Role based authorization with express-jwt?


Is it the only and recommended way?

pretty much, yeah.

this isn't a "controller function", though. this is an example of middleware, which is what you want to use in this case.

a more complete example would be:

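```js
var express = require("express");
// older express-jwt API: the module itself is the middleware factory
// and the decoded token lands on req.user
var jwt = require("express-jwt");

var router = new express.Router();

// process jwt stuff
var processjwt = jwt({secret: 'shhhhhhared-secret'});

// authorization check
function authorizationCheck(req, res, next) {
  if (!req.user.admin) {
    return res.sendStatus(401);
  } else {
    // move to the next middleware, cause it's ok
    next();
  }
}

// the real route handler (takes next so errors reach the error middleware)
function myRouteHandler(req, res, next) {
  // doSomeWork is a placeholder for the application's own logic
  doSomeWork(function(err, data){
    if (err) { return next(err); }
    res.json(data);
  });
}

// put it all together
router.use("/protected", processjwt, authorizationCheck);
router.get("/protected", myRouteHandler);
```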

there are dozens of variations on this setup that can be used, but this gets the idea across.
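
One such variation, as an added example that is not part of the original answer: a middleware factory that generalizes the single `admin` flag to a list of allowed roles and separates "no verified token" (401) from "token lacks the role" (403). The names `requireRole` and `runCheck` and the `roles` array claim are assumptions; the payload is read from `req.user` as in the answer's code.

```javascript
// Added example: role-checking middleware factory (hypothetical names).
// Assumes an earlier middleware (express-jwt in the answer above) has put the
// verified token payload on req.user, and that it carries a `roles` array.
function requireRole(...allowed) {
  // Fail at startup rather than silently protecting nothing.
  if (allowed.length === 0) {
    throw new Error("requireRole needs at least one role");
  }
  const allowedSet = new Set(allowed);
  return function roleCheck(req, res, next) {
    const user = req.user;
    // No verified token payload: the caller is unauthenticated.
    if (!user || typeof user !== "object") {
      return res.sendStatus(401);
    }
    // Accept only an array of strings. A bare string claim such as
    // "superadmin" must not match "admin" through substring semantics.
    const roles = Array.isArray(user.roles)
      ? user.roles.filter((r) => typeof r === "string")
      : [];
    // Authenticated but lacking every allowed role: forbidden.
    if (!roles.some((r) => allowedSet.has(r))) {
      return res.sendStatus(403);
    }
    return next();
  };
}

// Minimal stand-in for an Express response so the check runs offline.
function runCheck(middleware, user) {
  const result = { status: null, nextCalled: false };
  const res = { sendStatus(code) { result.status = code; return res; } };
  middleware({ user }, res, () => { result.nextCalled = true; });
  return result;
}

// Constructed sample payloads, not real tokens.
const adminOnly = requireRole("admin");
console.log(runCheck(adminOnly, { sub: "u1", roles: ["admin"] }));
console.log(runCheck(adminOnly, { sub: "u2", roles: ["viewer"] }));
console.log(runCheck(adminOnly, { sub: "u3", roles: "superadmin" }));
console.log(runCheck(adminOnly, undefined));
```

In the setup above it would take the place of `authorizationCheck`, for instance `router.use("/protected", processjwt, requireRole("admin"))`.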