server/api/utils/auth

Configuration of the express-jwt-policies library.

The settings in this file influence the behavior of the auth.authenticate and auth.authorize functions used throughout *.routes.js files (in server/api/{subject} directories) for authentication and/or authorization.

Methods

(inner) authenticatedResourceLoader(req, res, next)

This middleware function is called by express-jwt-policies after the request's JWT has been successfully verified.

It loads the user account whose identifier matches the token's "sub" claim and attaches it to req.currentUser for use by later middleware functions and policy functions.

If no matching user is found, or the user is inactive, a standard unauthorized error (see module:server/api/utils/errors) is forwarded to the next error-handling middleware; both cases produce the same 401 response, so the client cannot tell whether the account exists. Any other, unexpected error (e.g. a database failure) is forwarded to the next error-handling middleware unchanged.

Parameters:

Name  Type      Description
req   Request   Express request object.
res   Response  Express response object.
next  function  Function that calls the next middleware in the stack.

(inner) authenticationErrorHandler(err, req, res, next)

This error-handling middleware function is called by express-jwt-policies if an authentication error occurs (i.e. a problem with the JWT itself, or an error forwarded by the authenticated resource loader above).

If the error is a known one, such as a missing, malformed or otherwise invalid JWT, it is replaced by a standard unauthorized error (see module:server/api/utils/errors) and forwarded to the next error-handling middleware, so the response does not reveal why the token was rejected. Unexpected errors are forwarded without change.
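The following is an added example, not the project's own code, showing both functions described above (the authenticated resource loader and the authentication error handler) in the shape express-jwt-policies calls them, run against constructed data with no Express app or database. It assumes that the verified, decoded JWT is exposed on req.jwtToken (the library's default request property as far as I know; adjust if your configuration differs), that token problems arrive as errors named 'UnauthorizedError' with a code such as credentials_required or invalid_token (the shape express-jwt produces), and that the HttpError class and unauthorizedError() stand in for module:server/api/utils/errors.

```javascript
// Added example, not the project's own code. Assumptions (not from the page):
//  - the verified, decoded JWT is available on req.jwtToken;
//  - token problems are errors named 'UnauthorizedError' with a `code`
//    (credentials_required, invalid_token, ...), as express-jwt raises them;
//  - HttpError / unauthorizedError stand in for module:server/api/utils/errors.

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

function unauthorizedError() {
  return new HttpError(401, 'Authentication is required.');
}

// Constructed user table keyed by the value placed in the JWT "sub" claim.
const USERS = new Map([
  ['u-1', { id: 'u-1', email: 'alice@example.com', active: true }],
  ['u-2', { id: 'u-2', email: 'bob@example.com', active: false }]
]);

// Synchronous stand-in for the user model; a real one would query a database.
const User = {
  findBySub: sub => USERS.get(sub) || null
};

// Factory so the store can be swapped (used below to simulate a database failure).
function makeAuthenticatedResourceLoader(store) {
  return function authenticatedResourceLoader(req, res, next) {
    const sub = req.jwtToken && req.jwtToken.sub;
    let user;
    try {
      user = sub ? store.findBySub(sub) : null;
    } catch (err) {
      return next(err); // unexpected error: forwarded unchanged
    }
    if (!user || !user.active) {
      // Unknown or deactivated account: the same 401 as a bad token, so the
      // response does not reveal which of the two it was.
      return next(unauthorizedError());
    }
    req.currentUser = user; // later middleware and policy functions read this
    next();
  };
}

const authenticatedResourceLoader = makeAuthenticatedResourceLoader(User);

function authenticationErrorHandler(err, req, res, next) {
  if (err && err.name === 'UnauthorizedError') {
    // Known token problem (missing, malformed, expired, bad signature, ...):
    // collapse to the standard 401 so the client learns nothing about why.
    return next(unauthorizedError());
  }
  next(err); // anything else is forwarded without change
}

// Drives one middleware against a fake request and reports what reached next().
// Pass `err` to drive an error-handling (err, req, res, next) middleware.
function run(middleware, req, err) {
  const outcome = { error: null, passed: false, req };
  const next = e => { if (e) outcome.error = e; else outcome.passed = true; };
  if (err === undefined) middleware(req, {}, next); else middleware(err, req, {}, next);
  return outcome;
}

// The cases the documentation describes, each returning a checkable value.
function activeUserIsAttached() {
  const out = run(authenticatedResourceLoader, { jwtToken: { sub: 'u-1' } });
  return out.passed && out.req.currentUser.email; // 'alice@example.com'
}
function inactiveUserStatus() {
  return run(authenticatedResourceLoader, { jwtToken: { sub: 'u-2' } }).error.status; // 401
}
function unknownSubStatus() {
  return run(authenticatedResourceLoader, { jwtToken: { sub: 'u-999' } }).error.status; // 401
}
function databaseFailureMessage() {
  const broken = { findBySub: () => { throw new Error('ECONNREFUSED'); } };
  return run(makeAuthenticatedResourceLoader(broken), { jwtToken: { sub: 'u-1' } }).error.message;
}
function tokenErrorStatus() {
  const tokenErr = Object.assign(new Error('jwt expired'), { name: 'UnauthorizedError', code: 'invalid_token' });
  return run(authenticationErrorHandler, {}, tokenErr).error.status; // 401
}
function unexpectedErrorPassesThrough() {
  const boom = new TypeError('not a token problem');
  return run(authenticationErrorHandler, {}, boom).error === boom; // true
}
```

Note that the loader's unexpected-error path forwards the raw error; whatever final error handler sits at the end of the chain must turn it into a generic 500 rather than echoing its message, or the database error text reaches the client.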

Parameters:

Name  Type      Description
err   Error     The error that occurred.
req   Request   Express request object.
res   Response  Express response object.
next  function  Function that calls the next middleware in the stack.

(inner) authorizationErrorHandler(err, req, res, next)

This error-handling middleware function is called by express-jwt-policies if an authorization error occurs (i.e. a custom policy function determined that a user does not have access to a specific resource).

Such an error is usually replaced by a standard forbidden error (see module:server/api/utils/errors) and forwarded to the next error-handling middleware.

However, if the authorization options passed to auth.authorize include a resourceName property and a resource ID is found in req.params.id, then the error will instead be replaced by a standard record not found (404) error.

This is meant to prevent unauthorized users from being able to tell the difference between a resource that does not exist and one they are not authorized to access. If the former produced a 404 Not Found response and the latter a 403 Forbidden response, a 403 would be a dead giveaway that the resource exists. Responding with 404 Not Found in both cases conceals that information. For the concealment to hold, the 404 produced here must be indistinguishable (status, body and headers) from the one the route returns for a genuinely missing record; a different error message would leak the same information.

If the resource's identifier is not in req.params.id (for example, because the route uses a different parameter name), a custom resourceId function can be passed to auth.authorize to retrieve the correct ID from the request:

auth.authorize(policyFunc, {
  resourceName: 'user',
  resourceId: (req) => req.params.customId
});
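
The following is an added example, not the project's own code, showing an authorization error handler with the 403-to-404 substitution described above, run against a constructed request with no Express app and without express-jwt-policies. It assumes that authorize() below is a minimal stand-in for auth.authorize(policyFunc, options) which hands the handler the options it was configured with through an err.authorizationOptions property (how the real library passes them is not shown on this page), and that HttpError, forbiddenError() and recordNotFoundError() stand in for module:server/api/utils/errors.

```javascript
// Added example, not the project's own code. Assumptions (not from the page):
//  - authorize() is a stand-in for auth.authorize(policyFunc, options) that
//    passes the options to the handler via err.authorizationOptions;
//  - HttpError and the two error constructors stand in for
//    module:server/api/utils/errors.

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

function forbiddenError() {
  return new HttpError(403, 'You are not authorized to access this resource.');
}

// Must match exactly what the route returns for a genuinely missing record,
// otherwise the response body would still reveal which case occurred.
function recordNotFoundError(resourceName, id) {
  return new HttpError(404, `No ${resourceName} was found with ID ${id}.`);
}

// Error raised when a policy function denies access.
class AuthorizationError extends Error {
  constructor(options) {
    super('Access denied by policy');
    this.name = 'AuthorizationError';
    this.authorizationOptions = options;
  }
}

function authorizationErrorHandler(err, req, res, next) {
  if (!(err instanceof AuthorizationError)) {
    return next(err); // not a policy denial: forwarded unchanged
  }
  const options = err.authorizationOptions || {};
  // Default ID lookup is req.params.id; a custom resourceId function overrides it.
  const getResourceId = typeof options.resourceId === 'function'
    ? options.resourceId
    : r => (r.params ? r.params.id : undefined);
  const resourceId = getResourceId(req);
  if (options.resourceName && resourceId !== undefined) {
    // Conceal existence: the same 404 as for a record that does not exist.
    return next(recordNotFoundError(options.resourceName, resourceId));
  }
  next(forbiddenError());
}

// Stand-in for auth.authorize(): runs the policy and routes a denial to the handler.
function authorize(policyFunc, options = {}) {
  return function (req, res, next) {
    if (policyFunc(req)) return next();
    authorizationErrorHandler(new AuthorizationError(options), req, res, next);
  };
}

// Drives one middleware against a fake request and reports what reached next().
function run(middleware, req) {
  const outcome = { error: null, passed: false };
  middleware(req, {}, e => { if (e) outcome.error = e; else outcome.passed = true; });
  return outcome;
}

// Constructed policy: a user may only read their own account (e.g. GET /users/:id).
const onlyOwner = req => String(req.currentUser.id) === String(req.params.id);
const asUser7 = params => ({ currentUser: { id: 7 }, params });

function ownRecordAllowed() {
  return run(authorize(onlyOwner, { resourceName: 'user' }), asUser7({ id: '7' })).passed; // true
}
function otherRecordStatus() {
  // Denied, with resourceName and req.params.id present: 404, not 403.
  return run(authorize(onlyOwner, { resourceName: 'user' }), asUser7({ id: '8' })).error.status; // 404
}
function otherRecordStatusWithoutResourceName() {
  // No resourceName configured: plain 403.
  return run(authorize(onlyOwner), asUser7({ id: '8' })).error.status; // 403
}
function customIdMessage() {
  const opts = { resourceName: 'user', resourceId: r => r.params.customId };
  return run(authorize(() => false, opts), asUser7({ customId: '42' })).error.message;
}
function listRouteStatus() {
  // Collection route with no resource ID in the request: nothing to conceal, 403.
  return run(authorize(() => false, { resourceName: 'user' }), asUser7({})).error.status; // 403
}
function unexpectedErrorPassesThrough() {
  const boom = new RangeError('policy blew up');
  let seen;
  authorizationErrorHandler(boom, asUser7({ id: '8' }), {}, e => { seen = e; });
  return seen === boom; // true
}
```

The listRouteStatus case is worth keeping in mind: on collection routes there is no ID to conceal, so the handler correctly falls back to 403, and a resourceName on such a route changes nothing.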

Parameters:

Name  Type      Description
err   Error     The error that occurred.
req   Request   Express request object.
res   Response  Express response object.
next  function  Function that calls the next middleware in the stack.