/secure-rest-api.ts
Last active Feb 18, 2019
Secure REST API - Detect permissions & user making the call
| import jwt = require('jsonwebtoken'); | |
| const aadKey: string = // aad public key used to sign oauth access token | |
| try { | |
| const authorizationHeader: string = req.headers.authorization; | |
| // decode the token using the AzureAD public signing key | |
| const decodedToken = (jwt.verify(authorizationHeader.replace('Bearer ','')) as any), aadKey); | |
| const scopes: string = (decodedToken.scp as string) | |
| // check for read / write ops | |
| hasMissionReadScope = (scopes.indexOf('Mission.Read') >= 0); | |
| hasMissionWriteScope = (scopes.indexOf('Mission.Write') >= 0); | |
| // check if it's specific user | |
| isUser = (decodedToken.upn.indexOf('alias@foo.com') !== -1); | |
| isValidRequest = true; | |
| } catch (err) { | |
| isValidRequest = false; | |
| // <snip> .. throw error responses based on exception from "jsonwebtoken" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment