Applying Security to your NodeJS pages

You can apply security to your pages and redirect users who are not logged in or have no permissions to view a specific page.

Security Protection with NodeJS

Security Provider setup with NodeJS is similar to what you are used to do for the other server models (PHP / ASP / ASP.NET), the different in the workflow is the way you restrict access on the pages. For PHP, ASP and ASP.NET you would do this using the Security Enforcer on the page, while with NodeJS you apply the restrictions on the Server Side, in a Server Action.

Server Side

First we need to setup the Server Side part.
We already created the normal server action required for a login system like login and logout. We also crated a server action called user which will be used to restrict our pages. It contains a database connection and a database query, so nothing unusual:

First let’s add the Security Provider to our server action. Right click the database connection step:

And add the Security Provider:

Set up your security provider as you usually do. We are using a database security provider in our example:

That’s how we set it up:

So just setup your security provider as you need it.

Right click the Security Provider step:

And add Security Restrict:

Select any permission if needed / if you created some, or just leave this field empty:

Then select the URL where the users who are not logged in should be redirected to:

We click the routes picker and select the login page, which we have already created:

Then select the URL where the users who are not authorized should be redirected to:

We click the routes picker and select the unauthorized page, which we have already created:

Save your server action:

Page Setup

Now open the Pages Manager and select the page which you want to protect:

Select App and click the Select Server Action in the Server Side Data options:

Select the server action called user which we just created:

Save your page and you are done:

That’s how to restrict access to your NodeJS pages.


Thanks for this @Teodor, with this restrict would this not display any of the protected page / layouts html or would it essentially show it and render it and then redirect (quicker than the human eye) but would technically still be accessible (obviously anything in the server connect would be protected I imagine)


No, it won’t load the route if the user is not authorized or not logged in.

1 Like

Thanks for the confirmation @Teodor looking forward to getting stuck into the Node side of things I have been learning about it to get my head around it for when I jump in to using it in Wappler.

1 Like

will this work in a similar manner for SPA?

Yes :slight_smile:


I can’t save the security provider.

Windows 10
Wappler v3.0.0. beta-6.

Solved in rc4

After logging in I am returned to the login screen.
If I use the wrong credentials i get a warning, so it seems like it’s accepting my login

Agron2 not a possibility for password hashing anymore ?

Argon2 algorithm is only available in PHP.

2 posts were split to a new topic: Error with authentication in NodeJS

I continue to test work with nodejs projects. I decided to try to configure security for the nodejs project. But I ran into a problem.

The manual shows:

I created a new project. And what does the page settings look like for me:

How do I access server actions as shown in the guide?

Perhaps you are running into this?

Hi Ken

Yes, I’ve already discovered that it’s because of the layout. I came across this topic, where the same situation is discussed: Problems following Node.js "Applying Security" Tutorial/Docs

In my case, as in the topic above, I did not create the layout at all, because I plan to create a classic multi-page application. Which raises the question, is it even possible to fully work with nodejs without using layouts?

The system of layouts and approach in building applications on nodejs in the current form, this is basically the concept of SPA.

What if you don’t need a SPA, but a classic multi-page application?

Using node layout and content pages doesn mean you should be building SPA pages…
Layouts are really useful for reusing your navbar/footer etc across your content pages.


Hello, when selecting “Permissions” in “Restrict Properties”: If I select more than one, does it mean that the logged user has to have both permissions? (that’s how it seems to be working now)

Is there a way to make the enforcer pass if the logged user has either of the selected permissions?


Yes, all permissions listed are required.

You’ll need to redesign your model to adhere to this behavior.

This is an old tutorial but the principal is the same, you need to use two tables, one for user details, the other for roles. That way a user can reside in more than one role simultaneously


Thanks a lot!.

It makes sense when explicitly stated. Wappler’s permissions field’s tooltip and documentation don’t make it clear IMO.

Thanks a lot, I’ll check this link. :slightly_smiling_face:

Server side data is missing from the UI. Am I missing a step or is this definitely a bug? Trying to restrict pages…