module:middleware/users
- Description:
User middleware for authenticated endpoints
The middleware uses module:api/users and module:api/session to parse session cookies, verify it against the bk_user table, checks ACLs with module:api/acl and if access to requested endpoint is allowed, stores current user in the context.user property.
Global mode
Enabled via config, an example to restrict access to /app and /admin endpoints to authenticated users only, if access denied redirect to the login page.
- Only users with
adminrole can access /admin/* endpoints but only rolebillingcan access/admin/billing.
api-users-table = bk_user middleware-body-enable = true middleware-users-enable = /app/*, /admin/* middleware-users-login-path = /login middleware-users-logout-path = /logout middleware-users-profile-path = /profile middleware-users-login-redirect = /login.html api-acl-add-* = ^/app api-acl-add-admins = ^/admin/ api-acl-add-billing = ^/admin/billing api-acl-allow-admin = admins, -billing api-acl-allow-billing = billing, adminsToken based authentication, for API access
This middleware handles API access with bearer tokens, not sessions, each request must send a token in the Authorization header, see module:api/users for details about tokens.
- Only users with
apirole can use token bases access to the/api/*endpoints.
middleware-users-enable-token = /api/* api-acl-add-api = ^/api/ api-acl-allow-api = apiRouting programmatically
For complete control how the middleware must handle requests all can be easily done in the code
const { api, middleware } = require("backendjs"); const { body, users } = middleware; api.app.post("/login", body, users.login); api.app.post("/logout", users.logout). get("/profile", users.profile); api.app.use("/api/*", users). use("/admin/*", users); api.app.all("/api/*", body, { handle: users.handleToken });- Only users with
- Source:
Methods
(static) authorize(context) → {undefined|Object}
- Description:
Perform authorization checks after the user been checked for valid session.
At least one acl must match to proceed.
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
context |
RequestContext |
Returns:
| Type | Description |
|---|---|
| undefined | {status:number, message:string} |
|
(static) configureMiddleware()
- Description:
Start users middleware
- Source:
(static) handle(context, next)
- Description:
Implements authentication and authorizarion middleware for user sessions
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
context |
RequestContext | |
next |
function() |
Example
api.app.use("/portal", middleware.users);
(static) handleToken(context, next)
- Description:
Implements authentication and authorizarion middleware for user API tokens
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
context |
RequestContext | |
next |
function() |
Example
api.app.use("/portal", { handle: middleware.users.handleToken });
(static) login(context, next)
- Description:
Login with the secret, set the user in the context, creates a cookie session and store .exp in the
sessionscolumn, cleanup expired sessions. The body must have { login, secret } properties.The endpoint must be public.
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
context |
RequestContext | |
next |
function() |
Example
api.app.post("/login", middleware.users.login);
api.app.post("/login", middleware.body, middleware.users.login);
(static) logout(context, next)
- Description:
Clear session, delete expired sessions, it handles authentication so this can be used with any path
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
context |
RequestContext | |
next |
function() |
Example
api.app.post("/logout", middleware.users.logout);
(static) profile(context, next)
- Description:
Middleware to return current user profile record, can be used for checking if current session is still active, it handles authentication so this can be used with any path
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
context |
RequestContext | |
next |
function() |
Example
api.app.get("/profile", middleware.users.profile);