This project demonstrates how to implement Role-Based Access Control (RBAC) and JWT Authentication in an Express.js application. It includes roles such as Admin, Editor, and Viewer, each with different levels of access to resources. The project uses JWT for secure authentication, and RBAC to control access based on user roles.
- Prerequisites
- Installation
- Running the Application
- API Endpoints
- Testing the Application with Postman
- Scripts in package.json
- Conclusion
Before you begin, ensure you have the following installed:
- Node.js (Recommended LTS version)
- Yarn (Package Manager)
You can install these by following the links below:
To get started, follow these steps:
- Clone this repository to your local machine:
  git clone https://github.com/programmerShinobi/express-rbac-jwt-auth.git
- Navigate into the project directory:
  cd express-rbac-jwt-auth
- Install the project dependencies:
  yarn install
To start the application in development mode, use:
yarn dev
This will run the application on http://localhost:5000 using nodemon, which automatically restarts the server on file changes.
For production mode, use:
yarn start
This runs the app without automatic restarts (uses node instead of nodemon).
Here’s a list of available API endpoints and their expected behavior:
- POST /auth/register: Register a new user (Admin, Editor, or Viewer).
- POST /auth/login: Log in to get a JWT token.
- GET /resource: Get all resources (accessible by Admin, Editor, and Viewer).
- POST /resource: Create a new resource (accessible by Admin and Editor).
- PUT /resource/:id: Update a resource (accessible by Admin and Editor).
- DELETE /resource/:id: Delete a resource (accessible by Admin).
To log in and obtain a JWT token:
- Method: POST
- URL: /auth/login
- Body (JSON): { "username": "admin", "password": "adminpassword" }
Expected Response:
{
"token": "your_jwt_token_here"
}
Once you have the JWT token, you can access protected routes by including it in the Authorization header.
For example, to GET all resources:
- Method: GET
- URL: /resource/
- Headers: Authorization: Bearer your_jwt_token_here
Expected Response:
{
"message": "Resource available",
"resources": [
{ "id": 1, "name": "Resource 1" },
{ "id": 2, "name": "Resource 2" }
]
}
To create a new resource:
- Method: POST
- URL: /resource/
- Headers: Authorization: Bearer your_jwt_token_here
- Body (form-data): name: New Resource
Expected Response:
{
"message": "Resource created",
"resource": { "id": 3, "name": "New Resource" }
}
To update a resource:
- Method: PUT
- URL: /resource/1
- Headers: Authorization: Bearer your_jwt_token_here
- Body (form-data): name: Updated Resource
Expected Response:
{
"message": "Resource updated",
"resource": { "id": 1, "name": "Updated Resource" }
}
To delete a resource:
- Method: DELETE
- URL: /resource/1
- Headers: Authorization: Bearer your_jwt_token_here
Expected Response:
{
"message": "Resource deleted"
}
- Admin: Full access to all routes (GET, POST, PUT, DELETE).
- Editor: Can access GET, POST, and PUT routes, but not DELETE.
- Viewer: Can only access the GET route.
To start the application, run:
yarn dev
This will start the server with nodemon for automatic restarts during development.
This project demonstrates how to implement Role-Based Access Control (RBAC) and JWT Authentication in an Express.js application. The RBAC system provides different levels of access to resources, and JWT ensures secure authentication.