UNPKG

@intuitionrobotics/thunderstorm

Version:
43 lines 2.36 kB
import { type Request, type RequestHandler, type Response } from "express"; import { type ServerApi_Middleware } from "./HttpServer.js"; import { ApiResponse } from "./server-api.js"; /** * The auth logic itself (session/JWT validation + scope checks) lives in the * CONSUMER (e.g. `AccountModule.validateSession` / `KasperoProxy.validateRequest`), * so the framework ships only this factory. A validator resolves the request to * an account (or rejects → the rejection flows to the terminal error handler). * * The legacy validators take an `ApiResponse`-shaped 3rd arg to refresh the JWT * response header; the consumer adapts the raw `res` to that shape when * instantiating (a tiny header sink) — see the migration recipe. */ export type AuthValidator = (req: Request, scopes: string[], res: Response) => Promise<Express.AuthAccount>; /** * Build a `requireAuth(...scopes)` middleware from a consumer auth validator. * * export const requireAuth = makeRequireAuth((req, scopes, res) => * AccountModule.validateSession(req, scopes, headerSink(res))); * * The returned middleware populates `req.account` and works both per-route * (`router.post("/x", requireAuth("admin"), handler(fn))`) and at router-group * level (`router.use(requireAuth())`). */ export declare function makeRequireAuth(validator: AuthValidator): (...scopes: string[]) => RequestHandler; /** * Adapt a raw Express `res` to the `ApiResponse` a legacy `ServerApi_Middleware` * expects. ApiResponse is now a thin res-backed helper, so this hands the gate a * real, fully-functional one (setHeader/setHeaders for JWT refresh, redirect for * SAML, json/text/… all delegate to `res`). */ export declare const headerSink: (res: Response) => ApiResponse; /** * Wrap a legacy `ServerApi_Middleware` `(request, data, response, scopes) => ctx` * as Express middleware — so existing authz/proxy gates run at the route site * without rewriting their logic (no fresh security review). Any returned context * object is merged onto `req` (e.g. `req.account`); rejections flow to the * app-level terminal error handler via `next(err)`. * * router.post("/x", useMiddleware(RemoteProxy.Middleware), handler(fn)); */ export declare const useMiddleware: (mw: ServerApi_Middleware, ...scopes: string[]) => RequestHandler; //# sourceMappingURL=requireAuth.d.ts.map