The auth method returns a user object to be assigned as request parameter if a request is successfully authenticated.

Requests with authorization headers will return the user fromACL method.

Without a request parameter token [eg. API key], the token value will be extracted from a request cookie matching the TITLE environment variable.

The token will be verified by the JWT [jsonwebtoken] library.

With a valid signature the token will be resolved as a user object by the verify method.

The auth method checks either the request parameter token or user.session if enabled.

An API key can be provided as a request parameter token.

API key access does not have admin rights.

Every request will validate the API key against the key stored in the ACL.

API keys do not expire. But changing the key in the ACL will immediately invalidate the key on successive checks.

Will return if sessions are not enabled via USER_SESSION environment variable.

A user must have a session key which is either stored in the user_sessions object or will be validated against the session key in the ACL.

Validated session keys are stored in the user_sessions object to prevent excessive requests to the ACL for the same user from the same process.

The session key will be updated on login, eg. on a different device. This will invalidate the existing session key on devices previously logged in.