Securing your node.js Express application with OneGraph JWTs ·

You can try this example in CodeSandbox or fork the GitHub repository

We can integrate OneGraph's JWTs in our express app with a single function thanks to the excellent express-jwt middleware available:

yarn add express-jwt express-jwt-permissions jwks-rsa

const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

const ONEGRAPH_APP_ID = process.env.ONEGRAPH_APP_ID;

const jwtMiddleware = (options) => {
  const {credentialsRequired, appId} = options;

  const secret =
    options.secret ||
    // By default, use the zero-config JWKs to verify
    jwksRsa.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 1,
      jwksUri: `https://serve.onegraph.com/app/${appId}/.well-known/jwks.json`,
    });

  return jwt({
    secret: secret,
    issuer: 'OneGraph',
    audience: `https://serve.onegraph.com/dashboard/app/${appId}`,
    userProperty: 'jwt',
    credentialsRequired: credentialsRequired,
  });
};

Now we make use of our middleware:

app.use(
  jwtMiddleware({
    appId: ONEGRAPH_APP_ID,
    credentialsRequired: false,
  }),
);

And guard any routes we want to protect:

const guard = require('express-jwt-permissions')({requestProperty: 'jwt'});
// Note that express-jwt-permissions expects a jwt with the minimum structure:
// {permissions: []}
// See https://github.com/MichielDeMey/express-jwt-permissions#error-handling for customization options
app.get('/restricted', guard.check(['admin']), function (req, res) {
  const reqJson = JSON.stringify(req.jwt, null, 2);
  res.write(reqJson); //write a response to the client
  res.end(); //end the response
});

Note that for any unguarded route, req.jwt may be null (in other words, users may be unauthenticated):

app.get('/', function (req, res) {
  // Since this route is unguarded, `req.jwt` may be null
  const jwt = req.jwt || {};

  const reqJson = JSON.stringify(jwt, null, 2);
  res.write(reqJson); //write a response to the client
  res.end(); //end the response
});

AuthGuardian support

AuthGuardian has excellent support for express-jwt-permissions. For any rule, simply Add to list at path (with path set to permissions).

Consider this scenario:

I want to restrict access to a route in my express server so that only members of my GitHub organization can access them.

We can configured AuthGuardian with th following rule: AuthGuardian rules for node.js express

And simply add a guard check for the admin permission on our restricted route:

app.get('/restricted', guard.check(['admin']), function (req, res) {
  // Only users who are logged in *and* members of the 'OneGraph' GitHub
  // organization can access this route
});

Check out the GitHub repository for the full code