get('/restricted', guard.check(['admin']), function (req, res) {
  const reqJson = JSON.stringify(req.jwt, null, 2);
  res.write(reqJson); // write a response to the client
  res.end(); // end the response
});
```
Note that for any unguarded route, req.jwt may be null (in other words, users may be unauthenticated):
```js
app.get('/', function (req, res) {
  // Since this route is unguarded, `req.jwt` may be null
  const jwt = req.jwt || {};
  const reqJson = JSON.stringify(jwt, null, 2);
  res.write(reqJson); // write a response to the client
  res.end(); // end the response
});
```
AuthGuardian support
AuthGuardian has excellent support for express-jwt-permissions. For any rule, simply use "Add to list at path" (with path set to permissions).
Consider this scenario:
I want to restrict access to a route in my express server so that only members of my GitHub organization can access it.
We can configure AuthGuardian with the following rule:
And simply add a guard check for the admin permission on our restricted route:
```js
app.get('/restricted', guard.check(['admin']), function (req, res) {
  // Only users who are logged in *and* members of the 'OneGraph' GitHub
  // organization can access this route
});
```
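The guard on `/restricted` above, the unguarded `/` route, and the AuthGuardian `admin` permission all rely on the same check: does the decoded JWT carry the required entries in its `permissions` list? Here is an added example (not express-jwt-permissions' own code) that writes that check as a dependency-free Express-style middleware and runs it against constructed payloads, including the `req.jwt == null` case of an unauthenticated visitor. `runRoute`, `permissionGuard`, the 401/403 split and the sample payloads are all this example's own choices, not the library's.

```javascript
// Added example, not express-jwt-permissions' own code: the guard semantics
// used in the routes above, as a dependency-free Express-style middleware,
// plus a minimal req/res stand-in so the routes can be exercised offline.

// `required` is either a list of permission names (all must be present) or a
// list of such lists (any one list suffices). The 401/403 split is this
// example's convention for "no JWT at all" vs "JWT without the permission".
function permissionGuard(required, { requestProperty = 'jwt', permissionsProperty = 'permissions' } = {}) {
  const groups = Array.isArray(required[0]) ? required : [required];
  return function guard(req, res, next) {
    const claims = req[requestProperty];
    if (!claims) return res.status(401).end('Unauthorized'); // unauthenticated request
    const granted = claims[permissionsProperty];
    if (!Array.isArray(granted)) return res.status(403).end('Forbidden'); // no permissions claim
    const allowed = groups.some((group) => group.every((p) => granted.includes(p)));
    return allowed ? next() : res.status(403).end('Forbidden');
  };
}

// Minimal stand-in for Express's request/response objects: runs a handler
// chain for one request whose decoded JWT (or null) is already on req.jwt,
// and returns the status and body that would have gone to the client.
function runRoute(handlers, jwt) {
  const req = { jwt };
  const result = { status: 200, body: '' };
  const res = {
    status(code) { result.status = code; return res; },
    write(chunk) { result.body += chunk; return res; },
    end(chunk = '') { result.body += chunk; return res; },
  };
  let i = 0;
  const next = () => { const handler = handlers[i++]; if (handler) handler(req, res, next); };
  next();
  return result;
}

// The two routes from the post: guarded '/restricted' and unguarded '/'.
const guard = permissionGuard(['admin']);
const restrictedRoute = [guard, (req, res) => { res.write(JSON.stringify(req.jwt)); res.end(); }];
const homeRoute = [(req, res) => { res.write(JSON.stringify(req.jwt || {})); res.end(); }];

// Constructed decoded payloads, shaped the way an AuthGuardian
// "Add to list at path" rule with path `permissions` would produce them.
const ADMIN = { sub: 'alice', permissions: ['admin'] };
const MEMBER = { sub: 'bob', permissions: ['member'] };
```

Because the middleware is installed with `credentialsRequired: false`, a request with no token still reaches the route handlers with `req.jwt` unset; the guard is what turns that into a rejection on `/restricted`, while `/` deliberately serves it.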
Check out the GitHub repository for the full code