Node.js with TSOA and Authentication - (Part 1) The objective
This article kicks off a series on securing my endpoints with TSOA in Node.js. In this first article, I define the objective and the fundamental principles.
We want to secure a Node.js Express application with TSOA so that each endpoint can only be reached by the user groups we define for it. I also want the security requirement of an endpoint to be declared in a single line.
That single line looks like this:
@Security('jwt', ['ADMIN'])
To make it clearer, here is a code snippet of a controller with a secure endpoint for administrators only:
@Route('securedRoute')
export class SomeController extends Controller {
  @Post()
  @Security('jwt', ['ADMIN'])
  public async post(@Request() req: AuthenticatedRequest): Promise<void> {
    // Only "Scope.ADMIN" can access this endpoint
  }
}
The Approach
To achieve the stated goal, we need to take some precautions. To keep track of everything, I'll summarise the key points:
- Communication with the users of the interface is secured with tokens following the RFC 7519 standard, JSON Web Token (JWT).
- We issue and sign the JWTs ourselves, so that we can verify a presented token is genuine and has not been tampered with.
- Authentication grants us access to the authenticated user within the application code, allowing us to process this information further – for example, by creating a changelog that details who changed what and when.
- We ensure easy testability of the security measures. This means using a Vitest helper to verify an endpoint's security requirements in a single line of code.
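As an added illustration of what has to sit behind `@Security('jwt', ['ADMIN'])` (this is example code, not code from the article or from the TSOA project): TSOA resolves every `@Security` decorator by calling an `expressAuthentication(request, securityName, scopes)` function that the application provides, and the value it resolves to is what the controller later sees on the request. The sketch below implements that hook with Node's built-in crypto instead of a JWT library; the secret, the `scopes` claim name and the minimal request type are assumptions made for this example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed secret for this example; a real deployment loads it from configuration.
const JWT_SECRET = "example-signing-secret-not-for-production";

interface JwtClaims { sub: string; scopes: string[]; exp?: number; }
// Only the header we need; TSOA passes the full express.Request here.
interface MinimalRequest { headers: Record<string, string | undefined>; }

const b64url = (s: string) => Buffer.from(s).toString("base64url");

// Issue an HS256-signed RFC 7519 token: because we sign it ourselves, we can later prove it is untampered.
function signJwt(claims: JwtClaims, secret: string): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Verify signature and expiry, then return the claims. Any alg other than HS256 is rejected outright.
function verifyJwt(token: string, secret: string, now = Math.floor(Date.now() / 1000)): JwtClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as JwtClaims;
  if (claims.exp !== undefined && claims.exp <= now) throw new Error("token expired");
  if (!Array.isArray(claims.scopes)) throw new Error("scopes claim missing");
  return claims;
}

// Synchronous core of the check: bearer token present, signature valid, every requested scope granted.
function authorize(request: MinimalRequest, securityName: string, scopes: string[] = []): JwtClaims {
  if (securityName !== "jwt") throw new Error(`unknown security scheme: ${securityName}`);
  const auth = request.headers["authorization"] ?? "";
  if (!auth.startsWith("Bearer ")) throw new Error("missing bearer token");
  const claims = verifyJwt(auth.slice("Bearer ".length), JWT_SECRET);
  const missing = scopes.filter((s) => !claims.scopes.includes(s));
  if (missing.length > 0) throw new Error(`missing scope(s): ${missing.join(", ")}`);
  return claims;
}

// The hook TSOA calls for every @Security('jwt', [...]) endpoint; a rejection becomes a 401/403 response.
async function expressAuthentication(request: MinimalRequest, securityName: string, scopes?: string[]): Promise<JwtClaims> {
  return authorize(request, securityName, scopes);
}
```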
The whole thing will only work once all of its parts are complete and correctly assembled. They will be covered in a series of articles (an experiment of mine in presenting content this way: I will add links to each subsequent article to the ones before it).
The next article begins with the basic setup.