NodeJS + Express: How to secure a URL

Question

I am using latest versions of NodeJS and ExpressJS (for MVC).

I usually configure my rest paths like this, for example:

app.get('/archive', routes.archive);

Now i want my /admin/* set of URLs to be secured, I mean I need just simple authentication, it's just a draft.

When a user tries to access, for example, /admin/posts, before sending him the corresponding view and data, I check for a req.session.authenticated. If it's not defined, I redirect to the login page.

Login page has a simple validation form, and a sign-in controller method: if user does send "right user" and "right password" I set the session variable and he's authenticated.

What I find difficult, or I don't understand, is how to actually make the "filter" code, I mean, the auth check, before every /admin/* path call.

Does this have something to do with "middleware" express functions?

Thank you

score 83 · Accepted Answer · answered Sep 05 '12 at 07:05

83

Yep, middleware is exactly what you want. A middleware function is just a function that works just like any other Express route handler, expept it gets run before your actual route handler. You could, for example, do something like this:

function requireLogin(req, res, next) {
  if (req.session.loggedIn) {
    next(); // allow the next route to run
  } else {
    // require the user to log in
    res.redirect("/login"); // or render a form, etc.
  }
}

// Automatically apply the `requireLogin` middleware to all
// routes starting with `/admin`
app.all("/admin/*", requireLogin, function(req, res, next) {
  next(); // if the middleware allowed us to get here,
          // just move on to the next route handler
});

app.get("/admin/posts", function(req, res) {
  // if we got here, the `app.all` call above has already
  // ensured that the user is logged in
});

You could specify requireLogin as a middleware to each of the routes you want to be protected, instead of using the app.all call with /admin/*, but doing it the way I show here ensures that you can't accidentally forget to add it to any page that starts with /admin.

answered Sep 05 '12 at 07:05

Michelle Tilley

157,729
40
374
311

3

wow.... so StackOverflow DOES work, sometimes! :D ehehe Thank you, it's exactly the kind of answer I expected. I will try in the afternoon and accept your excellent answer if all works. THX again – Fabio B. Sep 05 '12 at 07:11
Glad to help! Let us know if you have any further questions on this issue! ^_^ – Michelle Tilley Sep 05 '12 at 07:12
What is the difference with using token ? – Alexis Feb 09 '17 at 09:03
To implement the `/login` route, possible solutions are [here](https://stackoverflow.com/a/8003291/812973). – gregn3 Feb 21 '20 at 19:49
Where do I put this to make it available to various routes? – joshlsullivan Mar 28 '20 at 22:11

David Gatti · Answer 2 · 2015-12-05T19:06:01.627

A even simpler approach would be to add the following code in the App.js file.

var auth = function(req, res, next) {

    if(isAdmin) {

        return next();

    } else {

        return res.status(400)

    }
};

app.use('/admin', auth, apiDecrement);

As you can see the middleware is being attached to the route. Before ExpressJS goes forward, it executes the function that you passed as the second parameter.

With this solution you can make different checks before displaying the site to the end user.

Best.

score 0 · Answer 3 · answered Sep 05 '12 at 08:58

0

Like brandon, but you can also go the connect route

app.use('/admin', requireLogin)
app.use(app.router)

app.get('/admin/posts', /* middleware */)

answered Sep 05 '12 at 08:58

Jonathan Ong

19,927
17
79
118

NodeJS + Express: How to secure a URL

3 Answers3

Linked