@kobotech/core-auth

Provides Authentication & Authorization utilities

Usage (no npm install needed):

<script type="module">
  import kobotechCoreAuth from 'https://cdn.skypack.dev/@kobotech/core-auth';
</script>

README

Kobo360 Auth Library

This library provides utilities to support the authentication of API requests within the services.

Usage

Add the dependency on this library to your project's package.json in the dependencies section:

{
  "dependencies": {
    "@kobotech/core-auth": "1.0.0"
  }
}

Run npm install to install the defined dependencies.

How to use in your library

const express = require("express");
const coreAuth = require("@kobotech/core-auth");

const app = express();

// Secret shared with the service that issues the JWTs; load it from the
// environment rather than hard-coding it in the source.
const jwtSecret = process.env.JWT_SECRET;

app.get(
  "/user",
  coreAuth.authenticate(jwtSecret, { view: [coreAuth.roles.ADMIN] }, ["/user"]),
  coreAuth.hasPermission("view", coreAuth.roles.ADMIN),
  // The route handler runs only if both middlewares called next()
  (req, res) => res.json({ ok: true })
);

app.listen(3000);

In the setup above, a /user endpoint is defined and guarded by the authenticate middleware followed by the hasPermission middleware.

The authenticate middleware takes three arguments: jwtSecret, accessControlList and exclusionList.

  • jwtSecret - the secret used to sign and verify the JWT tokens
  • accessControlList - an object of allowed actions, defined in the format:
{
  "<action>": ["<role>", "<role>"]
}

e.g.

{
  "admin": [
    coreAuth.roles.SUPER_ADMIN,
    coreAuth.roles.ADMIN,
    coreAuth.roles.COMMS,
    coreAuth.roles.OPS,
    coreAuth.roles.FINANCE,
    coreAuth.roles.ECEO
  ],
  "all": [
    coreAuth.roles.SUPER_ADMIN,
    coreAuth.roles.ADMIN,
    coreAuth.roles.COMMS,
    coreAuth.roles.OPS,
    coreAuth.roles.CUSTOMER,
    coreAuth.roles.DRIVER,
    coreAuth.roles.PARTNER,
    coreAuth.roles.RECIPIENT,
    coreAuth.roles.FINANCE,
    coreAuth.roles.FIELD_OFFICER,
    coreAuth.roles.ECEO,
    coreAuth.roles.KOBO_AGENT,
    coreAuth.roles.BANK
  ]
}
  • exclusionList - an array of endpoint paths that are excluded from authentication; requests to these paths pass through without any token being checked.

Also in the configuration above, the hasPermission middleware (which can also be invoked via hasResource) is configured to determine whether the authenticated user has the required permission to access the resource.

As defined, the hasPermission middleware takes two arguments: permission and userType.

  • permission - the object key in the accessControlList object passed to the authenticate middleware.
  • userType - an optional parameter; when given, the logged-in user must be of that userType/role to access the resource. Even when it is omitted, the user's userType is still checked against the roles listed for the permission in the accessControlList passed to the authenticate middleware.