Checks Authorisation using tokens from a remote web server
```sh
npm install auth-client
```

```js
var ac = require('auth-client')({server: settings.authServer, client: settings.client, apiKey: settings.apiKey});
```

Constructor options:

- `server`: configuration for the remote authorization server, with the following attributes:
  - `authURL`: the login authorization URL
  - `logoutURL`: the URL for logging out
  - `keepAliveURL`: the URL for keeping a session active
  - `swapCodeURL`: the URL for exchanging an authorization code for an access_token
  - `userAuthURL`: the URL for authorizing a role with a token
- `client`: the relying party client information, including the following attributes:
  - `client_id`: a client id which was registered with the authorization server
  - `client_secret`: a client password which was registered with the authorization server
  - `authCode`: the name of the code parameter. Defaults to `code` as specified by OAuth
  - `tokenName`: the name of the token used to access the user info. Defaults to `access_token`
- `apiKey`: an array of objects representing API keys which can be used by mobile apps to access an API via the `X-Api-Key` header, e.g. `{key:"ABC123", thirdParty:"acme"}`

Options passed to the middleware (see the usage examples):

- `redirectURI`: a URL to be redirected to following authorization. Defaults to the current URL.
- `redirectLogin`: if undefined the user's browser will not be redirected; a 401 will be sent instead. This is to support AJAX.
- `noRespond`: don't do a `res.send` so this can be chained
- `scope`: the scope of the authorization request, the name of the resource to be accessed
- `operation`: the operation on the resource to be checked
- `clientReq`: the name of the object on the express `req` object to send as the original client request
- `clientRes`: the name of the object on the express `req` object to write any authDetails in the authentication response

Environment variables:

- `AUTH_CLIENT_MODE`: if this is set to `promiscuous` and `NODE_ENV` == `development` then the authorization check always allows access to anyone.
Secure a URL for any authenticated user with permission to perform an operation on a resource:

```js
// Traditional web app with no AJAX
var Support = {
  scope: 'aProtectedResource',
  operation: 'Update',
  redirectURI: 'http://localhost:8888/secure',
  redirectLogin: true, // 301 will be sent by server
  noRespond: true      // swapCode will not do a res.send so it can be chained with other functions
};
// noCache and routes.secure are the application's own middleware and route handler
app.get('/secure', noCache, ac.swapCode(Support), ac.check(Support), ac.keepAlive(), routes.secure);

// AJAX application
var SupportAJAX = {
  scope: 'aProtectedResource',
  operation: 'Update',
  client_id: 'MemberSearch',
  noRespond: true,
  redirectURI: 'http://localhost:8888/index.html%23/'
  // no redirectLogin means that 401 is sent by server instead of 301
};
app.all('/ajaxsecure', ac.swapCode(SupportAJAX), ac.check(SupportAJAX), routes.secure);
```
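As an added illustration (not auth-client's own code), the following sketches the check behaviour the options above describe: the Authorization header is consulted before body, query and cookie, an `X-Api-Key` is matched against the configured list, the response is a 401 or a redirect depending on `redirectLogin`, and the promiscuous bypass is gated on `NODE_ENV`. The `Bearer` scheme, the `authorize` callback standing in for the `userAuthURL` call, and the sample configuration and requests are assumptions.

```javascript
// Added illustration (not auth-client's own code) of the credential-sourcing and
// response rules described above. Assumes req.body, req.query and req.cookies are
// already parsed and that tokens arrive as "Authorization: Bearer <token>".
const DEV_BYPASS = 'promiscuous';

// Locate the caller's credential. The Authorization header is consulted before
// body, query and cookie (the cookie is the weakest source because the browser
// attaches it automatically), and an X-Api-Key is honoured only when it matches
// one of the configured apiKey entries.
function resolveCredential(req, opts) {
  const h = req.headers || {};
  const tokenName = (opts.client && opts.client.tokenName) || 'access_token';
  const bearer = typeof h.authorization === 'string' && /^Bearer\s+(\S+)$/i.exec(h.authorization);
  if (bearer) return { type: 'token', value: bearer[1] };
  for (const src of [req.body, req.query, req.cookies]) {
    if (src && typeof src[tokenName] === 'string') return { type: 'token', value: src[tokenName] };
  }
  if (typeof h['x-api-key'] === 'string') {
    const hit = (opts.apiKey || []).find(k => k.key === h['x-api-key']);
    if (hit) return { type: 'apiKey', thirdParty: hit.thirdParty };
  }
  return null;
}

// Decide how the check should respond. `authorize` stands in for the call to the
// server's userAuthURL and returns true when the credential may perform
// opts.operation on opts.scope. Promiscuous mode bypasses the check only when
// NODE_ENV is development, so the variable alone cannot open a production system.
function decide(req, opts, env, authorize) {
  if (env.AUTH_CLIENT_MODE === DEV_BYPASS && env.NODE_ENV === 'development') {
    return { status: 200, via: 'promiscuous' };
  }
  const cred = resolveCredential(req, opts);
  if (cred && authorize(cred, opts.scope, opts.operation)) return { status: 200, via: cred.type };
  if (!cred && opts.redirectLogin) return { status: 301, location: opts.server.authURL };
  return { status: 401, clearTokenCookie: true }; // no redirect (AJAX) or credential rejected: 401, stale cookie cleared
}

// Constructed sample configuration, authorizer and requests.
const OPTS = {
  server: { authURL: 'https://auth.example.test/login' },
  client: { client_id: 'MemberSearch', tokenName: 'access_token' },
  apiKey: [{ key: 'ABC123', thirdParty: 'acme' }],
  scope: 'aProtectedResource', operation: 'Update',
};
const allowAcme = (cred) => cred.type === 'apiKey' && cred.thirdParty === 'acme';
const viaHeader = { headers: { authorization: 'Bearer hdr' }, cookies: { access_token: 'cky' } };
const viaApiKey = { headers: { 'x-api-key': 'ABC123' } };
const anonymous = { headers: {} };
```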
| Version | Date | Description |
|---|---|---|
| v0.4.11 | 2020-03-04 | Updated dependencies to latest versions and removed use of deprecated req.param |
| v0.4.10 | 2018-02-27 | Updated dependencies to latest versions |
| v0.4.9 | 2017-06-19 | Multiple API keys can be configured for various third parties |
| v0.4.8 | 2017-05-16 | Support authDetail object in the response to cater for conditional access |
| v0.4.7 | 2017-02-01 | Republished as github latest not up to date |
| v0.4.6 | 2016-10-25 | Fixed to check the authHeader before other sources of the key |
| v0.4.5 | 2016-03-21 | Allow mobile apps to use apiKey instead of XSRF check |
| v0.4.4 | 2015-09-28 | Clear token cookie on unauthorised (401) |
| v0.4.3 | 2014-09-04 | Debug module |
| v0.4.2 | 2014-09-02 | Location in 403 response |
| v0.4.1 | 2014-08-22 | Resource check |
| v0.3.3 | 2014-08-20 | Added promiscuous mode |
| v0.3.2 | 2014-08-05 | Check looks for token in body, query, cookie |
| v0.3.1 | 2014-07-18 | Can set original client request as an object from express req object |
| v0.3.0 | 2014-07-16 | Added logout and checks for operations on resources |
| v0.2.0 | 2014-06-13 | Added swapCode, keepAlive and angularJS XSRF check |
| v0.1.0 | 2014-05-28 | Created |
(The MIT License)
Copyright (c) 2016 PC