Secure REST API - Detect permissions & user making the call
import jwt = require('jsonwebtoken');
declare const aadKey: string; // aad public key used to sign oauth access token
declare const req: { headers: { authorization?: string } }; // incoming HTTP request (e.g. Express)

let hasMissionReadScope = false;
let hasMissionWriteScope = false;
let isUser = false;
let isValidRequest = false;

try {
  const authorizationHeader: string = req.headers.authorization || '';
  // verify the signature using the AzureAD public signing key; pin the algorithm
  // so the public key cannot be replayed as an HMAC secret (algorithm confusion)
  const decodedToken = jwt.verify(authorizationHeader.replace('Bearer ', ''), aadKey, { algorithms: ['RS256'] }) as any;
  // scp is a space-separated list of delegated scopes; split it so that each
  // scope is matched exactly rather than as a substring (e.g. "Mission.ReadWrite")
  const scopes: string[] = ((decodedToken.scp as string) || '').split(' ');
  // check for read / write ops
  hasMissionReadScope = scopes.indexOf('Mission.Read') >= 0;
  hasMissionWriteScope = scopes.indexOf('Mission.Write') >= 0;
  // check if it's a specific user (exact match, not a substring match)
  isUser = decodedToken.upn === 'alias@foo.com';
  isValidRequest = true;
} catch (err) {
  isValidRequest = false;
  // <snip> .. throw error responses based on exception from "jsonwebtoken"
}
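Added example, not part of the gist: the scope and user checks factored into a pure function over the already-verified claims, so the authorization decision can be unit-tested without a real token. It matches scopes as whole space-separated entries and compares the upn exactly, which is what a substring test misses; the claim shapes and the sample payloads are constructed assumptions.

```typescript
// Claims this check relies on from an already signature-verified Azure AD access token.
interface AadClaims {
  scp?: string; // delegated scopes, space-separated, e.g. "Mission.Read Mission.Write"
  upn?: string; // user principal name of the caller
}

interface AccessDecision {
  hasMissionReadScope: boolean;
  hasMissionWriteScope: boolean;
  isUser: boolean;
}

// Split the scp claim into individual scopes and match each one exactly,
// so "Mission.ReadWrite" or "Mission.Read.All" do not satisfy "Mission.Read".
function grantedScopes(claims: AadClaims): Set<string> {
  return new Set((claims.scp ?? '').split(' ').filter((s) => s.length > 0));
}

function hasScope(claims: AadClaims, scope: string): boolean {
  return grantedScopes(claims).has(scope);
}

// Whole-value, case-insensitive comparison of the caller's UPN; a substring
// test would also accept "alias@foo.com.example" or "notalias@foo.com".
function isCaller(claims: AadClaims, expectedUpn: string): boolean {
  return typeof claims.upn === 'string' &&
    claims.upn.toLowerCase() === expectedUpn.toLowerCase();
}

function decide(claims: AadClaims, expectedUpn: string): AccessDecision {
  return {
    hasMissionReadScope: hasScope(claims, 'Mission.Read'),
    hasMissionWriteScope: hasScope(claims, 'Mission.Write'),
    isUser: isCaller(claims, expectedUpn),
  };
}

// Constructed sample payloads (not real tokens) for illustration.
const legitimateClaims: AadClaims = { scp: 'Mission.Read Mission.Write', upn: 'alias@foo.com' };
const lookalikeClaims: AadClaims = { scp: 'Mission.ReadWrite', upn: 'alias@foo.com.example' };
const readOnlyClaims: AadClaims = { scp: 'Mission.Read', upn: 'Alias@foo.com' };
```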