@667/express-jwt-authz Chinese documentation tutorial

Published 4 years ago | 22 views | Project homepage | Updated 3 years ago

express-jwt-authz

This fork of https://github.com/auth0/express-jwt-authz supports restify as well as express.

Validates a JWT's scope claim to authorize access to an endpoint.

Install

$ npm install express-jwt-authz

restify@^8.5.1 is a peer dependency. express@^4.0.0 is a peer dependency. Make sure one of them is installed in your project.

Usage

Use it together with express-jwt to both validate the JWT and make sure it carries the permissions required to call the endpoint.

var jwt = require('express-jwt');
var jwtAuthz = require('express-jwt-authz');

var options = {};
app.get('/users',
  jwt({ secret: 'shared_secret' }),
  jwtAuthz([ 'read:users' ], options),
  function(req, res) { ... });

If multiple scopes are provided, the user must have at least one of the specified scopes.

app.post('/users',
  jwt({ secret: 'shared_secret' }),
  jwtAuthz([ 'read:users', 'write:users' ], {}),
  function(req, res) { ... });

// This user will be granted access
var authorizedUser = {
  scope: 'read:users'
};

To require that the user has all of the provided scopes, use the checkAllScopes: true option:

app.post('/users',
  jwt({ secret: 'shared_secret' }),
  jwtAuthz([ 'read:users', 'write:users' ], { checkAllScopes: true }),
  function(req, res) { ... });

// This user will have access
var authorizedUser = {
  scope: 'read:users write:users'
};

// This user will NOT have access
var unauthorizedUser = {
  scope: 'read:users'
};

The JWT must have a scope claim, and it must be either a string of space-separated permissions or an array of strings. For example:

// String:
"write:users read:users"

// Array:
["write:users", "read:users"]

Options

  • failWithError: When set to true, will forward errors to next instead of ending the response directly. Defaults to false.
  • checkAllScopes: When set to true, all the expected scopes will be checked against the user's scopes. Defaults to false.
  • customUserKey: The property name to check for the scope key. By default, permissions are checked against req.user, but you can change it to be req.myCustomUserKey with this option. Defaults to user.
  • customScopeKey: The property name to check for the actual scope. By default, permissions are checked against user.scope, but you can change it to be user.myCustomScopeKey with this option. Defaults to scope.
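To make the option semantics above concrete, here is an added example (not the package's own code) that re-implements the scope check as a small middleware: it accepts both the space-separated string and the array form of the scope claim, applies the any-of (default) or all-of (checkAllScopes) rule, honours customUserKey / customScopeKey, and either ends the response with 403 or, with failWithError, forwards the error to next. The run helper and its fake req/res are constructed here purely to drive the middleware offline.

```javascript
// Added example (not the package's own code): re-implements the scope check
// described above so the any-of / all-of semantics and the string-vs-array
// scope claim can be exercised offline, without express or restify.
function hasRequiredScopes(payload, expectedScopes, options = {}) {
  const scopeKey = options.customScopeKey || 'scope';
  const raw = payload ? payload[scopeKey] : undefined;
  let userScopes;
  if (typeof raw === 'string') {
    userScopes = raw.split(' ').filter(Boolean); // space-separated string
  } else if (Array.isArray(raw)) {
    userScopes = raw;                            // array of strings
  } else {
    return false;                                // missing or malformed claim: deny
  }
  const granted = new Set(userScopes);
  // checkAllScopes: every expected scope must be present; default: at least one
  const check = options.checkAllScopes ? 'every' : 'some';
  return expectedScopes[check](s => granted.has(s));
}

// Middleware factory mirroring jwtAuthz(expectedScopes, options): the decoded
// token is read from req[customUserKey] (populated by express-jwt only after the
// signature was verified); on failure it ends the response with 403, or with
// failWithError forwards the error to next() instead.
function makeAuthz(expectedScopes, options = {}) {
  const userKey = options.customUserKey || 'user';
  return function (req, res, next) {
    if (hasRequiredScopes(req[userKey], expectedScopes, options)) return next();
    const err = new Error('Insufficient scope');
    err.statusCode = 403;
    if (options.failWithError) return next(err);
    res.statusCode = 403;
    res.end('Forbidden');
  };
}

// Drives the middleware with a constructed req/res (no HTTP involved) and
// reports what it did: 'next', 'next-error' or 'response-403'.
function run(expectedScopes, options, tokenPayload) {
  const req = { [options.customUserKey || 'user']: tokenPayload };
  const res = { statusCode: 200, ended: false, end() { this.ended = true; } };
  let outcome = null;
  makeAuthz(expectedScopes, options)(req, res, err => {
    outcome = err ? 'next-error' : 'next';
  });
  if (outcome === null) outcome = res.ended ? 'response-' + res.statusCode : 'hung';
  return outcome;
}
```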

Issue Reporting

For issues directly related to restify support, please report them in this repository's issues section.

If you have found a bug or have a feature request, please report it at https://github.com/auth0/express-jwt-authz/issues. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

June07

License

This project is licensed under the MIT license. See the LICENSE file for more info.

