Secure REST API - Detect permissions & user making the call
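import jwt = require('jsonwebtoken');

// AAD public signing key (PEM) for the OAuth access token. The value was
// elided in the original snippet; load it from configuration or the tenant's
// JWKS endpoint rather than embedding it.
const aadKey: string = '<AAD_PUBLIC_SIGNING_KEY_PEM>'; // placeholder, not a real key

// Expected `aud` / `iss` of tokens this API accepts (placeholders — TODO confirm
// against the app registration). Without these checks a token minted for a
// different API or tenant, but signed by the same authority, would be accepted.
const expectedAudience: string = '<API_APPLICATION_ID_URI>';
const expectedIssuer: string = '<TOKEN_ISSUER_URL>';

/** Claims read from the verified token; everything else is ignored. */
interface AadAccessToken {
  scp?: unknown; // space-delimited delegated scopes
  upn?: unknown; // user principal name
}

/**
 * True when `name` is one of the space-delimited entries of an `scp` claim.
 *
 * The claim is split rather than substring-searched so that 'Mission.Read'
 * does not also satisfy a token carrying only 'Mission.ReadWrite'.
 */
function hasScope(scp: string, name: string): boolean {
  return scp.split(' ').includes(name);
}

try {
  const authorizationHeader = req.headers.authorization;
  // Reject a missing header or a non-Bearer scheme up front instead of
  // letting `.replace` fail on `undefined` inside the verify call.
  if (typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('Bearer ')) {
    throw new Error('missing or malformed Authorization header');
  }
  const token = authorizationHeader.slice('Bearer '.length);

  // Verify the signature with the AzureAD public signing key. `algorithms` is
  // pinned so the public key cannot be accepted as an HMAC secret if a token
  // claims "alg": "HS256"; audience and issuer are checked by jsonwebtoken.
  const decodedToken = jwt.verify(token, aadKey, {
    algorithms: ['RS256'],
    audience: expectedAudience,
    issuer: expectedIssuer,
  }) as AadAccessToken;

  // A token without a delegated `scp` claim (e.g. an app-only token) carries
  // no user permissions for this check, so treat it as invalid.
  if (typeof decodedToken.scp !== 'string') {
    throw new Error('access token has no scp claim');
  }
  const scopes: string = decodedToken.scp;

  // check for read / write ops
  hasMissionReadScope = hasScope(scopes, 'Mission.Read');
  hasMissionWriteScope = hasScope(scopes, 'Mission.Write');

  // check if it's a specific user — exact match, so 'xalias@foo.com' or
  // 'alias@foo.com.example' is not mistaken for the intended principal.
  isUser = typeof decodedToken.upn === 'string' && decodedToken.upn === 'alias@foo.com';

  isValidRequest = true;
} catch (err) {
  isValidRequest = false;
  // <snip> .. throw error responses based on exception from "jsonwebtoken"
}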