Skip to content

Instantly share code, notes, and snippets.

Last active March 4, 2024 00:01
Show Gist options
  • Save joshnuss/37ebaf958fe65a18d4ff to your computer and use it in GitHub Desktop.
Save joshnuss/37ebaf958fe65a18d4ff to your computer and use it in GitHub Desktop.
Express.js role-based permissions middleware
// the main app file
import express from "express";
import loadDb from "./loadDb"; // dummy middleware to load db (sets request.db)
import authenticate from "./authentication"; // middleware for doing authentication
import permit from "./authorization"; // middleware for checking if user's role is permitted to make request
const app = express(),
api = express.Router();
// first middleware will setup db connection
// authenticate each request
// will set `request.user`
// setup permission middleware,
// check `request.user.role` and decide if ok to continue
app.use("/api/private", permit("admin"));
app.use(["/api/foo", "/api/bar"], permit("manager", "employee"));
// setup requests handlers
api.get("/private/whatever", (req, res) => res.json({whatever: true}));
api.get("/foo", (req, res) => res.json({currentUser: req.user}));
api.get("/bar", (req, res) => res.json({currentUser: req.user}));
// setup permissions based on HTTP Method
// account creation is public"/account", (req, res) => res.json({message: "created"}));
// account update & delete (PATCH & DELETE) are only available to managers
api.patch("/account", permit('manager'), (req, res) => res.json({message: "updated"}));
api.delete("/account", permit('manager'), (req, res) => res.json({message: "deleted"}));
// viewing account "GET" available to manager and employee
api.get("/account", permit('manager', 'employee'), (req, res) => res.json({currentUser: req.user}));
// mount api router
app.use("/api", api);
// start 'er up
app.listen(process.env.PORT || 3000);
// middleware for authentication
export default async function authorize(request, _response, next) {
const apiToken = request.headers['x-api-token'];
// set user on-success
request.user = await request.db.users.findByApiKey(apiToken);
// always continue to next middleware
// middleware for doing role-based permissions
export default function permit(...permittedRoles) {
// return a middleware
return (request, response, next) => {
const { user } = request
if (user && permittedRoles.includes(user.role)) {
next(); // role is allowed, so continue on the next middleware
} else {
response.status(403).json({message: "Forbidden"}); // user is forbidden
// dummy middleware for db (set's request.db)
export default function loadDb(request, _response, next) {
// dummy db
request.db = {
users: {
findByApiKey: async token => {
switch {
case (token == '1234') {
return {role: 'manager', id: 1234};
case (token == '5678') {
return {role: 'employee', id: 5678};
return null; // no user
Copy link

pedrovinicius commented Jan 25, 2019

It's exactly what I was looking for! Thank you so much!

Copy link

Extremely helpful .. saved my 4-5 working hours

Copy link

Extremely helpful, thank you so much

Copy link

Thanks you so much

Copy link

Thanks.. it's simple but powerful! 👍

Copy link

...allowed can you explain this to me i am new at this

Copy link

joshnuss commented Aug 1, 2019

@HamzaKazmi43 f(...args) is called "rest parameters". It allows the function to consume the parameters as if it was an array.
For more info, see:

Copy link

very useful, thank you!

Copy link

Thank you @joshnuss, this is brilliant!

Copy link

staminna commented Sep 28, 2019

Can I see some example usage of this code?
I also tried to replace 'api' with app and I get some unexpected circular error of some kind. I am not using router directly. I am only using app=express();

Copy link

Thanks man, this just saved me hours of work today!

Copy link

Ditto on this being very helpful. And I learned about rest parameters so that was a big bonus for me.

Thanks for sharing.

Copy link

Thank you for sharing.

Copy link

Thank you! This was extremely helpful for me.

Copy link

thanks! save me"

Copy link

zartre commented Jul 3, 2020

This is helpful. I have adapted mine based on your work. Thanks!

Copy link


Copy link

jalakpatoliya commented Jul 30, 2020

Just here to Thank... awsome buddy thanks 👊️😎️

Copy link

Pipoupi commented Jul 31, 2020

Here to thank you too ! :)

Copy link

This is great, was looking for something similar.

Thanks man

Copy link

I looked at other implementations but this is the most simple and useful one so far

Copy link

Copy link

Extremely Useful. Works like a charm.

Copy link

Nice, Thank you

Copy link

By using 'owner' role I would expect the user who created(own) the doc is trying to access, otherwise it is confusing and misleading.
I would suggest to rename 'owner' role to something else, because 'owner' in this pattern is not what you expect.

Copy link

skang commented Apr 1, 2021

Excellent design - simple, beautiful and powerful. Thank you very much for sharing!

Copy link

@sergey-shpak yeh me too, I think it's just an unfortunately named role?

Copy link

Very helpful. Thanks for sharing.

Copy link

This is perfect, thank you a ton.

Copy link

thank you bro..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment