How can I secure my express backend routes such that only certain users can access them?
My idea is that each backend route requires a user token, passed as a URL param, to access. I then use Auth0 on the backend to figure out who this user is, and then check the MongoDB database to see the user's permissions. If the user's permissions allow them to access this server route, I complete the task for that route.
These routes include accessing MongoDB.
How would I go about implementing this? Is there a better option?
I am now attempting to set up scopes, roles, and permissions for users accessing routes.
For reference, here is the example quickstart code:
    // server.js
    const express = require('express');
    const { auth, requiredScopes } = require('express-oauth2-jwt-bearer');
    const app = express();
    // checkJwt validates the bearer token against your API identifier and tenant
    // (YOUR_API_IDENTIFIER / YOUR_DOMAIN are the quickstart placeholders)
    const checkJwt = auth({
      audience: 'YOUR_API_IDENTIFIER',
      issuerBaseURL: 'https://YOUR_DOMAIN/',
    });
    const checkScopes = requiredScopes('read:messages');
    app.get('/api/private-scoped', checkJwt, checkScopes, function (req, res) {
      res.json({
        message: 'Hello from a private endpoint! You need to be authenticated and have a scope of read:messages to see this.'
      });
    });
How can I access the user’s information inside of the route?
Two people might have the scope of “all:email” in their role, but depending on who that user is, the people they have access to email will vary.
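One way to layer the per-user check on top of the scope check, as an added example that is not from the Auth0 quickstart or from the original post: express-oauth2-jwt-bearer's checkJwt verifies the bearer token (sent in the Authorization header, which keeps it out of URL logs) and sets req.auth = { header, payload, token }, so the route can read the caller's stable id from req.auth.payload.sub and look up that user's own record. The example below is written as plain (req, res, next) middleware with no express or database import so it runs stand-alone; the USERS map, its field names, the findUserBySub and runChain helpers, and the sample requests are all constructed for illustration and stand in for the real MongoDB lookup and Express router.

```javascript
// Per-user authorization after the token and scope checks have passed.
// Wire into a real app as:
//   app.post('/api/email', checkJwt, checkScopes, loadUser, authorizeRecipient, sendEmailHandler);

// Constructed stand-in for a MongoDB users collection (hypothetical shape).
// Both users hold the all:email scope in their tokens, but each may only
// write to the addresses stored on their own record.
const USERS = new Map([
  ['auth0|alice', { canEmail: ['bob@example.com', 'carol@example.com'] }],
  ['auth0|dave',  { canEmail: ['erin@example.com'] }],
]);

function findUserBySub(sub) {
  // Real app: await db.collection('users').findOne({ auth0Id: sub })
  return USERS.get(sub) || null;
}

// The `scope` claim is a space-separated string; requiredScopes() checks the
// same claim, this helper just makes the example self-contained.
function hasScope(payload, wanted) {
  const scopes = typeof payload.scope === 'string' ? payload.scope.split(' ') : [];
  return scopes.includes(wanted);
}

// Middleware 1: resolve the verified subject to an application user.
// Fail closed: a valid token for an unknown user gets 403, not a default profile.
function loadUser(req, res, next) {
  const sub = req.auth && req.auth.payload && req.auth.payload.sub;
  if (!sub) return res.status(401).json({ error: 'unauthenticated' });
  const user = findUserBySub(sub);
  if (!user) return res.status(403).json({ error: 'no user record for subject' });
  req.user = { sub, ...user };
  next();
}

// Middleware 2: the per-user decision. The scope says "may send email";
// the user's own record says to whom.
function authorizeRecipient(req, res, next) {
  if (!hasScope(req.auth.payload, 'all:email')) {
    return res.status(403).json({ error: 'missing scope all:email' });
  }
  const to = req.body && req.body.to;
  if (typeof to !== 'string' || !req.user.canEmail.includes(to)) {
    return res.status(403).json({ error: 'recipient not permitted for this user' });
  }
  next();
}

// The handler only runs once both checks passed, so it can trust req.user.
function sendEmailHandler(req, res) {
  res.status(200).json({ from: req.user.sub, to: req.body.to, sent: true });
}

const emailRoute = [loadUser, authorizeRecipient, sendEmailHandler];

// Minimal harness standing in for Express so the chain runs offline.
// Returns { status, body } of whichever middleware ended the request.
function runChain(chain, req) {
  const result = { status: 200, body: null };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  for (const mw of chain) {
    let nextCalled = false;
    mw(req, res, () => { nextCalled = true; });
    if (!nextCalled) break;
  }
  return result;
}

// Constructed requests shaped like what checkJwt produces after verification.
function requestFor(sub, scope, to) {
  return { auth: { payload: { sub, scope } }, body: { to } };
}

// Same scope, different users, different outcomes for the same recipient:
// alice -> 200, dave -> 403.
```

The split into two middlewares matters: the scope check stays a coarse, token-only gate that requiredScopes already gives you, while the database lookup keyed on req.auth.payload.sub is the only place per-user decisions are made, so the route handler never has to re-derive identity from anything the client sent.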