@intuitionrobotics/thunderstorm
Version:
43 lines • 2.36 kB
TypeScript
import { type Request, type RequestHandler, type Response } from "express";
import { type ServerApi_Middleware } from "./HttpServer.js";
import { ApiResponse } from "./server-api.js";
/**
* The auth logic itself (session/JWT validation + scope checks) lives in the
* CONSUMER (e.g. `AccountModule.validateSession` / `KasperoProxy.validateRequest`),
* so the framework ships only this factory. A validator resolves the request to
* an account (or rejects → the rejection flows to the terminal error handler).
*
* The legacy validators take an `ApiResponse`-shaped 3rd arg to refresh the JWT
* response header; the consumer adapts the raw `res` to that shape when
* instantiating (a tiny header sink) — see the migration recipe.
*/
export type AuthValidator = (req: Request, scopes: string[], res: Response) => Promise<Express.AuthAccount>;
/**
* Build a `requireAuth(...scopes)` middleware from a consumer auth validator.
*
* export const requireAuth = makeRequireAuth((req, scopes, res) =>
* AccountModule.validateSession(req, scopes, headerSink(res)));
*
* The returned middleware populates `req.account` and works both per-route
* (`router.post("/x", requireAuth("admin"), handler(fn))`) and at router-group
* level (`router.use(requireAuth())`).
*/
export declare function makeRequireAuth(validator: AuthValidator): (...scopes: string[]) => RequestHandler;
/**
* Adapt a raw Express `res` to the `ApiResponse` a legacy `ServerApi_Middleware`
* expects. ApiResponse is now a thin res-backed helper, so this hands the gate a
* real, fully-functional one (setHeader/setHeaders for JWT refresh, redirect for
* SAML, json/text/… all delegate to `res`).
*/
export declare const headerSink: (res: Response) => ApiResponse;
/**
* Wrap a legacy `ServerApi_Middleware` `(request, data, response, scopes) => ctx`
* as Express middleware — so existing authz/proxy gates run at the route site
* without rewriting their logic (no fresh security review). Any returned context
* object is merged onto `req` (e.g. `req.account`); rejections flow to the
* app-level terminal error handler via `next(err)`.
*
* router.post("/x", useMiddleware(RemoteProxy.Middleware), handler(fn));
*/
export declare const useMiddleware: (mw: ServerApi_Middleware, ...scopes: string[]) => RequestHandler;
//# sourceMappingURL=requireAuth.d.ts.map