Node & express, secure and recommended way to apply user access control?

When doing role based access control/user access control on a nodejs/expressjs web application, do I just create a middleware and use an if statement in the middleware to check whether or not the user who is accessing the route has a certain role?
Something like this:

// Placeholder for the "other things" the original snippet leaves unspecified
// (e.g. ownership checks); it is not defined on this page.
const otherChecksPass = (req) => true;

const roleCheckMiddleware = (req, res, next) => {

  if (req.user.permission === 'user') {

    if (otherChecksPass(req)) {
      return next();
    } else {
      return res.status(403).send('Unauthorized');
    }

  } else if (req.user.permission === 'admin') {

    if (otherChecksPass(req)) {
      return next();
    } else {
      return res.status(403).send('Unauthorized');
    }

  } else if (req.user.permission === 'super admin') {
    return next();
  } else {
    return res.status(403).send('Unauthorized');
  }
};

app.delete('/account/:acountId', roleCheckMiddleware, (req, res) => {
  /* Delete account */
});

Is this the secure/correct/recommended way to apply role based access control/user access control on a nodejs/expressjs web application? Or am I doing it wrong?

I know I can use a role based access control/user access control nodejs library to do it, but the main reason I don’t want to use a library is that I want to learn/understand how to apply this kind of functionality to my web application, and also I only have three roles.

What is req here? The request coming from the front-end? You can’t trust whatever comes from the front-end; the user can send whatever data (s)he wants to.

You need to check against your database if the user has the right permission.

It also feels very repetitive; you could clean up/refactor your code to have a function which checks the permission.

Hi stetim94, I am using a JWT token; the data in req.user comes from the JWT token payload. After I decode it, I set:

const jwt = require('jsonwebtoken');

const verified = jwt.verify(token, process.env.TOKEN_SECRET);
req.user = verified;

So basically, other than that I need to refactor my code, is the way I am doing it (middleware with an if statement to check the role) a secure and recommended/correct way to apply user access control to a web application?

Thanks, and sorry, English is not my first language.

Yes and no. A conditional is good, but you are checking against data coming from the front-end, which the user can manipulate.

Like I said in my original answer, you need to check the permission against the permission in your database. This is still a conditional, but a different comparison.

Ok, so using middleware with an if statement to check the role is the correct way to apply role based access control to a web application, but rather than comparing the role which I got from the front end, I need to compare the user role which is stored in the database.

So something like this:

// Placeholders: the database lookup and the "other things" check are not
// defined on this page; a real lookup is asynchronous, hence the await.
const userDataRetrieveFromDB = async (accountId) => ({ permission: 'user' });
const otherChecksPass = (req) => true;

const roleCheckMiddleware = async (req, res, next) => {
  /* So use the account id which I received from the front end and use it
     to CHECK and RETRIEVE data from database */
  const acountIdFromFrontEnd = req.params.acountId;
  const user = await userDataRetrieveFromDB(acountIdFromFrontEnd);

  if (user.permission === 'user') {

    if (otherChecksPass(req)) {
      return next();
    } else {
      return res.status(403).send('Unauthorized');
    }

  } else if (user.permission === 'admin') {

    if (otherChecksPass(req)) {
      return next();
    } else {
      return res.status(403).send('Unauthorized');
    }

  } else if (user.permission === 'super admin') {
    return next();
  } else {
    return res.status(403).send('Unauthorized');
  }
};

app.delete('/account/:acountId', roleCheckMiddleware, (req, res) => {
  /* Delete account */
});

What is most important is to understand the why question. Why do you compare the permission against the database stored value? Why not against the front-end?

Unless you need the permission further, you could also execute an exists query.

Right, because front-end data can be manipulated by the user, so that is why we need to check the data from the database. But I thought the JWT token payload could not be manipulated, because if it were, I thought the whole token would change.

Sorry, what do you mean by an exists query?

This is true; still, I would prefer comparing against the database. It feels safer. Furthermore, if you ever include functionality which enables (super)admins to change the permissions of other users, and you then retrieve the permissions from the front-end request, people could still (temporarily) be able to execute actions even though their permission has been revoked.

If you merely need to check the permission, an exists query (which merely checks that a record exists) is sufficient; you don’t actually need to retrieve data from the database.
