- vừa được xem lúc

Blog#206: 🔐Implementing Role-Based Access Control (RBAC) in Node.js Express

0 0 8

Người đăng: NGUYỄN ANH TUẤN

Theo Viblo Asia

206

Hi, I'm Tuan, a Full-stack Web Developer from Tokyo 😊. Follow my blog to not miss out on useful and interesting articles in the future.

Role-based access control (RBAC) is an essential security feature in modern web applications. It ensures that different users have varying levels of access, depending on their roles, to protect sensitive data and functionality. In this article, we will delve into how to implement RBAC in Node.js Express applications.

Introduction to RBAC

RBAC is a security model that restricts access to resources and actions based on a user's role. It separates the management of user permissions from individual users, making it easier to maintain and scale your application. By assigning roles to users, you can control who can access specific resources and perform certain actions in your application.

Setting up the Project

Before diving into RBAC implementation, let's set up a new Node.js Express project:

$ mkdir rbac-node-express
$ cd rbac-node-express
$ npm init -y
$ npm install express body-parser mongoose
$ npm install --save-dev nodemon

Create a .env file to store environment variables, and include the following content:

PORT=3000
MONGODB_URI=mongodb://localhost:27017/rbac-node-express

Update the package.json file to include the following script:

{ ... "scripts": { "start": "nodemon index.js" }, ...
}

Now, create an index.js file with the following code:

const express = require('express');
const bodyParser = require('body-parser');
const mongoose = require('mongoose');
const dotenv = require('dotenv');
dotenv.config(); const app = express();
app.use(bodyParser.json()); mongoose.connect(process.env.MONGODB_URI, { useNewUrlParser: true, useUnifiedTopology: true,
}).then(() => console.log('Connected to MongoDB')); app.listen(process.env.PORT, () => { console.log(`Server running at http://localhost:${process.env.PORT}`);
});

Creating Roles and Permissions

First, define the roles and permissions for your application. Create a roles.js file and include the following content:

const roles = { admin: { can: [ 'read', 'write', 'delete', ], }, editor: { can: [ 'read', 'write', ], }, viewer: { can: [ 'read', ], },
}; module.exports = roles;

Here, we've defined three roles: admin, editor, and viewer, each with different permissions.

Defining Middleware for Role-Based Authorization

Now, create a middleware function to check if the user has the required role to access a specific route. Create a new file called roleMiddleware.js and add the following code:

const roles = require('./roles'); const checkRole = (requiredRole) => (req, res, next) => { const userRole = req.user.role; if (!roles[userRole].can.includes(requiredRole)) { return res.status(403).send('Forbidden'); } next();
}; module.exports = checkRole;

In this code, we import the roles defined earlier and create a checkRole function that takes the required role as an argument. The middleware function checks if the user's role includes the required permission; if not, it returns a 403 Forbidden status. Otherwise, it proceeds to the next middleware or route handler.

Implementing RBAC in Routes

Now that we have the middleware function in place, we can start implementing RBAC in our application routes. First, create a user.js file to define a sample user object:

const user = { name: 'John Doe', role: 'admin', // Change this value to test different roles
}; module.exports = user;

Next, update your index.js file to include the following code:

const express = require('express');
const bodyParser = require('body-parser');
const mongoose = require('mongoose');
const dotenv = require('dotenv');
const checkRole = require('./roleMiddleware');
const user = require('./user'); dotenv.config(); const app = express();
app.use(bodyParser.json()); // Simulate user authentication by adding the user object to the request
app.use((req, res, next) => { req.user = user; next();
}); mongoose.connect(process.env.MONGODB_URI, { useNewUrlParser: true, useUnifiedTopology: true,
}).then(() => console.log('Connected to MongoDB')); // Define routes with RBAC middleware
app.get('/dashboard', checkRole('read'), (req, res) => { res.send('Welcome to the dashboard');
}); app.post('/create-post', checkRole('write'), (req, res) => { res.send('Post created');
}); app.delete('/delete-post', checkRole('delete'), (req, res) => { res.send('Post deleted');
}); app.listen(process.env.PORT, () => { console.log(`Server running at http://localhost:${process.env.PORT}`);
});

Here, we've added a middleware that simulates user authentication by adding the user object to the request. We've also defined three routes (/dashboard, /create-post, and /delete-post) with different permissions, using the checkRole middleware.

Testing Your Implementation

You can now test your RBAC implementation using a tool like Postman or curl. Send requests to the different routes and observe the responses. If the user's role includes the required permission, you should receive a success message; otherwise, you should receive a 403 Forbidden status.

For example, you can test the /dashboard route using curl:

$ curl -X GET http://localhost:3000/dashboard

Conclusion

In this article, we've demonstrated how to implement role-based access control (RBAC) in a Node.js Express application. We've defined roles and permissions, created a middleware function to enforce role-based authorization, and applied it to our application routes. This implementation ensures that users can only access resources and perform actions based on their assigned roles, enhancing the security of your web application.

And Finally

As always, I hope you enjoyed this article and got something new. Thank you and see you in the next articles!

If you liked this article, please give me a like and subscribe to support me. Thank you. 😊

Ref

Bình luận

Bài viết tương tự

- vừa được xem lúc

Cách mình "hack" được vào hẹ thống của SMAS để xem điểm.

Cách mà mình "hack" được vào hệ thống của SMAS. Thật ra dùng từ hack cũng không đúng lắm, chỉ là một vài trick để lừa hệ thống mà thôi.

0 0 145

- vừa được xem lúc

[NodeJs] Tạo QR Code trong nodeJs với qrcode

Tạo mã QR Code trong nodejs với qrcode. QR Code là gì. Tạo QR code với qrcode. Cài đặt thư viện qrcode.

0 0 34

- vừa được xem lúc

Áp dụng kiến trúc 3 Layer Architecture vào project NodeJS

The problem encountered. Các framework nodejs phổ biết như Express cho phép chúng ta dễ dàng tạo ra Resful API xử lí các request từ phía client một cách nhanh chóng và linh hoạt.

0 0 80

- vừa được xem lúc

Router, Controller trong Express

Mở đầu. Xin chào các bạn mình đã quay trở lại rồi đây, tiếp tục với series Nodejs cơ bản thì hôm nay mình sẽ giới thiệu đến các bạn Express Router và Controller.

0 0 40

- vừa được xem lúc

Xây dựng CRUD RESTful API sử dụng Node, Express, MongoDB.

Introduction. Trong phạm vi bài viết này chúng ta sẽ cùng tìm hiểu về cách tạo restful api với Node, Express và MongoDB. . Xử lý các hoạt động crud.

0 0 225

- vừa được xem lúc

Rate time limit trong NodeJS

Chào các bạn, lại là mình đây. Hôm nay mình xin giới thiệu tới các bạn một kỹ thuật rất hay ho và hữu ích đó là Rate Limiting. 1. Rate Limiting là gì.

0 0 62