middleware/users

module:middleware/users

Description:
  • User middleware for authenticated endpoints

    The middleware uses module:api/users and module:api/session to parse session cookies, verify it against the bk_user table, checks ACLs with module:api/acl and if access to requested endpoint is allowed, stores current user in the context.user property.

    Global mode

    Enabled via config, an example to restrict access to /app and /admin endpoints to authenticated users only, if access denied redirect to the login page.

    • Only users with admin role can access /admin/* endpoints but only role billing can access /admin/billing.
    api-users-table = bk_user
    
    middleware-body-enable = true
    
    middleware-users-enable = /app/*, /admin/*
    
    middleware-users-login-path = /login
    middleware-users-logout-path = /logout
    middleware-users-profile-path = /profile
    
    middleware-users-login-redirect = /login.html
    
    api-acl-add-* = ^/app
    
    api-acl-add-admins = ^/admin/
    api-acl-add-billing = ^/admin/billing
    
    api-acl-allow-admin = admins, -billing
    api-acl-allow-billing = billing, admins
    

    Token based authentication, for API access

    This middleware handles API access with bearer tokens, not sessions, each request must send a token in the Authorization header, see module:api/users for details about tokens.

    • Only users with api role can use token bases access to the /api/* endpoints.
    middleware-users-enable-token = /api/*
    
    api-acl-add-api = ^/api/
    api-acl-allow-api = api
    

    Routing programmatically

    For complete control how the middleware must handle requests all can be easily done in the code

    const { api, middleware } = require("backendjs");
    const { body, users } = middleware;
    
    api.app.post("/login", body, users.login);
    
    api.app.post("/logout", users.logout).
            get("/profile", users.profile);
    
    api.app.use("/api/*", users).
            use("/admin/*", users);
    
    api.app.all("/api/*", body, { handle: users.handleToken });
    
Source:

Methods

(static) authorize(context) → {undefined|Object}

Description:
  • Perform authorization checks after the user been checked for valid session.

    At least one acl must match to proceed.

Source:
Parameters:
Name Type Description
context RequestContext
Returns:
Type Description
undefined | {status:number, message:string}
  • undefined if success or an error object to pass to the next

(static) configureMiddleware()

Description:
  • Start users middleware

Source:

(static) handle(context, next)

Description:
  • Implements authentication and authorizarion middleware for user sessions

Source:
Parameters:
Name Type Description
context RequestContext
next function()
Example
api.app.use("/portal", middleware.users);

(static) handleToken(context, next)

Description:
  • Implements authentication and authorizarion middleware for user API tokens

Source:
Parameters:
Name Type Description
context RequestContext
next function()
Example
api.app.use("/portal", { handle: middleware.users.handleToken });

(static) login(context, next)

Description:
  • Login with the secret, set the user in the context, creates a cookie session and store .exp in the sessions column, cleanup expired sessions. The body must have { login, secret } properties.

    The endpoint must be public.

Source:
Parameters:
Name Type Description
context RequestContext
next function()
Example
api.app.post("/login", middleware.users.login);

api.app.post("/login", middleware.body, middleware.users.login);

(static) logout(context, next)

Description:
  • Clear session, delete expired sessions, it handles authentication so this can be used with any path

Source:
Parameters:
Name Type Description
context RequestContext
next function()
Example
api.app.post("/logout", middleware.users.logout);

(static) profile(context, next)

Description:
  • Middleware to return current user profile record, can be used for checking if current session is still active, it handles authentication so this can be used with any path

Source:
Parameters:
Name Type Description
context RequestContext
next function()
Example
api.app.get("/profile", middleware.users.profile);