Authentication Middleware (requireAuth)

The requireAuth middleware is used to protect API routes by validating JSON Web Tokens (JWT) and, optionally, enforcing permission-based access control. It ensures that only authenticated users — and, when required, users with specific permissions — can access protected endpoints.

Purpose

This middleware:

  • Verifies the presence and validity of an access token
  • Attaches the authenticated user context to the request
  • Optionally enforces permission checks on a per-route basis

It is implemented as a middleware factory, allowing each route to define its own permission requirements.

Usage

requireAuth()

Allows access to any authenticated user.

requireAuth(['permission-name'])

Restricts access to authenticated users who possess all specified permissions.

Authentication

The middleware extracts the access token from the incoming request and validates it using the configured JWT secret.

If the token is valid, the decoded payload is attached to the request as req.user for use in downstream handlers.

Permission Handling

  • If no permissions are specified, authentication alone is sufficient
  • If permissions are provided, the middleware checks the user’s permission list
  • Access is granted only if the user has all required permissions

Failure Responses

401 Unauthorized

Returned when the access token is missing, invalid, or cannot be verified.

{
    "data": "Unauthorized",
    "code": 401
}

403 Forbidden

Returned when the authenticated user lacks the required permissions.

{
    "data": "Forbidden",
    "code": 403
}

Notes
  • This middleware does not issue or refresh tokens; it only validates them
  • Permission checks assume the JWT payload contains a permission array
  • The attached req.user object should be treated as trusted only within protected routes