I'm a fresher and I got a task. In our project, we have 7 roles, i.e.
Admin can access all APIs, but some of the APIs can be accessed by Admin and Moderator, or Admin or Insurer, or Admin or Investor, and so on. There might be 30+ permutations and combinations. Is there any simple way to do that? Any dynamic way to do it? Please help.
The code I wrote is this middleware:
// Each middleware checks the first role attached to the request.
// Note: toUpperCase must be called (toUpperCase()); comparing the function
// reference itself to a string is always false.
const isUser = (req, res, next) => {
  if (req.user && req.roles[0].toUpperCase() === 'USER') {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
const isInvestor = (req, res, next) => {
  if (req.user && req.roles[0].toUpperCase() === 'INVESTOR') {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
const isModerator = (req, res, next) => {
  if (req.user && req.roles[0].toUpperCase() === 'MODERATOR') {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
const isAdmin = (req, res, next) => {
  if (req.user && req.roles[0].toUpperCase() === 'ADMIN') {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
const isInsurer = (req, res, next) => {
  if (req.user && req.roles[0].toUpperCase() === 'INSURER') {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
const isNominee = (req, res, next) => {
  if (req.user && req.roles[0].toUpperCase() === 'NOMINEE') {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
const isAgent = (req, res, next) => {
  if (req.user && req.roles[0].toUpperCase() === 'AGENT') {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
const isLender = (req, res, next) => {
  if (req.user && req.roles[0].toUpperCase() === 'LENDER') {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
// Combined checks: one middleware per allowed combination of roles.
const isAdminOrInvestor = (req, res, next) => {
  const role = req.roles[0].toUpperCase();
  if (req.user && (role === 'INVESTOR' || role === 'ADMIN')) {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
const isAdminOrInsurer = (req, res, next) => {
  const role = req.roles[0].toUpperCase();
  if (req.user && (role === 'INSURER' || role === 'ADMIN')) {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
I had to structure a similar thing last month, and we did not have enough time to get clearance for another external npm package. So I wrote something like:
/* Roles.js */
// One place that says which routes each role may reach.
const roles = {
  "admin": ["route1", "route2", "route3", "route4", "route5"],
  "insurer": ["route4", "route5"],
  ...
};
And then in my middleware, I would check with something like:
/* middleware.js */
// getRoleFromUserId and getRoute are the answerer's own helpers (not shown).
// An unknown role yields undefined, so fall back to an empty list to deny
// rather than throw.
const canAccess = (req, res, next) => {
  const allowedRoutes = roles[getRoleFromUserId(req.user)] || [];
  if (allowedRoutes.includes(getRoute(req.body.url))) {
    next();
  } else {
    return res.status(401).send({
      message: `You don't have correct access`,
    });
  }
};
The cool thing about this is you can define roles later on. You can also take away access and give access pretty early.
Side note: when you're checking the user's role, always get the user's role from your database. Do not rely on the request unless you are using JWTs (which I highly recommend).
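The same idea as a single middleware factory, added here as an example that is not part of the question or the answer above: `authorize(...roles)` replaces the per-combination functions, a route-to-roles table drives the lookup, role names are normalised once, a missing or unmapped role or route is denied (fail closed), and the roles are read from `req.user` as set by the authentication step rather than from the request body. The table contents, the `runCheck` harness and the use of 403 (authenticated but not permitted) are assumptions for the example.

```javascript
// Added example, not the project's code. Constructed route -> allowed-roles table.
const ROUTE_PERMISSIONS = {
  'GET /claims': ['ADMIN', 'INSURER', 'MODERATOR'],
  'POST /investments': ['ADMIN', 'INVESTOR'],
  'DELETE /users': ['ADMIN'],
};

// True when the user holds at least one of the allowed roles (case-insensitive).
function hasAnyRole(userRoles, allowedRoles) {
  if (!Array.isArray(userRoles) || userRoles.length === 0) return false;
  const allowed = new Set(allowedRoles.map((r) => String(r).toUpperCase()));
  return userRoles.some((r) => allowed.has(String(r).toUpperCase()));
}

// Factory: authorize('ADMIN', 'INVESTOR') returns one Express-style middleware,
// so every role combination is a call, not a hand-written function.
function authorize(...allowedRoles) {
  return (req, res, next) => {
    // req.user.roles is assumed to be attached by the authentication middleware.
    const userRoles = req.user && req.user.roles;
    if (hasAnyRole(userRoles, allowedRoles)) return next();
    return res.status(403).send({ message: "You don't have correct access" });
  };
}

// Table-driven variant: look the current route up; unmapped routes are denied.
function authorizeByTable(table = ROUTE_PERMISSIONS) {
  return (req, res, next) => {
    const key = `${req.method.toUpperCase()} ${req.path}`;
    const allowed = table[key];
    if (!allowed) return res.status(403).send({ message: 'Route not registered' });
    return authorize(...allowed)(req, res, next);
  };
}

// Test harness: run a middleware against a constructed request and report
// whether next() was called and which status was set (200 if none).
function runCheck(middleware, method, path, roles) {
  const req = { method, path, user: roles === null ? undefined : { roles } };
  let status = 200;
  let allowed = false;
  const res = {
    status(code) { status = code; return this; },
    send() { return this; },
  };
  middleware(req, res, () => { allowed = true; });
  return { allowed, status };
}
```

In a real app the same `authorize(...)` or `authorizeByTable()` is mounted with `app.use` or per route after the authentication middleware that populates `req.user`.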