K
Kinde•4w ago
COACH

expressjs and protected routes with user roles

I am trying to find an example online of using express SDK and protecting routes for users with given roles. Is there anything out there?
2 Replies
Yoshify
Yoshify•4w ago
Hi Coach! I'll admit the Express SDK documentation doesn't quite document this use case well, so I'll flag it with the team. To start with, lets make sure you're getting roles included in your access token - to do this, you'll need to head to your Express app in the Kinde Dashboard, click Tokens and then click Customize under Access Token. Enable 'Roles (array)' and click save. Now in your Express app, I'll assume you've got it set up similar to how the starter kit has it set up - 
const config = {
  grantType: GrantType.AUTHORIZATION_CODE,
  clientId: process.env.KINDE_CLIENT_ID,
  issuerBaseUrl: process.env.KINDE_ISSUER_URL,
  siteUrl: process.env.KINDE_SITE_URL,
  secret: process.env.KINDE_CLIENT_SECRET,
  redirectUrl: process.env.KINDE_REDIRECT_URL,
  unAuthorisedUrl: process.env.KINDE_SITE_URL,
  postLogoutRedirectUrl: process.env.KINDE_POST_LOGOUT_REDIRECT_URL,
};

const client = setupKinde(config, app);
const config = {
  grantType: GrantType.AUTHORIZATION_CODE,
  clientId: process.env.KINDE_CLIENT_ID,
  issuerBaseUrl: process.env.KINDE_ISSUER_URL,
  siteUrl: process.env.KINDE_SITE_URL,
  secret: process.env.KINDE_CLIENT_SECRET,
  redirectUrl: process.env.KINDE_REDIRECT_URL,
  unAuthorisedUrl: process.env.KINDE_SITE_URL,
  postLogoutRedirectUrl: process.env.KINDE_POST_LOGOUT_REDIRECT_URL,
};

const client = setupKinde(config, app);
That client is the ticket we need to making this work! It'll allow us to use getClaim to retrieve the roles we've just added to the access token. We can also use it for getting permissions as well via client.getPermission and client.getPermissions if you're looking for that. Here's some example code for you: 
app.get("/admin", protectRoute, getUser, async (req, res) => {
  // The below code returns a shape that looks a bit like this:
  /*
    {
      name: 'roles',
      value: [
        {
          id: '<ROLE_ID>',
          key: 'test-role',
          name: 'Test Role'
        }
      ]
    }
  */
  const roles = await client.getClaim(req, "roles");

  // Do whatever we want with this information, like redirecting requests if the user doesn't have the right role
  const isAdmin = roles.value.some(role => role.key === "admin");

  if (!isAdmin) {
    res.redirect("/");
  }
  
  res.render("admin", {
    title: "Admin",
    user: req.user,
  });
});
app.get("/admin", protectRoute, getUser, async (req, res) => {
  // The below code returns a shape that looks a bit like this:
  /*
    {
      name: 'roles',
      value: [
        {
          id: '<ROLE_ID>',
          key: 'test-role',
          name: 'Test Role'
        }
      ]
    }
  */
  const roles = await client.getClaim(req, "roles");

  // Do whatever we want with this information, like redirecting requests if the user doesn't have the right role
  const isAdmin = roles.value.some(role => role.key === "admin");

  if (!isAdmin) {
    res.redirect("/");
  }
  
  res.render("admin", {
    title: "Admin",
    user: req.user,
  });
});
Please let me know if this helps you out 🙂
COACH
COACHOP•4w ago
Thanks! Will have a play with all this tomorrow.
Want results from more Discord servers?
Add your server