I'm facing a problem while implementing authorization in my first Node.js application, which uses Express.js, Sequelize and jsonwebtoken for authentication. Within it I want to forbid/allow routes for different users, and I don't want to use another package like OAuth2 or something that handles authorization for me.
At the moment I have created a JSON Web Token which has permission roles included within the payload:
{
"userid": 1,
"name": "John Doe",
"permissions": ["user_get", "user_post", "user_put"],
"iat": 1505142542,
"exp": 1505146142
}
Now I want to check within a call like "GET /user" if the authenticated user is allowed to call it.
My question is: Is it safe to use this approach, or shouldn't I include the permissions within the JWT? Another alternative is to ask the database and retrieve the permissions instead of checking the payload.
Additionally, the token will be checked to see if it is still valid in case the server invalidates the user.