Permission middleware helps control who can access certain parts of a web app. It checks if a user has the right permissions before allowing them to continue.
Permission middleware in Express
Introduction
When you want to restrict access to admin-only pages.
When users should only see their own data, not others'.
When certain actions like deleting or editing need special rights.
When you want to protect sensitive routes from unauthorized users.
Syntax
Express
function permissionMiddleware(requiredPermission) {
  // Factory: returns the real middleware, so the required permission is fixed once per route.
  return function (req, res, next) {
    // req.user must already have been populated by the authentication step.
    const userPermissions = req.user?.permissions || [];
    if (userPermissions.includes(requiredPermission)) {
      next(); // permitted: hand the request to the next middleware or the route handler
    } else {
      res.status(403).send('Access denied'); // forbidden: end the chain here
    }
  };
}
The middleware is a function that returns another function to use in routes, so the required permission is chosen once per route and checked on every request to it.
It checks whether the user's permissions include the required one and, if so, calls next() to continue; otherwise it responds with 403 and the route handler never runs.
Examples
This route only allows users with 'admin' permission to access the admin page.
Express
app.get('/admin', permissionMiddleware('admin'), (req, res) => { res.send('Welcome Admin'); });
This route allows users with 'edit' permission to submit changes.
Express
app.post('/edit', permissionMiddleware('edit'), (req, res) => { res.send('Edit allowed'); });
Sample Program
This example sets up a simple Express server. It adds a mock user with 'read' and 'edit' permissions. The permission middleware checks if the user can access each route. The '/delete' route will deny access because the user lacks 'delete' permission.
Express
import express from 'express';

const app = express();

// Mock user data middleware: in a real app req.user comes from the
// authentication step (verified session or token), never from client input.
app.use((req, res, next) => {
  req.user = { permissions: ['read', 'edit'] };
  next();
});

function permissionMiddleware(requiredPermission) {
  return (req, res, next) => {
    const userPermissions = req.user?.permissions || [];
    if (userPermissions.includes(requiredPermission)) {
      next();
    } else {
      res.status(403).send('Access denied');
    }
  };
}

app.get('/read', permissionMiddleware('read'), (req, res) => {
  res.send('Reading content');
});

app.post('/edit', permissionMiddleware('edit'), (req, res) => {
  res.send('Editing content');
});

// The mock user lacks 'delete', so the middleware responds 403 and this
// handler is never reached; it does not need to deny access itself.
app.delete('/delete', permissionMiddleware('delete'), (req, res) => {
  res.send('Deleting content');
});

// Start server
app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});
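As an added example (not code from the original page), here is a hardened version of the same factory. It keeps the Express (req, res, next) signature but does not depend on Express, so it can be exercised against hand-built request and response objects without starting a server. It goes beyond the page's version in three ways: it answers 401 when there is no authenticated user and 403 only when an authenticated user lacks a permission, it accepts a list of permissions that must all be present, and it takes a hypothetical ownerOf option for routes where users may only see their own data. The names requirePermission, ownerOf, makeRes and run, and the users alice and bob, are all assumptions made for this example.

```javascript
// Added example: hardened permission middleware with the Express (req, res, next)
// signature, runnable without Express. All names here are illustrative.

function requirePermission(required, options = {}) {
  const needed = Array.isArray(required) ? required : [required];
  // Hypothetical option: a function that returns the owner id of the resource
  // addressed by this request. When given, the caller must be that owner.
  const { ownerOf } = options;

  return function (req, res, next) {
    const user = req.user;
    if (!user) {
      // No authenticated principal at all: 401, not 403.
      res.status(401).send('Authentication required');
      return;
    }
    const granted = new Set(Array.isArray(user.permissions) ? user.permissions : []);
    const missing = needed.filter((p) => !granted.has(p));
    if (missing.length > 0) {
      // Authenticated but not permitted: 403.
      res.status(403).send('Access denied');
      return;
    }
    if (ownerOf && ownerOf(req) !== user.id) {
      // Permitted in general, but this particular record belongs to someone else.
      res.status(403).send('Access denied');
      return;
    }
    next();
  };
}

// Minimal stand-in for an Express response so the middleware can run offline.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Runs one middleware against a constructed request and reports what happened.
function run(middleware, req) {
  const res = makeRes();
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return { reachedHandler, status: res.statusCode, body: res.body };
}

// Constructed sample users (not real data).
const alice = { id: 'u1', permissions: ['read', 'edit'] };
const bob = { id: 'u2', permissions: ['read'] };

// Exercises the factory in the cases the basic version cannot distinguish.
function demo() {
  const canEdit = requirePermission('edit');
  const canReadAndDelete = requirePermission(['read', 'delete']);
  const ownProfile = requirePermission('read', { ownerOf: (req) => req.params.userId });
  return {
    anonymous: run(canEdit, { params: {} }).status,                          // 401
    aliceEdit: run(canEdit, { user: alice, params: {} }).status,             // 200
    bobEdit: run(canEdit, { user: bob, params: {} }).status,                 // 403
    aliceDelete: run(canReadAndDelete, { user: alice, params: {} }).status,  // 403
    aliceOwn: run(ownProfile, { user: alice, params: { userId: 'u1' } }).status,   // 200
    aliceOther: run(ownProfile, { user: alice, params: { userId: 'u2' } }).status, // 403
  };
}

console.log(demo());
```

In a real application the ownerOf function would read the owner of the record being requested, for example from the database row or from a route parameter that has already been validated; comparing it against req.user.id is what turns a coarse "has 'read'" check into "may read this record". Note that the status code leaks nothing about other users' records beyond existence of the route itself, and the handler still never runs on a denied request.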
Important Notes
Always populate req.user before the permission middleware runs, and derive it from a verified session or token, never from values the client sends in the body, query string or headers.
Return 401 when there is no authenticated user and 403 when the user is authenticated but lacks the permission; the basic middleware above returns 403 in both cases because it treats a missing req.user as an empty permission list.
The same factory can be reused for different permissions by passing a different string; it must be listed before the handler it protects, since Express runs a route's middleware in order.
Summary
Permission middleware controls access based on user rights.
It checks user permissions before allowing route handlers to run.
Use it to protect sensitive or restricted parts of your app.