This module provides authentication against an SSO service that exposes the following endpoints (endpoint locations are configurable):
GET /validate: Validates a "session_key" header (exact name of header is configurable) or "x-api-key" header
and returns a JSON string of the authenticated user. The SSO service validates HTTP basic auth, which
verifies the authenticity of the X-Forwarded-For header containing the client's IP address. This establishes
trust between the calling microservice and the SSO provider.
GET /logout: Logs out the user
Install: npm install --save kjd-auth
Usage:
const express = require('express');
const auth = require('kjd-auth');
const app = express();
let authClient = auth.AuthClient(config); //This must be a full config object.
//This enables authentication in the middleware app. This allows using
//req.user in routes to get the authenticated user. If no user is authenticated
//then req.user will be null/undefined (falsey).
app.use(auth.ssoMiddlewareAuthentication);
//To require authentication on a route
app.get('/private', auth.authRequiredFailureRedirect, function(req, res){
//req.user has an authenticated user. If auth failed the user is redirected to the
//signin page provided in the config.
res.json(req.user);
});
app.get('/api/v1/private', auth.authRequiredFailure401, function(req, res){
//req.user has an authenticated user. If auth failed a 401 Unauthorized
//is returned. Use this when you don't want the caller to be redirected (API endpoints).
res.json(req.user);
});
//Returns the current user. If not authenticated this route will return a 401
app.get('/me', auth.getCurrentUserRoute);
//Logout the current user from the SSO service by redirecting them to the SSO logout
//url provided in the config. First verify they are logged in since there is no
//need to logout a user who is not logged in. Either way this has the same end result
//of returning the caller to the SSO login page.
app.get('/logout', auth.authRequiredFailureRedirect, auth.getCurrentUserRoute);
This module keeps a cache of valid session and API keys to increase performance. A single request can skip the cache by adding ?noCache=true to the URL or including noCache=true in the request header. See the example configuration below:
{
//When set to false, 401 (Unauthorized) will not be returned
authenticationEnabled: true,
//This is used when auth fails and the request should be redirected back to the origin hostname
currentApplicationHostname: "someapp.example.com",
//The name of the session cookie that will be checked for authentication
sessionCookieName: "my_session",
//Defines the name of the session key header. Note x-api-key is used for API keys since this is standard
sessionKeyHeaderName: "my_session",
//The domain the cookie is assigned to. The leading . is important here.
cookieDomain: ".example.com",
//Login Page URL - Full url (with protocol) for login
loginPageUrl: "https://sso.example.com",
//Validation URL - Full url (with protocol) used to validate authentication
validationUrl: "https://sso.example.com/validate",
//Microservice Basic Auth Username and Password - Used for basic auth to the validation service.
//The client's IP address is added into the X-Forwarded-For header so the client's IP can be validated
username: "user",
password: "password",
//Logout URL - Full url (with protocol) for logout. There is a logout route above that redirects the user to this logout URL
ssoLogoutUrl: "https://sso.example.com/logout",
//Cache enabled - If this is set to false then no caching will occur. This is not recommended, for performance reasons.
//Single requests can skip the cache by adding no-cache in the header or in the url query. Example: example.com?nocache=true
cacheEnabled: true,
cacheTTLSec: 300
}
Without Comments in JSON:
{
"authenticationEnabled": true,
"currentApplicationHostname": "someapp.example.com",
"sessionCookieName": "my_session",
"sessionKeyHeaderName": "my_session",
"cookieDomain": ".example.com",
"loginPageUrl": "https://sso.example.com",
"validationUrl": "https://sso.example.com/validate",
"username": "user",
"password": "password",
"ssoLogoutUrl": "https://sso.example.com/logout",
"cacheEnabled": true,
"cacheTTLSec": 300
}
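The following is an added example, not code from the kjd-auth module, that models the two mechanisms this README describes: the request the microservice sends to the /validate endpoint (basic auth for the microservice, X-Forwarded-For for the client's IP, the session or API key under its header name) and the TTL cache of valid keys that a single request can bypass with noCache. It reuses the README's example configuration values; `createValidator`, `buildValidateRequest`, `fakeSsoValidate` and the `fetchValidate` callback are this example's own names and are not the module's API. It assumes header names arrive lowercased (as Node's http module delivers them) and, as a choice of this example rather than documented module behaviour, keys cache entries by credential and client IP together, so a result the SSO service validated for one X-Forwarded-For is never served to a different one.

```javascript
// Added example, not part of the kjd-auth module: a minimal model of the
// validation flow the README describes. `fetchValidate` stands in for the real
// HTTP call to the SSO service so the example runs offline (it is synchronous
// here; a real implementation would make it async).

// Config values taken from the README's example configuration.
const exampleConfig = {
  validationUrl: 'https://sso.example.com/validate',
  sessionCookieName: 'my_session',
  sessionKeyHeaderName: 'my_session',
  username: 'user',
  password: 'password',
  cacheEnabled: true,
  cacheTTLSec: 300,
};

// Find the credential /validate accepts: an API key in x-api-key, or the session
// key from the configured header or cookie. Header names are assumed lowercased,
// as Node's http module delivers them.
function extractCredential(config, req) {
  const headers = req.headers || {};
  const cookies = req.cookies || {};
  if (headers['x-api-key']) return { header: 'x-api-key', value: headers['x-api-key'] };
  const sessionKey = headers[config.sessionKeyHeaderName] || cookies[config.sessionCookieName];
  if (sessionKey) return { header: config.sessionKeyHeaderName, value: sessionKey };
  return null;
}

// The request the microservice sends upstream: HTTP basic auth identifies the
// microservice, X-Forwarded-For carries the client's IP for the SSO service to
// check, and the credential travels under its own header name.
function buildValidateRequest(config, req, credential) {
  const basic = Buffer.from(`${config.username}:${config.password}`).toString('base64');
  return {
    method: 'GET',
    url: config.validationUrl,
    headers: {
      authorization: `Basic ${basic}`,
      'x-forwarded-for': req.ip,
      [credential.header]: credential.value,
    },
  };
}

// A single request bypasses the cache with ?noCache=true or a noCache: true header.
function wantsNoCache(req) {
  const q = req.query || {};
  const h = req.headers || {};
  return String(q.noCache).toLowerCase() === 'true' || String(h.nocache).toLowerCase() === 'true';
}

// Validator with a TTL cache (assumption of this example: entries are keyed by
// credential AND client IP, so a cached result is never reused for a different
// X-Forwarded-For than the one the SSO service actually validated).
function createValidator(config, fetchValidate, now = Date.now) {
  const cache = new Map(); // key -> { user, expiresAt }
  let upstreamCalls = 0;

  function validate(req) {
    const credential = extractCredential(config, req);
    if (!credential) return null; // nothing to validate, no upstream call
    const key = `${credential.header}:${credential.value}|${req.ip}`;
    if (config.cacheEnabled && !wantsNoCache(req)) {
      const hit = cache.get(key);
      if (hit && hit.expiresAt > now()) return hit.user;
      cache.delete(key); // expired
    }
    upstreamCalls += 1;
    const user = fetchValidate(buildValidateRequest(config, req, credential));
    if (user && config.cacheEnabled) {
      cache.set(key, { user, expiresAt: now() + config.cacheTTLSec * 1000 });
    } else {
      cache.delete(key); // never cache a rejection
    }
    return user;
  }

  return { validate, upstreamCalls: () => upstreamCalls };
}

// Constructed stand-in for the SSO service: it checks the microservice's basic
// auth first and only knows the session key "sess-abc".
function fakeSsoValidate(outgoing) {
  const expectedAuth = 'Basic ' + Buffer.from('user:password').toString('base64');
  if (outgoing.headers.authorization !== expectedAuth) return null; // microservice not trusted
  return outgoing.headers.my_session === 'sess-abc' ? { username: 'alice' } : null;
}

// Walk through the flow with a controllable clock: hit, cached hit, TTL expiry,
// explicit noCache bypass, and a different client IP for the same session key.
function demo() {
  let clock = 0;
  const validator = createValidator(exampleConfig, fakeSsoValidate, () => clock);
  const req = { ip: '203.0.113.10', headers: { my_session: 'sess-abc' }, query: {} };
  const first = validator.validate(req);                                     // upstream call
  const second = validator.validate(req);                                    // served from cache
  clock = 301 * 1000;                                                        // past cacheTTLSec
  const third = validator.validate(req);                                     // expired, upstream again
  const fourth = validator.validate({ ...req, query: { noCache: 'true' } }); // bypass
  const otherIp = validator.validate({ ...req, ip: '198.51.100.7' });        // different client
  return { first, second, third, fourth, otherIp, upstreamCalls: validator.upstreamCalls() };
}
```

Running `demo()` performs four upstream calls for five validations: the second request is answered from the cache, while the expired entry, the noCache request and the request from a different client IP all go back to the SSO service. Rejections are never cached, so a revoked or mistyped key is re-checked on every request.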