This repo demonstrates how to use JWT token to protect service actions. It contains a ServiceGuard middleware and a guard service which implement this feature.
-
Generate JWT token for every service. Use the
call guard.generate --service myServicecommand in REPL to generate a JWT for a service. The received token put intoauthTokenproperty in service schema:module.exports = { name: "users", authToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXJ2aWNlIjoidXNlcnMiLCJpYXQiOjE1NDE4NTU0ODl9.td1P27_xpFv1P5_j0HLtMwyz-aRF9xQqjLHYIIHcKPE", ... }
In production you had better place it into environment variables like
USERS_AUTH_TOKENand useauthToken: process.env.USERS_AUTH_TOKENin schema -
Define restriction in action definition. If
restrictedproperty isnullor not defined it means the action can be called from every service.actions: { create: { // It can be called by "api" service restricted: [ "api" ], handler(ctx) {} }, list: { // It can be called by everyone. restricted: null, handler(ctx) {} }, posts: { // It can be called by "api" & "posts" service. restricted: [ "api", "posts" ], handler(ctx) {} } },
-
Add
ServiceGuardmiddleware tomoleculer.config.jsmodule.exports = { logger: true, logLevel: "info", middlewares: [ ServiceGuard ] };
Try the following command in REPL:
-
call users.create- throw error because it is called directly, not from theapiservice -
call users.list- returns "OK" because it is not restricted -
call users.posts- throw error because it is called directly, not fromapiorpostsservice -
call posts.createUser- throw error because it is called frompostsservice and not fromapiservice -
call posts.userPosts- returns "OK" because it is called frompostsservice. -
open http://localhost:3000/api/users/create in the browser - returns "OK" because it is called from the
apiservice.
# Install dependencies
npm install
# Start with REPL
npm run dev