Verifying roles & authentication with Passport.js

Question

So I\'d like to make some routes in an API that will show different data based on the user role, defined in MongoDB. Here\'s a sampling of what I have right now, it works...

Answer 1

I would suggest that you use HTTP status codes and an error object, this is a common API convention and it allows your API users to know what's happening and why:

app.get('/premium-resource', function(req, res, next) {
  passport.authenticate('bearer', function(err, user) {
    if (user){
      if (user.role === 'premium'){
        return res.send(200,{userContent:'you are a premium user'});
      }else{
        return res.send(403,{
          'status': 403,
          'code': 1, // custom code that makes sense for your application
          'message': 'You are not a premium user',
          'moreInfo': 'https://myawesomeapi.io/upgrade'
        });
      }
    }else{
      return res.send(401,{
        'status': 401,
        'code': 2, // custom code that makes sense for your application
        'message': 'You are not authenticated.',
        'moreInfo': 'https://myawesomeapi.io/docs'
      });
    }
  })(req, res, next);
});

Disclaimer: I work at Stormpath and we put a lot of thought into API authentication and design, we have a really presentation on the topic:

https://stormpath.com/blog/designing-rest-json-apis/