Implementing authorization

With authentication, we ensure that our application is being used by someone who holds valid credentials. In most of the applications you will build, you will find that different users have different permissions within the application. For example, a student might have permission to see their grades, but not to modify them, whereas a teacher can update grades and access other features that a student cannot.

We will implement authorization using another NPM module, express-jwt-permissions, which lets us add permission checks in a very simple way. Open the security-api.js file and apply the following changes:


const logIn = (username, password) => {
  // Only the admin credentials are accepted in this example
  if (username === 'admin' && password === 'admin') {

    // The permissions array is embedded in the JWT payload; express-jwt-permissions
    // reads this attribute later to decide which routes the caller may use
    let userData = {
      name: "Admin",
      permissions: ["admin:create:match", "admin:update:scores"]
    }

    // generateToken() is the JWT helper from the authentication section
    return generateToken(userData)

  } else {
    return null
  }

}

That's all! The library will look into the JWT and check whether it has a permissions attribute defined. If so, it will extract this information and restrict access to users who do not have the required admin permission. In the next section, we will implement the admin REST controller and see how access is restricted in more detail.

Having said that, we are ready to start the Admin API implementation!
