ServiceAuthorizationMiddleware

Extracts the service token from the request and authorizes it using the provided auth params.

Error handler for errors thrown by ServiceAuthorizationMiddleware

Tells IMSG to redirect unauthorized requests to login, and passes any other error on to next().

FullAuthorizationParameters

The type definition of the full authorization object with all parameters. Passed to the authorize function.

AccessRule

The type definition of an access rule. Passed to the authorize function in the accessRules list of the authorization object. All properties are optional, but at least one must be set.

AuthorizationMode

Type definition of the authorization mode, either SERVICE_ADMIN_ENDPOINT or OPEN_ENDPOINT:

- SERVICE_ADMIN_ENDPOINT - Authorization checks that the request carries a valid token and that its subject is a service admin. Either accessed or thrown out.
- OPEN_ENDPOINT - Authorization checks that any token presented is valid and lets the request through to the open endpoint (a request with no token at all is also let through; see the authorize steps). Either accessed or thrown out.
ServiceAuthorizationMiddleware parameters

Param | Type | Description |
---|---|---|
options | Object | Required - Middleware options |
options.serviceTokenSignSecret | string | Required - Secret to validate the token signature against |
authParams | FullAuthorizationParameters \| AuthorizationMode | Required - Authorization parameters to pass to the authorize function |

Error handler parameters

Param | Type | Description |
---|---|---|
err | Object | Express err |
req | Object | Required - Express req |
res | Object | Required - Express res |
next | function | Required - Express next |

FullAuthorizationParameters properties

Name | Type | Description |
---|---|---|
onPreAuth | function | Function to run before authorize is called |
org | string \| function \| Boolean | Required - Organization to authorize against |
accessRules | Array.<AccessRule> | Optional access rules to authorize against |
suppressLoginTrigger | Boolean | If true, do not redirect failed authorization to login |

AccessRule properties

Name | Type | Description |
---|---|---|
unit | string \| function | Unit that should match the token |
permission | string \| function | Permission that should match the token |
sub | string \| function | Subject that should match the token |
ServiceAuthorizationError

ServiceAuthorizationError - extends the Error class. Base class for every kind of error in ServiceAuthorizationLib.

Extends: Error

hapiReply(replyOrResponseToolkit, extraPublicData)

Reply function to respond with the error. Returns: Object - Response - Response object

AccessDenied

AccessDenied error - extends the ServiceAuthorizationError class. PublicMessage is set to 'Access denied' and HttpCode is set to 403. Thrown when the user's credentials do not match the credentials the requested endpoint requires.

Extends: ServiceAuthorizationError

Unauthorized

Unauthorized error - extends the ServiceAuthorizationError class. PublicMessage is set to 'Unauthorized' and HttpCode is set to 401. Thrown when a user requests an endpoint without access to it, typically because no valid service token was presented.

Extends: ServiceAuthorizationError

ConfigError

ConfigError - extends the ServiceAuthorizationError class. PublicMessage is set to 'Internal Server Error' and HttpCode is set to 500. Thrown when building the config variables during authorize fails.

Extends: ServiceAuthorizationError
authorize(params)

Main authorization function. Consists of the following steps, in order:

1. If the token is missing and the endpoint is open, authorize the request.
2. Validate and decode the service token.
3. If a service token exists and the endpoint is open, authorize the request.
4. Try to authorize using serviceAdmin.
5. Build the auth params and check that a service token exists.
6. Authorize the organization.
7. Authorize using the optional accessRules.

Because step 2 runs before step 3, a token that is present but fails validation is rejected even on an open endpoint; only a missing token is let through by step 1.

Returns: authorizationSuccessResult | authorizationErrorResult - Either an authorizationSuccessResult object or an authorizationErrorResult object.

authorizationSuccessResult - The result object returned if authorization succeeded.

authorizationErrorResult - The error object returned if authorization failed. Its err is one of Unauthorized, AccessDenied or ConfigError.
ServiceAuthorizationError constructor parameters

Param | Type | Default | Description |
---|---|---|---|
args | Object | | Required - The args object passed to the constructor |
args.publicData | Object | | Required - Data to show in the error |
args.internalData | Object | | Required - Private data that can be logged with the error but is not shown to the client |
args.publicMessage | string | "An error occurred" | Error message to be shown |
args.httpCode | number | 500 | HTTP status code for the error |

hapiReply parameters

Param | Type | Default | Description |
---|---|---|---|
replyOrResponseToolkit | Object | | Required - Response toolkit, for example 'h' in Hapi, which handles the response |
extraPublicData | Object | {} | Extra public data to show in the error message |

AccessDenied, Unauthorized and ConfigError constructor parameters (the same for all three)

Param | Type | Description |
---|---|---|
publicData | Object | Required - Data to show in the error |
internalData | Object | Required - Private data that can be logged with the error but is not shown to the client |
authorize parameters

Param | Type | Description |
---|---|---|
params | Object | Required - |
params.authParams | FullAuthorizationParameters \| AuthorizationMode | Required - Object with auth parameters from the request |
params.unverifiedServiceToken | String | Required - Unverified service token in JWT format |
params.serviceTokenSignSecret | String | Required - The secret the unverified token should be validated with |
params.request | http.IncomingMessage | Required - The request object to be made available in authParams |

authorizationSuccessResult

Name | Description |
---|---|
result | Required - |
result.credentials | Required - |
result.credentials.serviceToken | Required - Decoded service token used to authorize the request |
result.artifacts | Required - |
result.artifacts.reason | Required - Why the request was authorized |
result.artifacts.authenticationParameters | Required - The built authorization parameters used to authorize the request |
result.artifacts.matchingAccessRules | Required - The built access rules that matched the provided token |
result.artifacts.matchingServiceAdmin | Required - Whether the token matched a service admin rule |

authorizationErrorResult

Name | Description |
---|---|
result | Required - |
result.err | Required - The error thrown during authorization |
AccessDenied

Extends: ServiceAuthorizationError (PublicMessage 'Access denied', HttpCode 403; see the summary above).

hapiReply(replyOrResponseToolkit, extraPublicData)

Reply function to respond with the error. Overrides: ServiceAuthorizationError#hapiReply. Returns: Object - Response - Response object
Token helpers

Module with helper functions for the tokens. Every helper takes the raw request (http.IncomingMessage); the unit permissions helper additionally takes the unit. Note that extracting and decoding a token does not verify its signature: the authorize function receives it as unverifiedServiceToken and validates it against serviceTokenSignSecret, so values read through these helpers should only be trusted once authorization has succeeded.

- Extracts and decodes a service token from a raw request. Returns: Object - serviceToken - The service token
- Extracts the IMID token from a raw request if present. Returns: String | null - imidToken - The IMID token if present
- Gets the subject from the service token. Returns: String - subject - The subject identifier set on the service token
- Gets the subject's organization. Returns: String - organization - The organization the subject belongs to
- Gets the subject's mapped units. Returns: Array.<String> - units - An array of all units the subject belongs to
- Gets the subject's selected unit. Returns: null | String - unit - The subject's selected unit, null if no unit is selected
- Gets the subject's organization permissions, located under permissions.org. Returns: Array.<String> - permissions - The subject's org permissions
- Gets the subject's permissions for the specified unit, located under permissions.units[unit]. Returns: Array.<String> - permissions - The subject's permissions for the specified unit
- Checks whether a token belongs to an admin for the service. Returns: Boolean - isServiceAdmin - True if the token belongs to an admin for the service
- Gets the subject's userinfo. Returns: Object - userinfo - The userinfo object set on the subject
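As an added illustration of the helper module above (not the library's own code), the block below extracts a service token from a request and exposes the permission lookups. Assumptions not on the page: the token is sent as a Bearer token in the Authorization header, the getters take the already-decoded token rather than the request, the payload layout is sub, org, units, unit, permissions.org, permissions.units[unit], serviceAdmin and userinfo, and the IMID helper is left out because the page does not say where that token is carried. The request is constructed for the example.

```javascript
'use strict';
// Added example, not the library's code. Models the token helper module described
// above. Assumed, not stated on the page: the service token travels as a Bearer
// token in the Authorization header and its payload carries sub, org, units, unit,
// permissions.org, permissions.units[unit], serviceAdmin and userinfo.

// Extracts and decodes the service token. This only parses the JWT payload and
// performs NO signature check, so the result is untrusted until authorize() has
// validated it. Returns null when no token is present or it is not shaped like a JWT.
function extractServiceToken(request) {
  const header = (request.headers && request.headers.authorization) || '';
  const m = /^Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)$/.exec(header);
  if (!m) return null;
  try {
    return JSON.parse(Buffer.from(m[1].split('.')[1], 'base64url').toString('utf8'));
  } catch (e) {
    return null;
  }
}

const asArray = (v) => (Array.isArray(v) ? v : []);

function getSubject(token) { return token.sub; }
function getOrganization(token) { return token.org; }
function getUnits(token) { return asArray(token.units); }
function getSelectedUnit(token) { return token.unit == null ? null : token.unit; }

// Organization permissions live under permissions.org.
function getOrgPermissions(token) {
  return asArray(token.permissions && token.permissions.org);
}

// Unit permissions live under permissions.units[unit]. Only own properties count,
// so a caller-supplied unit such as "constructor" never reaches the prototype.
function getUnitPermissions(token, unit) {
  const units = (token.permissions && token.permissions.units) || {};
  return Object.prototype.hasOwnProperty.call(units, unit) ? asArray(units[unit]) : [];
}

// Strict boolean check: a truthy string such as "false" must not count as admin.
function isServiceAdmin(token) { return token.serviceAdmin === true; }
function getUserinfo(token) { return token.userinfo || {}; }

// Constructed request carrying an unsigned sample token. The signature part is
// deliberately empty: extraction does not look at it, authorize() would reject it.
function sampleRequest() {
  const payload = {
    sub: 'user-1', org: 'acme', units: ['warehouse', 'office'], unit: 'warehouse',
    permissions: { org: ['read'], units: { warehouse: ['ship'] } },
    serviceAdmin: 'false', userinfo: { name: 'Example User' },
  };
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return { headers: { authorization: `Bearer ${b64({ alg: 'none' })}.${b64(payload)}.` } };
}
```

The sample deliberately carries serviceAdmin as the string "false" and an empty signature: the getters read it without complaint, which is exactly why nothing decoded here should drive an access decision before authorize() has verified the token.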
ConfigError

Extends: ServiceAuthorizationError (PublicMessage 'Internal Server Error', HttpCode 500; see the summary above).

hapiReply(replyOrResponseToolkit, extraPublicData)

Reply function to respond with the error. Overrides: ServiceAuthorizationError#hapiReply. Returns: Object - Response - Response object
Unauthorized

Extends: ServiceAuthorizationError (PublicMessage 'Unauthorized', HttpCode 401; see the summary above).

hapiReply(replyOrResponseToolkit, extraPublicData)

Reply function to respond with the error. Overrides: ServiceAuthorizationError#hapiReply. Returns: Object - Response - Response object
Token helper parameters

Param | Type | Description |
---|---|---|
request | http.IncomingMessage | Required - The raw request the token is read from (all helpers) |
unit | String | Required - The unit permissions should be checked in (unit permissions helper only) |