/user/auth

The auth module is required by the XYZ API for request authorization.

A user_sessions{} object is declared in the module to store user sessions.

Requires

Methods

(async, inner) auth(req, res) → {Object}

The auth method returns a user object, to be assigned as a request parameter, if the request is successfully authenticated.

Requests with an Authorization header return the user resolved by the fromACL method.

If no request parameter token (e.g. an API key) is provided, the token value is extracted from the request cookie whose name matches the TITLE environment variable.

The token is verified by the JWT [jsonwebtoken] library.

With a valid signature the token is resolved to a user object by the JWT verify method.

The auth method then checks either the request parameter token (checkParamToken) or, if sessions are enabled, user.session (checkSession).

Parameters:

  req {Object}
    HTTP request.
    Properties:
      headers {Object}
        Request headers.
        Properties:
          authorization {Object} <optional>
            User authorization object.
      params.token {string} <optional>
        Authorization token.
      cookies {Object} <optional>
        Request cookies.

  res {Object}
    HTTP response.

Returns:

  User

  Type: Object

(async, inner) checkParamToken(req, res, user)

An API key can be provided as a request parameter token.

API key access does not have admin rights.

Every request will validate the API key against the key stored in the ACL.

API keys do not expire, but changing the key in the ACL immediately invalidates the old key on subsequent checks.

Parameters:

  req {Object}
    HTTP request.
    Properties:
      params.token {string}
        Authorization token.
      cookies {Object} <optional>
        Request cookies.

  res {Object}
    HTTP response.

  user {Object}

(async, inner) checkSession(req, user) → {string}

Returns immediately if sessions are not enabled via the USER_SESSION environment variable.

A user must have a session key, which is either already stored in the user_sessions object or is validated against the session key in the ACL.

Validated session keys are stored in the user_sessions object to prevent excessive requests to the ACL for the same user from the same process.

The session key is updated on login, e.g. on a different device. This invalidates the existing session key on devices previously logged in.

Parameters:

  req {Object}
    HTTP request.
    Properties:
      params.token {string} <optional>
        Authorization token.

  user {Object}

Returns:

  user.session

  Type: string