Add authentication (JWT, OAuth), authorization (RBAC), audit logging for all flag changes, data encryption, and compliance documentation. Support API keys for SDKs. By the end, the service meets enterprise security requirements.
Install: npm install jsonwebtoken @types/jsonwebtoken
Create src/middleware/auth.ts:
import { Request, Response, NextFunction } from 'express';
import jwt from 'jsonwebtoken';
/**
 * Express request carrying the identity established by `authMiddleware`.
 * `user` is only set after that middleware has verified the bearer token,
 * so downstream handlers must treat it as optional.
 */
export interface AuthenticatedRequest extends Request {
  // Populated from the verified JWT payload; `role` is what `requireRole` compares.
  user?: { id: string; email: string; role: string };
}
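/**
 * Verifies the `Authorization: Bearer <jwt>` header and attaches the token's
 * claims to `req.user`.
 *
 * Responds 401 when the header is missing, uses a scheme other than Bearer,
 * or the token fails verification or lacks the expected claims. Responds 500
 * when `JWT_SECRET` is not configured: the service fails closed instead of
 * falling back to a well-known default secret that would let anyone mint
 * valid tokens.
 *
 * @param req - incoming request; `req.user` is set on success
 * @param res - used to send the 401/500 rejection
 * @param next - called only when the token is valid
 */
export function authMiddleware(
  req: AuthenticatedRequest,
  res: Response,
  next: NextFunction
) {
  // Accept only the Bearer scheme (RFC 6750); a bare token or another scheme is rejected.
  const [scheme, token] = req.headers.authorization?.split(' ') ?? [];
  if (scheme !== 'Bearer' || !token) {
    return res.status(401).json({ error: 'Unauthorized' });
  }

  // No fallback secret: a missing JWT_SECRET is a deployment error, not a
  // reason to accept tokens signed with a hard-coded value.
  const secret = process.env.JWT_SECRET;
  if (!secret) {
    return res.status(500).json({ error: 'Server misconfigured' });
  }

  try {
    // Pin the algorithm so the token header cannot choose a different one.
    // HS256 is jwt.sign's default for a string secret; adjust if the sign side differs.
    const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
    // Validate the payload shape instead of `as any`: a structurally wrong
    // token must not become a half-populated `req.user`.
    if (!isUserClaims(decoded)) {
      return res.status(401).json({ error: 'Invalid token' });
    }
    // Copy only the fields the app relies on; other claims (exp, iat, ...) stay off req.user.
    req.user = { id: decoded.id, email: decoded.email, role: decoded.role };
    next();
  } catch {
    // Covers signature mismatch, expiry and malformed tokens alike.
    res.status(401).json({ error: 'Invalid token' });
  }
}

/**
 * Narrows a verified JWT payload to the claims this service stores on `req.user`.
 * Claim names `id`/`email`/`role` are assumed to match what the sign side emits
 * (they mirror the `user` shape on AuthenticatedRequest) — confirm against the issuer.
 */
function isUserClaims(
  payload: unknown
): payload is { id: string; email: string; role: string } {
  if (typeof payload !== 'object' || payload === null) {
    return false;
  }
  const claims = payload as Record<string, unknown>;
  return (
    typeof claims.id === 'string' &&
    typeof claims.email === 'string' &&
    typeof claims.role === 'string'
  );
}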
/**
 * Builds a middleware that lets the request through only when the
 * authenticated user holds `role`. Users with the `admin` role always pass.
 *
 * Must run after `authMiddleware`; without `req.user` the request is
 * rejected with 403.
 *
 * @param role - the role required for the guarded route
 * @returns an Express middleware enforcing that role
 */
export function requireRole(role: string) {
  return (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
    const currentRole = req.user?.role;
    const permitted = currentRole === role || currentRole === 'admin';
    if (permitted) {
      return next();
    }
    return res.status(403).json({ error: 'Forbidden' });
  };
}