This tutorial demonstrates how to secure a Node.js web application built with the Express framework by implementing user authentication. You’ll enhance a starter Node.js project to practice the following security concepts:
- Add user login and logout.
- Retrieve user information.
- Protect application routes.
- Call protected endpoints from an API.
This seems a helpful guide. I’ve been using the auth0-passport interface, and this seems to get at what I want in a cleaner way. Also, it allows using hints for sign-up or log-in, which I like.
However, there’s one thing I figured out with auth0-passport I cannot figure out here. How does my Node.js application see what permissions a user has? For example, I have created a role called “creator” and given it a permission called “components:create”. In the Passport scheme, I turned on RBAC in the dashboard, and then decoded the access token in the Passport callback to get at the user permissions; if the “components:create” permission existed in that list, I would allow that user to submit a new component to my database.
However, in this library, I can’t figure out how to get at those user permissions. There are good examples for retrieving user Roles, but not for getting at the actual fine-grained permissions. Swapping back to the Passport code, the permissions are still showing up, but I can’t get at them with this library.
I’ve tried writing a Rule or Action to get at permissions and copy them to a custom claim, but I can’t figure out how to get them from within an Action.
Also: what does the session: option actually do? It’s not using an express-session store, although it seems like it’s configured like one. Should I be using it? If not, why not? If so, how do I store my own session state data?
Thanks for any help.
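The permission check described in the post above (read the verified access token's permission list and allow the action only if it contains “components:create”), written out as an added example in plain Express-style middleware; it is not code from the thread or from either library. It assumes the auth library has already verified the token's signature and placed the decoded payload on `req.accessTokenPayload` (a made-up property name), and it relies on Auth0 RBAC placing granted permissions in the `permissions` claim when “Add Permissions in the Access Token” is enabled.

```javascript
// Added example: enforce a fine-grained Auth0 RBAC permission in Express-style middleware.
// Assumption: the auth middleware already verified the access token and stored its
// decoded payload on req.accessTokenPayload (property name is hypothetical).

// Decode the payload segment of a compact JWT (base64url-encoded JSON).
// This performs NO signature verification; only use it on a token that the
// auth library has already verified, otherwise the claims cannot be trusted.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Auth0 RBAC emits granted permissions as an array of strings in the
// `permissions` claim. Treat a missing or malformed claim as "no permissions".
function hasPermission(payload, permission) {
  const perms = Array.isArray(payload && payload.permissions) ? payload.permissions : [];
  return perms.includes(permission);
}

// Middleware factory: 401 without a verified payload, 403 without the permission,
// otherwise hand off to the route handler (e.g. the "create component" endpoint).
function requirePermission(permission) {
  return (req, res, next) => {
    const payload = req.accessTokenPayload; // assumption: set by the auth middleware
    if (!payload) return res.status(401).json({ error: 'unauthenticated' });
    if (!hasPermission(payload, permission)) {
      return res.status(403).json({ error: `missing permission ${permission}` });
    }
    return next();
  };
}

// Constructed sample payload shaped like the one a verified token would carry.
const SAMPLE_PAYLOAD = { sub: 'auth0|example-user', permissions: ['components:create'] };

// Usage in an Express app (not executed here):
//   app.post('/components', requirePermission('components:create'), createComponent);
```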