Some routes need protection, some routes are ok for public access, but still need UserID #197

Open
apprithm opened this issue Jun 29, 2018 · 3 comments

apprithm commented Jun 29, 2018

Hi all,

I have the following scenarios:

  1. Route /profile requires the user to have the token. If there is no token, return 401.
  2. Route /feed allows public access, but if the user sends a token in the header, it will return additional information (specific to this user) in the response.

Will the following code give me the expected result without side effects? Is this a good practice? Or should I add each case to a specific route in the routes file?

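var unProtected = [
    '/feed'
]
// Require a valid token on every route except the ones listed in unProtected
app.use(expressJwt({secret: config.secret}).unless({path: unProtected}))
// Then parse a token if one is sent, without requiring it
app.use(expressJwt({secret: config.secret, credentialsRequired: false}))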

So far, I have tested the code with those 2 routes and it's working well.
But I have many more routes and I haven't tested them one by one yet.

@johnfrades

Following. Also need this kind of thing.

crinitic commented Sep 10, 2018

johnfrades commented Sep 10, 2018

I've solved it by creating this middleware

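// Predicate for .unless({custom}): returning true skips express-jwt for this request.
const looselyAuthenticatedMiddleware = (req): boolean => {
    const token = req.headers.authorization;
    if (token) {
        // A token was sent: do not skip, so express-jwt verifies it and sets req.user
        return false;
    } else {
        // No token: skip express-jwt so the route stays publicly accessible
        return true;
    }
}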

const looseAuthenticatedRoute = jwt({ secret: config.secret }).unless({custom: looselyAuthenticatedMiddleware});

Just pass the "looseAuthenticatedRoute" middleware on the route that you want to be open for 2 use cases:

  1. Still be able to access the route even if there's no token
  2. If there's a token, there will be a value inside "req.user"
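
Added example, not part of the thread and not express-jwt's own code: a dependency-free stand-in for the two modes discussed above (token required, as for /profile, and token optional, as for /feed), showing that an optional-auth route still answers 401 when a token is present but invalid. The names `sign`, `verify`, `auth` and `run` and the HS256-only check are assumptions made for the illustration.

```javascript
// Added example: stand-in for required vs. optional JWT middleware (HS256 only).
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed helper: mints sample HS256 tokens for the demo.
function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = b64url(crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest());
  return `${head}.${body}.${sig}`;
}

// Returns the payload, or throws on a malformed, wrong-alg, forged or expired token.
function verify(token, secret) {
  const [head, body, sig, ...rest] = token.split('.');
  if (!head || !body || !sig || rest.length) throw new Error('malformed token');
  if (JSON.parse(Buffer.from(head, 'base64')).alg !== 'HS256') throw new Error('unexpected alg');
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64'); // Node's base64 decoder also accepts the URL-safe alphabet
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) throw new Error('bad signature');
  const payload = JSON.parse(Buffer.from(body, 'base64'));
  if (payload.exp && payload.exp * 1000 < Date.now()) throw new Error('expired');
  return payload;
}

// Express-style middleware factory. credentialsRequired=false makes the token optional,
// but a token that is present and invalid is rejected, never downgraded to anonymous.
function auth({ secret, credentialsRequired = true }) {
  return (req, res, next) => {
    const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
    if (!m) return credentialsRequired ? res.status(401).end() : next();
    try { req.user = verify(m[1], secret); } catch (e) { return res.status(401).end(); }
    next();
  };
}

// Drives one middleware with a fake req/res and reports the status and req.user.
function run(mw, authorization) {
  const req = { headers: authorization ? { authorization } : {} };
  const out = { status: 200, user: undefined };
  const res = { status(c) { out.status = c; return this; }, end() {} };
  mw(req, res, () => { out.user = req.user; });
  return out;
}
```

In a route file the two variants would be attached per route, so that handlers behind the optional variant treat `req.user` as possibly undefined.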
