Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

node.js - Passing multiple scope (ACL) middlewares to routes only tests for the first scope

My application is supposed to have 3 user scopes (User, Admin, Super Admin). I am trying to do this manually without using any external ACL library.

Here are my admin and super admin scope functions.

// Both checks assume passport.authenticate('jwt', ...) ran earlier in the
// chain and set req.user from the verified token payload.
const adminScope = (req, res, next) => {
    // Reject unless the user's scope is exactly 'admin'
    if (req.user.scope !== 'admin') {
        return res.status(403).send({
            status: 'fail',
            message: 'You are not admin'
        })
    }
    next();
}


const superAdminScope = (req, res, next) => {
    // Reject unless the user's scope is exactly 'superAdmin'
    if (req.user.scope !== 'superAdmin') {
        return res.status(403).send({
            status: 'fail',
            message: 'You are not Super Admin'
        })
    }
    next();
}

I am trying to use these with my routes as below

app.use('/admin', [passport.authenticate('jwt', { session: false }), adminScope], [adminPage])

The above works fine and checks if the scope of the user is admin or not.

I want all the routes in adminPages to be accessible by both Admins and Super Admins.

I tried passing superAdminScope as a third middleware.

app.use('/admin', [passport.authenticate('jwt', { session: false }), adminScope, superAdminScope], [adminPage])

It fails after checking just the adminScope function and says

{
  status: "fail",
  message: "You are not admin"
}

I also tried passing both of them as an array, but got the same output.

app.use('/admin', [passport.authenticate('jwt', { session: false }), [adminScope, superAdminScope]], [adminPage])
Question from: https://stackoverflow.com/questions/65641978/passing-multiple-scope-acl-middlewares-to-routes-are-only-testing-for-the-firs

Whoever fights monsters for too long becomes a monster himself; gaze too long into the abyss, and the abyss gazes back…

1 Reply

Solved it using this tutorial.

Instead of having separate functions for admin and superAdmin, I created a function to check for it.

const checkForScope = (...scopes) => (req, res, next) => {
    // passport.authenticate should already have populated req.user;
    // if it did not, there is no authenticated principal to authorize.
    // (401 would be the conventional status for this case; the original uses 403.)
    if (!req.user) {
        return res.status(403).send({
            status: 'fail',
            message: 'You are not logged in'
        })
    }

    // Allow-list check: the user's single scope must be one of the listed scopes.
    const hasScope = scopes.includes(req.user.scope)

    if (!hasScope) {
        return res.status(403).send({
            status: 'fail',
            message: 'You dont have the rights to do this'
        })
    }

    return next();
}

And then I can use this function as middleware in Express.

app.use('/admin', [passport.authenticate('jwt', { session: false }), checkForScope('admin', 'superAdmin')], [adminPage])

This will only allow users access to the routes if they have either admin or superAdmin scope.

I'm not sure if this is the best way to do this, but it's working.


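The following is an added example, not code from the question or the answer above. It reproduces both in one stand-alone Node script, without Express: the question's chained checks (which amount to "admin AND superAdmin", a condition no single user can meet) and the answer's variadic check ("admin OR superAdmin"). `runChain` is a hypothetical stand-in for Express's sequential middleware dispatch, and the sample requests are constructed to look like what passport-jwt leaves on `req.user`. Two details are this example's own choices rather than the answer's: a missing `req.user` gets 401 instead of 403, and the allow-list test uses `Array.prototype.includes`.

```javascript
// Added example: a stand-alone Node script (no Express needed) that reproduces
// the behaviour in the question and the fix in the answer. runChain() is a
// hypothetical stand-in for Express's router; the sample requests are constructed.

// The question's two checks, as posted. Each one rejects unless the scope
// matches exactly, so running both in sequence means "admin AND superAdmin".
const adminScope = (req, res, next) => {
  if (req.user.scope !== 'admin') {
    return res.status(403).send({ status: 'fail', message: 'You are not admin' });
  }
  next();
};

const superAdminScope = (req, res, next) => {
  if (req.user.scope !== 'superAdmin') {
    return res.status(403).send({ status: 'fail', message: 'You are not Super Admin' });
  }
  next();
};

// The answer's variadic check ("admin OR superAdmin"), with two adjustments
// that are this example's choices, not the answer's: a missing req.user
// returns 401 (unauthenticated) rather than 403, and the allow-list test
// uses Array.prototype.includes. Deny by default: anything not listed is 403.
const checkForScope = (...scopes) => (req, res, next) => {
  if (!req.user) {
    return res.status(401).send({ status: 'fail', message: 'You are not logged in' });
  }
  if (!scopes.includes(req.user.scope)) {
    return res.status(403).send({ status: 'fail', message: 'You dont have the rights to do this' });
  }
  return next();
};

// Hypothetical mini-router: calls each middleware in order with a mock res,
// the way app.use('/admin', [mw1, mw2], handler) does, and stops at the first
// middleware that responds without calling next(). Synchronous only.
function runChain(middlewares, req) {
  const result = { status: 200, body: null, reachedHandler: false };
  const res = {
    status(code) { result.status = code; return res; },
    send(body) { result.body = body; return res; },
  };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) {
      mw(req, res, next);
    } else {
      result.reachedHandler = true; // the route handler (adminPage) was reached
    }
  };
  next();
  return result;
}

// Constructed sample requests, shaped like what passport-jwt leaves on req.user.
const asAdmin = { user: { scope: 'admin' } };
const asSuperAdmin = { user: { scope: 'superAdmin' } };
const asUser = { user: { scope: 'user' } };
const anonymous = {};

// Chained (AND) version from the question: nobody gets through.
const chained = [adminScope, superAdminScope];
// Either-of (OR) version from the answer.
const eitherAdmin = [checkForScope('admin', 'superAdmin')];

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, req] of [['admin', asAdmin], ['superAdmin', asSuperAdmin]]) {
    console.log('chained,', label, '->', JSON.stringify(runChain(chained, req)));
  }
  const all = [['admin', asAdmin], ['superAdmin', asSuperAdmin], ['user', asUser], ['anonymous', anonymous]];
  for (const [label, req] of all) {
    console.log('checkForScope,', label, '->', JSON.stringify(runChain(eitherAdmin, req)));
  }
}
```

Run it with `node` to see the two outcomes side by side: with the chained version an admin is rejected by `superAdminScope` and a super admin by `adminScope`, which is exactly the "only the first scope is tested" symptom in the question, while `checkForScope('admin', 'superAdmin')` lets both through and rejects everyone else. The check is only as trustworthy as `req.user.scope`, so it must be set by the `passport.authenticate('jwt', ...)` step from the verified token, never from anything the client can write directly.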