Securing your node.js Express application with OneGraph JWTs ·

You can try this example in CodeSandbox or fork the GitHub repository

We can integrate OneGraph's JWTs in our express app with a single function thanks to the excellent express-jwt middleware available:

yarn add express-jwt express-jwt-permissions jwks-rsa

const jwt = require("express-jwt");
const jwksRsa = require("jwks-rsa");

const ONEGRAPH_APP_ID = process.env.ONEGRAPH_APP_ID;

const jwtMiddleware = options => {
  const { credentialsRequired, appId } = options;

  const secret =
    options.secret ||
    // By default, use the zero-config JWKs to verify
    jwksRsa.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 1,
      jwksUri: `https://serve.onegraph.com/app/${appId}/.well-known/jwks.json`
    });

  return jwt({
    secret: secret,
    issuer: "OneGraph",
    audience: `https://serve.onegraph.com/dashboard/app/${appId}`,
    userProperty: "jwt",
    credentialsRequired: credentialsRequired
  });
};

Now we make use of our middleware:

app.use(
  jwtMiddleware({
    appId: ONEGRAPH_APP_ID,
    credentialsRequired: false
  })
);

And guard any routes we want to protect:

const guard = require("express-jwt-permissions")({ requestProperty: "jwt" });
// Note that express-jwt-permissions expects a jwt with the minimum structure:
// {permissions: []}
// See https://github.com/MichielDeMey/express-jwt-permissions#error-handling for customization options
app.get("/restricted", guard.check(["admin"]), function(req, res) {
  const reqJson = JSON.stringify(req.jwt, null, 2);
  res.write(reqJson); //write a response to the client
  res.end(); //end the response
});

Note that for any unguarded route, req.jwt may be null (in other words, users may be unauthenticated):

app.get("/", function(req, res) {
  // Since this route is unguarded, `req.jwt` may be null
  const jwt = req.jwt || {};

  const reqJson = JSON.stringify(jwt, null, 2);
  res.write(reqJson); //write a response to the client
  res.end(); //end the response
});

AuthGuardian support

AuthGuardian has excellent support for express-jwt-permissions. For any rule, simply Add to list at path (with path set to permissions).

Consider this scenario:

I want to restrict access to a route in my express server so that only members of my GitHub organization can access them.

We can configured AuthGuardian with th following rule: AuthGuardian rules for node.js express

And simply add a guard check for the admin permission on our restricted route:

app.get("/restricted", guard.check(["admin"]), function(req, res) {
   // Only users who are logged in *and* members of the 'OneGraph' GitHub
   // organization can access this route
});

Check out the GitHub repository for the full code