
I am using Auth0 for user authentication on a MEAN app I am developing. The issue I am having is that I have separated the models, routes and controllers into separate files. I am following the Auth0 tutorial for guidance on where to apply the JWT token check, but I am not sure where it belongs in my setup.

Where does checkJwt belong?

https://auth0.com/docs/quickstart/backend/nodejs/01-authorization

Workout Router

module.exports = function(app) {
    // Controller functions backing every workout endpoint.
    var controller = require('../controllers/workoutController');

    // Collection endpoints: list all workouts, create a new one.
    var collection = app.route('/api/workouts');
    collection.get(controller.getAllWorkouts);
    collection.post(controller.createWorkout);

    // The static 'benchmarks' path is registered before the ':workoutId'
    // pattern so that Express does not treat "benchmarks" as an id.
    app.route('/api/workouts/benchmarks').get(controller.getBenchmarks);

    // Single-workout endpoints keyed by the :workoutId path parameter.
    var single = app.route('/api/workouts/:workoutId');
    single.get(controller.getWorkout);
    single.put(controller.updateWorkout);
    single.delete(controller.deleteWorkout);
};

Corresponding Controller

var mongoose = require('mongoose'),
  Workout = mongoose.model('Workout');

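/**
 * GET /api/workouts — respond with every Workout document.
 *
 * On a database error answers 500 with a generic message; the raw error is
 * logged server-side only, since driver errors can expose internal details.
 *
 * @param {object} req Express request (unused).
 * @param {object} res Express response.
 */
exports.getAllWorkouts = function(req, res) {
  Workout.find({}, function(err, workouts) {
    if (err) {
      // `return` matters: without it the handler fell through to res.json()
      // after the error response had already been sent.
      console.error('getAllWorkouts failed:', err);
      return res.status(500).json({ message: 'Could not load workouts' });
    }
    res.json(workouts);
  });
};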


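/**
 * GET /api/workouts/benchmarks — respond with the workouts whose type is
 * "Benchmark".
 *
 * On a database error answers 500 with a generic message; the raw error is
 * logged server-side only.
 *
 * @param {object} req Express request (unused).
 * @param {object} res Express response.
 */
exports.getBenchmarks = function(req, res) {
  Workout.find({
    "type": "Benchmark"
  }, function(err, workouts) {
    if (err) {
      // `return` prevents the second response (res.json) that the original
      // code sent after res.send(err).
      console.error('getBenchmarks failed:', err);
      return res.status(500).json({ message: 'Could not load benchmarks' });
    }
    res.json(workouts);
  });
};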

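/**
 * POST /api/workouts — create a Workout from the request body.
 *
 * Validation failures answer 400, other save errors 500; in both cases the
 * raw error stays in the server log rather than in the response body.
 *
 * @param {object} req Express request; req.body is the workout payload.
 * @param {object} res Express response.
 */
exports.createWorkout = function(req, res) {
  // req.body is copied wholesale into the model. Any field a client must
  // not be able to set (e.g. an owner reference) has to be stripped here or
  // kept out of the schema — TODO confirm against the Workout schema.
  var newWorkout = new Workout(req.body);
  newWorkout.save(function(err, workout) {
    if (err) {
      // `return` prevents the second response the original sent after
      // res.send(err). Mongoose reports schema failures as ValidationError,
      // which is a client error rather than a server fault.
      var status = err.name === 'ValidationError' ? 400 : 500;
      console.error('createWorkout failed:', err);
      return res.status(status).json({ message: 'Could not create workout' });
    }
    res.json(workout);
  });
};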

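/**
 * GET /api/workouts/:workoutId — respond with one Workout by id.
 *
 * Answers 404 when no document matches (the original returned 200 with a
 * null body) and 500 on a database error, logging the raw error server-side.
 *
 * @param {object} req Express request; req.params.workoutId is the id.
 * @param {object} res Express response.
 */
exports.getWorkout = function(req, res) {
  Workout.findById(req.params.workoutId, function(err, workout) {
    if (err) {
      // `return` prevents the second response the original sent after
      // res.send(err). A malformed id surfaces as a Mongoose CastError,
      // which is better reported as "not found" than as a server fault.
      if (err.name === 'CastError') {
        return res.status(404).json({ message: 'Workout not found' });
      }
      console.error('getWorkout failed:', err);
      return res.status(500).json({ message: 'Could not load workout' });
    }
    if (!workout) {
      return res.status(404).json({ message: 'Workout not found' });
    }
    res.json(workout);
  });
};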


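/**
 * PUT /api/workouts/:workoutId — apply req.body to one Workout and respond
 * with the updated document ({new: true}).
 *
 * Answers 404 when no document matches, 500 on a database error; the raw
 * error is logged server-side only.
 *
 * @param {object} req Express request; req.params.workoutId is the id,
 *   req.body the update payload.
 * @param {object} res Express response.
 */
exports.updateWorkout = function(req, res) {
  // req.body is used as the update document as-is, so every schema path a
  // client can reach is overwritable here; whitelist fields if some must
  // stay server-controlled — TODO confirm against the Workout schema.
  Workout.findOneAndUpdate({_id: req.params.workoutId}, req.body, {new: true}, function(err, workout) {
    if (err) {
      // `return` prevents the second response the original sent after
      // res.send(err). A malformed id surfaces as a Mongoose CastError.
      if (err.name === 'CastError') {
        return res.status(404).json({ message: 'Workout not found' });
      }
      console.error('updateWorkout failed:', err);
      return res.status(500).json({ message: 'Could not update workout' });
    }
    if (!workout) {
      return res.status(404).json({ message: 'Workout not found' });
    }
    res.json(workout);
  });
};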

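/**
 * DELETE /api/workouts/:workoutId — remove the Workout with the given id.
 *
 * Answers 500 on a database error (logged server-side), otherwise the same
 * success message as before.
 *
 * @param {object} req Express request; req.params.workoutId is the id.
 * @param {object} res Express response.
 */
exports.deleteWorkout = function(req, res) {
  Workout.remove({
    _id: req.params.workoutId
  }, function(err) {
    if (err) {
      // `return` prevents the second response the original sent after
      // res.send(err).
      console.error('deleteWorkout failed:', err);
      return res.status(500).json({ message: 'Could not delete workout' });
    }
    res.json({ message: 'Workout successfully deleted' });
  });
};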

Workout Post()

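/**
 * POST /api/workouts — create a Workout from the request body.
 *
 * Validation failures answer 400, other save errors 500; in both cases the
 * raw error stays in the server log rather than in the response body.
 *
 * @param {object} req Express request; req.body is the workout payload.
 * @param {object} res Express response.
 */
exports.createWorkout = function(req, res) {
  // req.body is copied wholesale into the model. Any field a client must
  // not be able to set (e.g. an owner reference) has to be stripped here or
  // kept out of the schema — TODO confirm against the Workout schema.
  var newWorkout = new Workout(req.body);
  newWorkout.save(function(err, workout) {
    if (err) {
      // `return` prevents the second response the original sent after
      // res.send(err). Mongoose reports schema failures as ValidationError,
      // which is a client error rather than a server fault.
      var status = err.name === 'ValidationError' ? 400 : 500;
      console.error('createWorkout failed:', err);
      return res.status(status).json({ message: 'Could not create workout' });
    }
    res.json(workout);
  });
};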



First, configure checkJwt (as shown in the docs) in a separate file and require it from each of your router files.

Let's see how you can protect the routes in your Workout Router:

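module.exports = function(app) {
    var workouts = require('../controllers/workoutController');
    var checkJwt = require('./path/to/checkJwt');

    // workout Routes
    // checkJwt is placed in front of every handler that changes data, so a
    // request without a valid token never reaches the controller. Reads stay
    // public. checkJwt only establishes that a valid token was presented;
    // any per-user ownership rule still belongs in the controller.
    app.route('/api/workouts')
      .get(workouts.getAllWorkouts) // unprotected route
      .post(checkJwt, workouts.createWorkout); // protected route

    app.route('/api/workouts/benchmarks')
      .get(workouts.getBenchmarks); // unprotected route

    app.route('/api/workouts/:workoutId')
      .get(workouts.getWorkout) // unprotected route
      .put(checkJwt, workouts.updateWorkout) // protected route
      .delete(checkJwt, workouts.deleteWorkout); // protected route
};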

checkJwt is an Express middleware that verifies the request is authenticated (carries a valid token) before the request reaches your controller logic.

checkJwt file:

// Auth0 JWT middleware. `jwt` is the middleware factory used by the linked
// Auth0 quickstart and must be required above this line. The "..." stands in
// for the audience, issuer and signing-key settings shown there; each of
// those narrows which tokens are accepted, so none of them should be dropped.
var checkJwt = jwt({
  ...
})

// Exported so every router can require it and place it in front of the
// handlers it wants to protect.
module.exports = checkJwt