Node.js + Express.js User Permission Security Model


We have an application that has two types of users. Depending on how the user logs in, we want them to have access to different parts of the application.

How do we implement a security model for preventing users from seeing things they do not have access to?

Do we make security part of each routes implementation? The problem being that we will have some duplicate logic across requests. We could move this into helper functions, but we'd still need to remember to call it.

Do we make security part of a global app.all() route handler? The problem being that we have to inspect each route and do different logic based on a multitude of rules. At least all the code is in one place, but then... all the code is in one place.

3/7/2012 9:26:54 PM

Accepted Answer

Having it per-route usually works for me. This is what I typically do:

function requireRole (role) {
    return function (req, res, next) {
        if (req.session.user && req.session.user.role === role) {
        } else {

app.get("/foo", foo.index);
app.get("/foo/:id", requireRole("user"),;"/foo", requireRole("admin"), foo.create);

// All bars are protected
app.all("/foo/bar", requireRole("admin"));

// All paths starting with "/foo/bar/" are protected
app.all("/foo/bar/*", requireRole("user"));
6/19/2017 11:16:42 AM

You can use ability-js with everyauth, which is quite similar to CanCan for Rails

Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow