Swagger RBAC middleware


Simple middleware with RBAC on JSON swagger document

{
  swagger: "2.0",
  produces: ["application/json"],
  host: "localhost:3001",
  basePath: "/v1",
  paths: {
    "/testfoo/:type/:id": {
      get: {
        tags: ["/foo"],
        rbac: ["group1"]
      }
    },
    "/testfoo/:foo/:foo/:foo": {
      get: {
        "x-swagger-router-controller": "foo",
        operationId: "fooControllerWithPage",
        tags: ["/foo"],
        rbac: ["group1"]
      }
    },
    "/testfoobar/:foo": {
      get: {
        "x-swagger-router-controller": "foobar",
        operationId: "foobarController",
        tags: ["/foobar"]
      }
    }
  }
}

If an RBAC role is defined on the route, the middleware matches it against what is defined in req.groups.


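const express = require("express"); // assumed: app is an Express application
const request = require("supertest"); // assumed: request is supertest

const app = express();

const swaggerDoc = {
  swagger: "2.0",
  produces: ["application/json"],
  host: "localhost:3001",
  basePath: "/v1",
  paths: {
    "/testfoo/:type/:id": {
      get: {
        tags: ["/foo"],
        rbac: ["group1"]
      }
    },
    "/testfoo/:foo/:foo/:foo": {
      get: {
        "x-swagger-router-controller": "foo",
        operationId: "fooControllerWithPage",
        tags: ["/foo"],
        rbac: ["group1"]
      }
    },
    "/testfoobar/:foo": {
      get: {
        "x-swagger-router-controller": "foobar",
        operationId: "foobarController",
        tags: ["/foobar"]
      }
    }
  }
};

// swaggerDocToConf comes from this package
const config = swaggerDocToConf(swaggerDoc);

app.use((req, res, next) => {
  req.groups = ["group1"]; // adding groups to req
  next(); // hand over to the next middleware
});

// setting middleware

app.get("/v1/testfoo/:foo/:foo", (req, res, next) => {
  res.sendStatus(200); // minimal handler body so the route responds
});

request(app)
  .get("/v1/testfoo/a/b") // constructed example path matching the route above
  .end((err, res) => {
    if (err) throw err;
  });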

For all endpoints that have no rbac defined, the middleware lets the request go through. Please check the tests for more examples.
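Because operations without an rbac list are let through, it helps to list them before a swagger document is deployed. The following is an added example, not part of this project's code: it walks a document shaped like the one above and reports every operation whose rbac entry is missing, empty, or not an array. The helper name `findUnprotectedOperations` and the sample document are assumptions made for illustration.

```javascript
// Added example, not part of the middleware. Operations with no rbac key pass
// through per the README; empty or malformed rbac values are flagged for review
// because the README does not say how the middleware handles them.
const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch"];

// Hypothetical helper: returns [{ method, path, reason }] in document order.
function findUnprotectedOperations(swaggerDoc) {
  const basePath = swaggerDoc.basePath || "";
  const findings = [];
  for (const [route, item] of Object.entries(swaggerDoc.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item && item[method];
      if (!op || typeof op !== "object") continue; // method not declared on this path
      let reason = null;
      if (!("rbac" in op)) reason = "no rbac key";
      else if (!Array.isArray(op.rbac)) reason = "rbac is not an array";
      else if (op.rbac.length === 0) reason = "rbac is empty";
      if (reason) {
        findings.push({ method: method.toUpperCase(), path: basePath + route, reason });
      }
    }
  }
  return findings;
}

// Constructed sample input, modelled on the document in this README.
const sampleDoc = {
  swagger: "2.0",
  basePath: "/v1",
  paths: {
    "/testfoo/:type/:id": { get: { tags: ["/foo"], rbac: ["group1"] } },
    "/testfoobar/:foo": { get: { tags: ["/foobar"] } },
    "/testfoo/:foo": { post: { tags: ["/foo"], rbac: [] } }
  }
};

for (const f of findUnprotectedOperations(sampleDoc)) {
  console.log(`${f.method} ${f.path}: ${f.reason}`);
}
```

Run as a CI step, a non-empty result can fail the build until each listed operation is either given an rbac list or explicitly accepted as public.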