It is essential to verify that the user who is logged in has permission to access their own data.
To ensure this, you can cross-check the user information stored in the token with the requested page. To achieve this, encode the user ID within the JWT token. This measure guarantees that the parameter hasn't been tampered with as jwt.verify will fail if any unauthorized modifications are detected in the JWT token without possessing the secret key.
Include the necessary data in the JWT token when you sign it:
jwt.sign({
userId: 'username'
}, 'secret', { expiresIn: '1h' });
If you store the same data as the serializeUser\deserializeUser function result, it should function correctly (the use of 'username' is just a suggestion).
You can utilize the callback from jwt.verify to extract the decoded token and access the required data
const jwt = require('jsonwebtoken');
module.exports = (req, res, next) => {
try {
const token = req.headers.authorization.split(' ')[1];
jwt.verify(token, 'app_secret_token', (err, decoded) => {
if (err) { throw err; }
const currentUsername = decoded.userId; // <-- make sure this aligns with the encoded data in the jwt token
// If the user making the request differs from the user in the token,
// reject the request due to authentication failure
if (req.originalUrl.includes('/currentUser/') &&
!req.originalUrl.includes(`/currentUser/${currentUsername}`)) {
throw new Error('access to other user data denied');
}
next();
});
} catch (error) {
res.status(401).json({
message: 'Authentication failed!'
});
}
};
Although combining this into two separate middlewares might be a feasible approach :-)
PS - as @anand-undavia mentioned, it might be more secure to ascertain the user's request based on the JWT token itself rather than solely relying on the 'url'. This way, each user would have exclusive access to their designated data, thereby eliminating potential issues entirely.
In essence, the user's details can be obtained using the aforementioned method (extracting it from the token), or through a req.user attribute if there is middleware in place that automatically adds it.