We are using express-gateway for our microservices. We have set up authentication using JWT. We want to verify the JWT, decode the payload, and set it to the req params.

This is our gateway.config.yml file

http:
  port: 8080
admin:
  port: 9876
  host: localhost
apiEndpoints:
  user:
    host: localhost
    paths: "/v1/users"
  product:
    host: localhost
    paths: "/v1/products"
serviceEndpoints:
  user:
    url: http://localhost:3001
  product:
    url: http://localhost:3000
policies:
- basic-auth
- key-auth
- cors
- expression
- log
- oauth2
- proxy
- rate-limit
- jwt
pipelines:
- name: default-1
  apiEndpoints:
  - user
  policies:
  - jwt:
    - action:
        secretOrPublicKey: privatekey
        checkCredentialExistence: 'false'
  - proxy:
    - action:
        serviceEndpoint: user
- name: default-2
  apiEndpoints:
  - product
  policies:
  - jwt:
    - action:
        secretOrPublicKey: privatekey
        checkCredentialExistence: 'false'
  - proxy:
    - action:
        serviceEndpoint: product

My JWT payload token looks like:

{
  "org": "1234567890",
  "siteID": "343434343",
  "expiry": "600"
}

After decoding and verifying the JWT signature, the gateway should set the payload information to the req as:

req.org = payload.org
req.siteId = payload.siteId

And this is passed to our underlying microservices. How do I do this? Should I set any more parameters in the gateway.config.yml file? Please advise. Thank you.

2 Answers

All you need to do is grab these properties from req.user — that's where the decoded payload is stored.

Vincenzo
  • I'm sorry, but this is not working for me. What do you think is the problem? The req.user is undefined when the request leaves express gateway. – Vahid Jan 29 '20 at 22:28

I don't know why the answer didn't work for me and when the request hit the serviceEndpoint there was no req.user.

After hours of hair pulling, I found this link: https://www.express-gateway.io/docs/policies/request-transformer/

It seems the req.user is not added by default, and it's required to use request-transformer and add it to the body or header as you wish. I really don't know if this is mentioned somewhere in the docs or not (I mean in the jwt section).

policies:
      -
        jwt:
          action:
            secretOrPublicKey: theKEY
            checkCredentialExistence: false
      -
        request-transformer:
          action:
            body:
              add:
                user: req.user

Edit: I'm using express-gateway 1.16.10

Vahid
  • That is on purpose. Express Gateway will never modify your request payload. If you want, you need to effectively add it explicitly. – Vincenzo Jan 30 '20 at 11:42
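
The verify-then-forward step discussed in the answers above, modelled in plain Node as an added example (it is not Express Gateway's code and not from either answer): claims reach the microservice only if something copies them onto the outgoing request after the signature check. The header names `x-org` and `x-site-id` and all function names are assumptions for illustration; the sample token is constructed from the payload in the question.

```javascript
// Added example: plain-Node model of "verify the JWT, then forward claims".
// Not Express Gateway code; header names x-org / x-site-id are assumptions.
const crypto = require('node:crypto');

const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (str) => JSON.parse(Buffer.from(str, 'base64url').toString('utf8'));

// Mint a constructed HS256 sample token (demo input only).
function signHS256(payload, secret) {
  const data = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  return `${data}.${hmac(data, secret).toString('base64url')}`;
}

// Return the payload if the signature checks out under HS256, else null.
function verifyHS256(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    if (dec(head).alg !== 'HS256') return null; // pin the algorithm
    const expected = hmac(`${head}.${body}`, secret);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length) return null;
    return crypto.timingSafeEqual(given, expected) ? dec(body) : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Headers the microservice receives: client-supplied copies of the claim
// headers are dropped, then set only from a verified payload.
function forwardHeaders(inbound, secret) {
  const out = {};
  for (const [name, value] of Object.entries(inbound)) {
    const key = name.toLowerCase();
    if (key !== 'x-org' && key !== 'x-site-id') out[key] = value;
  }
  const token = (out.authorization || '').replace(/^Bearer\s+/i, '');
  const claims = verifyHS256(token, secret);
  if (!claims) return null; // a gateway would answer 401 here
  out['x-org'] = String(claims.org);
  out['x-site-id'] = String(claims.siteID);
  return out;
}
```

A downstream service that reads these headers should accept traffic only from the gateway, since the headers carry no signature of their own.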