/user/auth
The auth module is required by the XYZ API for request authorization.
A user_sessions{} object is declared in the module to store user sessions.
Requires
- module:/user/acl
- module:/user/fromACL
- module:jsonwebtoken
- module:/utils/processEnv
Methods
(async, inner) auth(req, res) → {Promise.<(Object|Error)>}
The auth method returns a user object, to be assigned as a request parameter, if a request is successfully authenticated.
Requests with an authorization header return the user resolved by the fromACL method.
Without a request parameter token [e.g. an API key], the token value is extracted from the request cookie whose name matches the TITLE xyzEnvironment variable.
The token is verified with the JWT [jsonwebtoken] library.
With a valid signature the token is resolved to a user object by the verify method.
Finally, the auth method checks either the request parameter token or, if sessions are enabled, user.session.
Name | Type | Attributes | Description |
---|---|---|---|
req.headers | Object | | Request headers. |
headers.authorization | Object | <optional> | User authorization object. |
req.params | Object | | Request parameters. |
params.token | string | <optional> | JWT. |
req.cookies | Object | <optional> | Request cookies. |
Method resolves to either a user object or Error
- Type:
- Promise.<(Object|Error)>
(async, inner) checkParamToken(req, res) → {Promise.<(Object|Error)>}
An API key can be provided as the request parameter token.
API key access does not have admin rights.
Every request validates the API key against the key stored in the ACL.
API keys do not expire, but changing the key in the ACL immediately invalidates the previous key on subsequent checks.
Name | Type | Attributes | Description |
---|---|---|---|
req.params | Object | | Request parameters. |
params.token | string | | JWT. |
req.cookies | Object | <optional> | Request cookies. |
Method resolves to either a user object or Error
- Type:
- Promise.<(Object|Error)>
(async, inner) checkSession(req, user) → {Promise.<(Object|Error)>}
Returns immediately if sessions are not enabled via the USER_SESSION xyzEnvironment variable.
A user must have a session key, which is either already stored in the user_sessions object or is validated against the session key in the ACL.
Validated session keys are stored in the user_sessions object to prevent excessive requests to the ACL for the same user from the same process.
The session key is updated on login, e.g. on a different device. This invalidates the existing session key on devices previously logged in.
Name | Type | Description |
---|---|---|
req | req | HTTP request. |
user | user | User object. |
Name | Type | Attributes | Description |
---|---|---|---|
req.params | Object | | Request parameters. |
params.token | string | <optional> | JWT. |
Method resolves to either a user object or Error
- Type:
- Promise.<(Object|Error)>
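The session-key rotation described above, as an added example that is not the module's own code: an in-memory model of checkSession with the per-process user_sessions cache, where a second device login rotates the key in the ACL and the earlier device's key stops validating. The `acl` Map, `aclSessionKey`, `login` and `xyzEnv` are assumed stand-ins for the real ACL store and the processEnv module, and checkSession is written synchronously rather than async for readability.

```javascript
const xyzEnv = { USER_SESSION: 'true' }; // stands in for processEnv
// Constructed ACL store: one record per email; `session` is the current key.
const acl = new Map();
let aclLookups = 0; // how often the ACL was consulted

// Per-process cache of the last validated session key for each user.
const user_sessions = {};

// Stand-in for the ACL query that returns a user's stored session key.
function aclSessionKey(email) {
  aclLookups += 1;
  const record = acl.get(email);
  return record ? record.session : null;
}

// Login on a (new) device rotates the session key stored in the ACL.
function login(email, newKey) {
  acl.set(email, { session: newKey });
}

// req is unused here but kept to mirror the documented signature.
function checkSession(req, user) {
  if (!xyzEnv.USER_SESSION) return user;
  // Reject before the cache comparison so a missing key can never match an
  // empty cache slot (undefined === undefined).
  if (!user.session) return new Error('Missing user session key.');
  if (user_sessions[user.email] === user.session) return user; // cache hit
  if (aclSessionKey(user.email) !== user.session) {
    return new Error('Invalid user session key.');
  }
  user_sessions[user.email] = user.session; // remember the validated key
  return user;
}

// Device A logs in and is checked twice, then device B logs in.
function scenario() {
  aclLookups = 0;
  delete user_sessions['alice@example.com'];
  login('alice@example.com', 'key-device-A');
  const deviceA = { email: 'alice@example.com', session: 'key-device-A' };
  const first = checkSession({}, deviceA) instanceof Error;  // false, 1 lookup
  const second = checkSession({}, deviceA) instanceof Error; // false, cached
  const lookupsBeforeLogin = aclLookups;                     // 1
  login('alice@example.com', 'key-device-B');
  const deviceB = { email: 'alice@example.com', session: 'key-device-B' };
  const newDevice = checkSession({}, deviceB) instanceof Error; // false
  const oldDevice = checkSession({}, deviceA) instanceof Error; // true
  return { first, second, lookupsBeforeLogin, newDevice, oldDevice, aclLookups };
}
```

Because the cache lives in one process, each process behind a load balancer consults the ACL once per rotated key before serving the cached comparison.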