'express-oauth2-jwt-bearer' requiredScopes Express middleware and missing user assigned permissions within the scope

jzbg · November 28, 2023, 6:17pm

I have followed the boilerplate documentations for configuring a Vue SPA and also configuring the associated backend via Express using the provided middleware handlers exposed via the ‘express-oauth2-jwt-bearer’ package.

All of this works great!

However, I did run into one issue which I have found some prior topics that kinda hit upon the subject, but I wanted to re-post to try and get another response.

Long story short:

If you have an Express route that has for example the auth and the requiredScopes middleware handlers configured… I want to verify the incoming JWT but also then make sure the user has specific assigned permissions…

e.g:

import { Request, Response, NextFunction } from 'express'
import { auth, requiredScopes } from 'express-oauth2-jwt-bearer'

router.get(
  '/private-scoped',
  auth,
  requiredScopes(['read:users', 'write:users']),
  (_req: Request, res: Response) => {
    res.json({
      message: 'Hello from a private SCOPED endpoint!.',
    })
  },
)

When the middleware hits the requiredScopes, I was looking at the stack trace , it will check that the scope property on token payload has the permissions I have passed into the requiredScopes.

Long story short: How do I make the permissions I have assigned directly to the user via the Auth0 web interface get included within the scope of the token payload?

I was able to solve this by enabling on my Auth0 custom API identifier settings the “Enable RBAC” + “Add Permissions to Access Token”.

This then adds the “permissions” property with the array of permissions that the user has.
I then wrote my own middleware to check the “permissions”. This works great, but I just want to make sure I’m not missing something. I wanted to follow your “best practices” per your knowledge base / tutorials.

Here is my implementation of a requiredPermissions middleware

import { Request, Response, NextFunction } from 'express'

export const requiredPermissions =
  (permission: string | string[]) =>
  (req: Request, res: Response, next: NextFunction) => {
    const userPermissions = req.auth.payload.permissions as string[]
    if (!permission || !userPermissions) {
      return res.sendStatus(401)
    }
    if (typeof permission === 'string') {
      return userPermissions.includes(permission) ? next() : res.sendStatus(401)
    }
    if (Array.isArray(permission)) {
      return permission.every(p => userPermissions.includes(p))
        ? next()
        : res.sendStatus(401)
    }
  }

tyf · November 29, 2023, 1:19am

Hey there @jzbg welcome to the community!

This is great to hear!

Your requiredPermissions is fine to use, but the library does provide a claimIncludes function that can be used to check the permissions claim of access tokens - For example:

const checkJwt = auth();

app.get('/api/external/protected', checkJwt, claimIncludes('permissions', 'required_permission', 'required_permission' ), (req, res) => {
  res.json({ message: `Hello ${req.auth.payload.sub} - Permissions: ${req.auth.payload.permissions}` });
});

jzbg · November 29, 2023, 2:34am

@tyf

Thanks so much for your prompt reply.

Yes, that library method will work great. I prefer to utilize the library provided method instead of rolling my own.

For anyone who happens to stumble upon this post:

Here is an exported middleware Express handler that utilizes the underlying claimIncludes library method exposed in the express-oauth2-jwt-bearer package.

export const authRequiredPermissions = (permission: string | string[]) => {
  if (typeof permission === 'string') {
    permission = [permission]
  }
  return claimIncludes('permissions', ...permission)
}

Make sure to “Enable RBAC” + “Add Permissions to Access Token” on your API Identifier.

Finally, you can utilize the actual middleware like this…


router.get(
  '/private-scoped',
  authCheckJwt,
  authRequiredPermissions('read:users'), // For multiple permissions pass array of permissions.
  (_req: Request, res: Response) => {
    res.json({
      message: 'Hello from a private SCOPED endpoint!.',
    })
  },
)

tyf · November 30, 2023, 2:40am

No problem, happy to help! Great to know that will work for you and thanks a bunch for the additional details on your setup, always appreciated

system · December 14, 2023, 2:40am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem Insufficient scope with node Js and lib express-authz Help scopes , permissions	3	3009	June 12, 2023
Which backend library to use and should i use "permissions" or. "scope" field role/permission validation on our backend? Help permissions , node-auth0	0	2699	January 24, 2022
Insufficient Scope but my token contains required permissions JWT.io jwt , scope	11	13005	November 30, 2022
RBAC permissions for SPA app and API Help rbac	1	5424	September 12, 2019
Node (Express) API: Authorization using custom scopes/permissions Help	3	4668	August 26, 2019

'express-oauth2-jwt-bearer' requiredScopes Express middleware and missing user assigned permissions within the scope

Related topics