0

I am creating routes in node js . I am creating routes for dashboard.

  1. User login and get the JWT token.
  2. By sending Token,User can access some route related to user(edit,delete,logout route etc).
  3. But For admin, I want to create the routes which can see the list of users,edit or remove users,check the logout time of users.I have also set the flag in table to identify the person is user or Admin.

How will be authenticate routes for Admins on backend side?

Denzil Soans
  • 667
  • 1
  • 7
  • 27
Sharad kumar
  • 187
  • 2
  • 14

2 Answers2

4

You can be inspired by this logic, And no further explanation can be given here. follow steps (It may help):

First) define role field into DB mongoDB or Mysql (for example):

enum: ['user', 'admin']

Second) create a function checkRole(role) for check role after signin and verify jwt, then get user

Third) create separate route for admin panel (for example):

router.route('/admin-panel').use(authController.checkRole('admin'))
Mohammad Oftadeh
  • 1,410
  • 1
  • 4
  • 11
  • but what is stopping `user` from becoming `admin` ?? a normal user can also choose themself to become as a admin. – rickster Dec 06 '21 at 14:02
1

You can put your authorization flag in your JWT. When a user logs in, your server generates corresponding JWT, in which included authentication info(i.e. userId). You can put additional authorization info in the token(i.e. auth).

Based on the auth field, your server can identify whether the request is sent by a general user or an admin. Of course, securing the JWT from hijacking is an another story.

cadenzah
  • 928
  • 3
  • 10
  • 23
  • You mean to say implement the Basic Auth. Send the header with the request.Send (Authname and password) from the front end. Is it secure? – Sharad kumar May 12 '20 at 03:31
  • For storing jwt .I am using http cookie. Is it safe? – Sharad kumar May 12 '20 at 03:32
  • 1
    @Sharadkumar These posts - [1](https://stackoverflow.com/q/27067251/2873538), [2](https://stackoverflow.com/q/34817617/2873538) discuss safe storage of JWT / Auth tokens. – Ajeet Shah May 13 '20 at 05:18
  • @Sharadkumar Speaking of sending password in plain text, you should do it via HTTPS connection. – cadenzah May 14 '20 at 05:13