fastify-authz-auth0 v1.0.4
fastify-authz-auth0
This module does not provide an authentication strategy, but it provides an utility to handle authorization in your routes, without adding overhead.
Check out the complete example here.
Install
npm i fastify-authz-auth0 --save
Usage
Import this package in your src/index.js
and register this plugin before registering your API routes.
'use strict';
// Require the auth plugin
const auth = require('fastify-authz-auth0');
const routes = require('./app/v1');
function create() {
//creates the core fastify server instance with defaults
const fastify = core.createServer();
//Register auth plugin before registering routes
fastify.register(auth);
//custom routes set up
fastify.register(routes, { prefix: '/v1' });
return fastify;
}
async function start() {
const fastify = create();
core.start(fastify);
}
module.exports = {
create,
start
};
And when defining API routes, make sure you have a preHandler
calling this auth
function, which is decorated to the fastify instance.
Example API route
definition
fastify.route({
method: 'GET',
url: '/product-types/:productTypeId',
schema: {
params: {
type: 'object',
properties: {
productTypeId: { type: 'string', format: 'uuid' }
}
},
response: {
200: getProductTypeByIdSuccessfulResponse,
...errorResponses
}
},
// Pass the array of permissions for this route.
preHandler: fastify.auth(['read:product-types']),
handler: getProductTypeByIdHandler(fastify)
});
Authentication & Authorization
Authentication confirms user/ service identity to grant access to the system.
Authorization determines whether the user/ service has permissions to access the resources.
Auth0 provides authentication and authorization as a service. It takes the overhead of generating accessTokens with the list of permissions based on role of user.
The permissions inside the token are embedded like below:
...
"permissions": [
"read:product-types"
]
...
How this plugin works
This plugin will check for
authorization
property containing the value in the form ofBearer <Token(Generated By Auth0)>
in the request headers or body or query parameters.Then the
token
is decoded usingjsonwebtoken
module and picks thepermissions
array in the token.- If the list of
permissions
which are passed, when calling theauth
function inpreHandler
matches against thepermissions
obtained from the token then theapi
is served otherwise it responds with403 {UnAuthorized}
Acknowledgements
This project is kindly sponsored by:
License
Licensed under ---
5 years ago