By Syed Rizwan

implementing-role-based-access-control-with-oauth-20-in-a-nodejs-application.html

Implementing Role-Based Access Control with OAuth 2.0 in a Node.js Application

In today's digital landscape, security is paramount. One of the most effective ways to manage user access is through Role-Based Access Control (RBAC) combined with OAuth 2.0. This article will guide you through implementing RBAC using OAuth 2.0 in a Node.js application, providing clear code examples, step-by-step instructions, and actionable insights.

What is Role-Based Access Control (RBAC)?

Role-Based Access Control (RBAC) is a security paradigm that restricts system access to authorized users based on their role within an organization. By defining roles and assigning permissions, RBAC simplifies access management while enhancing security.

Key Concepts of RBAC

  • Roles: Defined sets of permissions that correspond to job functions.
  • Permissions: Authorizations to perform specific operations (e.g., read, write, delete).
  • Users: Individuals assigned to roles, granting them the permissions associated with those roles.

What is OAuth 2.0?

OAuth 2.0 is an industry-standard protocol for authorizing access to resources without sharing user credentials. It allows third-party applications to access user data without exposing passwords, improving security and user experience.

Key Components of OAuth 2.0

  • Authorization Server: Issues access tokens to clients after successful authentication.
  • Resource Server: Hosts the protected resources and validates access tokens.
  • Client: The application requesting access on behalf of the user.
  • Resource Owner: The user who owns the data being accessed.

Use Cases for RBAC with OAuth 2.0

  • Enterprise Applications: Manage varying levels of access for employees based on their roles.
  • SaaS Platforms: Allow different access levels for admins, users, and guests.
  • APIs: Secure APIs by controlling access based on user roles.

Setting Up Your Node.js Application

Prerequisites

  • Node.js installed on your machine.
  • Basic knowledge of JavaScript and Express.js.
  • A MongoDB database (for storing user roles and permissions).

Project Initialization

  1. Create a New Node.js Project

bash mkdir rbac-oauth-node cd rbac-oauth-node npm init -y

  1. Install Required Packages

bash npm install express mongoose jsonwebtoken bcryptjs dotenv

Basic Application Structure

Create the following file structure:

rbac-oauth-node/
│
├── .env
├── app.js
├── models/
│   ├── User.js
│   └── Role.js
└── routes/
    └── auth.js

Configuring Environment Variables

Create a .env file for sensitive data:

JWT_SECRET=your_jwt_secret
MONGODB_URI=your_mongodb_uri

Defining Models

User Model (models/User.js)

const mongoose = require('mongoose');

const userSchema = new mongoose.Schema({
    username: { type: String, required: true, unique: true },
    password: { type: String, required: true },
    roles: [{ type: mongoose.Schema.Types.ObjectId, ref: 'Role' }]
});

module.exports = mongoose.model('User', userSchema);

Role Model (models/Role.js)

const mongoose = require('mongoose');

const roleSchema = new mongoose.Schema({
    name: { type: String, required: true, unique: true },
    permissions: [{ type: String }]
});

module.exports = mongoose.model('Role', roleSchema);

Setting Up JWT Authentication

Creating the Authentication Route (routes/auth.js)

const express = require('express');
const bcrypt = require('bcryptjs');
const jwt = require('jsonwebtoken');
const User = require('../models/User');
const Role = require('../models/Role');
const router = express.Router();

// Register a new user
router.post('/register', async (req, res) => {
    const { username, password, roles } = req.body;
    const hashedPassword = await bcrypt.hash(password, 10);
    const user = new User({ username, password: hashedPassword, roles });
    await user.save();
    res.status(201).send('User created');
});

// Login and issue a JWT token
router.post('/login', async (req, res) => {
    const { username, password } = req.body;
    const user = await User.findOne({ username });

    if (!user || !await bcrypt.compare(password, user.password)) {
        return res.status(401).send('Invalid credentials');
    }

    const token = jwt.sign({ id: user._id, roles: user.roles }, process.env.JWT_SECRET, { expiresIn: '1h' });
    res.json({ token });
});

module.exports = router;

Middleware for Role-Based Access Control

Create a middleware function to check user roles:

const jwt = require('jsonwebtoken');

function authorize(roles = []) {
    return (req, res, next) => {
        const token = req.headers['authorization']?.split(' ')[1];
        if (!token) return res.sendStatus(403);

        jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
            if (err) return res.sendStatus(403);
            req.user = user;

            // Check if the user's roles match the authorized roles
            if (roles.length && !roles.some(role => user.roles.includes(role))) {
                return res.sendStatus(403);
            }

            next();
        });
    };
}

Integrating Everything in app.js

const express = require('express');
const mongoose = require('mongoose');
const authRoutes = require('./routes/auth');
require('dotenv').config();

const app = express();
app.use(express.json());

mongoose.connect(process.env.MONGODB_URI, { useNewUrlParser: true, useUnifiedTopology: true });

app.use('/auth', authRoutes);

app.get('/admin', authorize(['admin']), (req, res) => {
    res.send('Hello Admin');
});

app.listen(3000, () => {
    console.log('Server is running on http://localhost:3000');
});

Testing Your Implementation

  1. Start Your Application

bash node app.js

  1. Register a New User

Use a tool like Postman to send a POST request to http://localhost:3000/auth/register with a JSON body:

json { "username": "testuser", "password": "password123", "roles": ["admin"] }

  1. Login to Obtain a Token

Send a POST request to http://localhost:3000/auth/login with the following JSON body:

json { "username": "testuser", "password": "password123" }

You should receive a JWT token in response.

  1. Access the Protected Route

Use the obtained token to access the /admin route by sending a GET request with the token in the Authorization header:

Authorization: Bearer <your_token>

Conclusion

Implementing Role-Based Access Control with OAuth 2.0 in a Node.js application provides a robust security framework. By following the steps outlined in this guide, you can enhance your application's security while managing user access efficiently. With the right roles and permissions in place, you can ensure that users have the appropriate level of access, thereby protecting your sensitive data and resources.

By incorporating best practices for coding, optimizing security, and leveraging tools like JWT and Express, you can create a secure and scalable application ready for production. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.