0.1.6 • Published 3 years ago

authorize-request v0.1.6

License
ISC

Authorize Request

Authorize Request is intended for a microservice architecture where you need granular, role-based access control for users, with the roles taken from the Identity Token.

For this to work properly, these things must be ready:

  1. You are running a Cloud Run (managed) based microservice architecture.
  2. Services that use this tool are placed behind an API Gateway, or behind another service to which authentication is delegated.
  3. You have deployed a config server within Cloud Run that is based on Spring Cloud Config Server.
  4. Your config server is hosting roles.yml.

Requirements

Please make sure in the environment you have the following:

  1. IAM Permissions
    1. Cloud Run Invoker on the config service.
    2. Cloud Run Viewer - used to find the URL of the config service.
  2. Environment variables
    1. PROJECT_NUMBER should contain the numeric project number, e.g. PROJECT_NUMBER=657672267210
    2. GCLOUD_REGTION should contain the region in which the config service is deployed, e.g. GCLOUD_REGTION=asia-northeast1
    3. optional - CONFIG_REPO_BRANCH_NAME should specify the branch name of the config repository. If omitted, the config server's default branch is used, e.g. CONFIG_REPO_BRANCH_NAME=dev

Authenticating Requests

This tool does not currently perform authentication on its own. It expects authentication to have been done beforehand by the API gateway or by GraphQL, with the authentication result carried in a request header.

The tool expects the payload of the JWT to be base64 encoded and included in the x-graphql-userinfo or x-apigateway-api-userinfo header (in that order of preference).

curl --location --request GET 'http://HOST' \
--header 'x-apigateway-api-userinfo: eyJyb2xlcyI6WyJyb2xlcy9lbmFibGVyIl19'

Authentication Result

In the example above the payload is the following:

{ "roles": ["roles/enabler"] }

During the transition period away from Salesforce, the tool also accepts the roles under the alias key permission_set (roles is preferred when both are present).

{ "permission_sets": ["roles/enabler"] }

Usage

// The middleware is used with an Express app; the express import and app
// setup below are assumed for a complete example.
import express, { Request, Response } from 'express'
import { authorizeRequest } from 'authorize-request'

const app = express()

app.get(
  '/some/path',
  // Only users whose roles grant this permission may reach the handler.
  authorizeRequest('admin.users.create'),
  (req: Request, res: Response) => {
    // do something
  }
)

If the user does not have the required permission, the request is rejected with status code 401.
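To make the header contract and the permission check above concrete, here is an added example (not the package's own code) that decodes the user info from the headers in the documented preference order, falls back from roles to permission_sets, and checks a required permission against a role-to-permission map. The map is a constructed stand-in for roles.yml, whose format this page does not document, and the dependency-free header type is an assumption.

```typescript
// Added example, not the package's own code. Assumes a plain header map and
// a constructed role-to-permission map standing in for roles.yml.
type Headers = Record<string, string | undefined>;

// Constructed stand-in for the roles.yml served by the config server.
export const ROLE_PERMISSIONS: Record<string, string[]> = {
  "roles/enabler": ["admin.users.create", "admin.users.read"],
  "roles/viewer": ["admin.users.read"],
};

// Header preference order documented on the page.
const USERINFO_HEADERS = ["x-graphql-userinfo", "x-apigateway-api-userinfo"];

// Decode the base64 JWT payload from the first header present; returns null
// when no header is set or the payload is not a JSON object.
export function decodeUserInfo(headers: Headers): Record<string, unknown> | null {
  for (const name of USERINFO_HEADERS) {
    const raw = headers[name];
    if (!raw) continue;
    try {
      const parsed = JSON.parse(Buffer.from(raw, "base64").toString("utf8"));
      return typeof parsed === "object" && parsed !== null ? parsed : null;
    } catch {
      return null; // malformed payload: treat as carrying no roles
    }
  }
  return null;
}

// Roles come from "roles", falling back to the transitional "permission_sets";
// anything that is not an array of strings is ignored.
export function extractRoles(payload: Record<string, unknown> | null): string[] {
  if (!payload) return [];
  const pick = (v: unknown) =>
    Array.isArray(v) && v.every((x) => typeof x === "string") ? (v as string[]) : null;
  return pick(payload.roles) ?? pick(payload.permission_sets) ?? [];
}

// True when at least one of the user's roles grants the required permission;
// unknown roles grant nothing.
export function hasPermission(headers: Headers, permission: string): boolean {
  return extractRoles(decodeUserInfo(headers)).some((role) =>
    (ROLE_PERMISSIONS[role] ?? []).includes(permission),
  );
}
```

Calling hasPermission with the curl header from this page and "admin.users.create" returns true; a missing, undecodable or unknown-role header returns false, which is the outcome a 401 rejection should follow.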
