diff --git a/docs/software-development-kits/javascript/express.mdx b/docs/software-development-kits/javascript/express.mdx
index 62f44ef..f37c7e2 100644
--- a/docs/software-development-kits/javascript/express.mdx
+++ b/docs/software-development-kits/javascript/express.mdx
@@ -47,34 +47,33 @@ yarn add @aserto/aserto-node
 ```ts
 interface Authorizer {
   config: AuthorizerConfig,
-  channelCredentials: ChannelCredentials = credentials.createSsl()
 };
 type AuthorizerConfig = {
   authorizerServiceUrl?: string;
   tenantId?: string;
   authorizerApiKey?: string;
+  token?: string;
   authorizerCertFile?: string;
+  insecure?: boolean;
 };
 ```
 ### Topaz
 ```ts
-import { getSSLCredentials } from "@aserto/aserto-node";
-
-const sslCredentials = getSSLCredentials(`${process.env.HOME}/.config/topaz/certs/grpc-ca.crt`)
+import { Authorizer } from "@aserto/aserto-node";
 const authClient = new Authorizer({
   authorizerServiceUrl: "localhost:8282",
-}, sslCredentials);
+  authorizerCertFile: `${process.env.HOME}/.config/topaz/certs/grpc-ca.crt`
+});
 ```
 #### Example:
 ```ts
 import {
   Authorizer,
-  getSSLCredentials,
   identityContext,
   policyContext,
   policyInstance,
@@ -83,15 +82,15 @@ import {
 const authClient = new Authorizer(
   {
     authorizerServiceUrl: "localhost:8282",
+    authorizerCertFile: `${process.env.HOME}/.config/topaz/certs/grpc-ca.crt`
   },
-  getSSLCredentials(`${process.env.HOME}/.config/topaz/certs/grpc-ca.crt`)
 );
 authClient
   .Is({
     identityContext: identityContext(
       "rick@the-citadel.com",
-      "IDENTITY_TYPE_SUB"
+      "SUB"
     ),
     policyInstance: policyInstance("rebac", "rebac"),
     policyContext: policyContext("rebac.check", ["allowed"]),
@@ -110,7 +109,7 @@ await authClient
   .Is({
     identityContext: identityContext(
       "morty@the-citadel.com",
-      "IDENTITY_TYPE_SUB"
+      "SUB"
     ),
     policyInstance: policyInstance("todo", "todo"),
     policyContext: policyContext("todoApp.POST.todos", ["allowed"]),
@@ -124,7 +123,7 @@ await authClient
   .Is({
     identityContext: identityContext(
       "morty@the-citadel.com",
-      "IDENTITY_TYPE_SUB"
+      "SUB"
     ),
     policyInstance: policyInstance("todo", "todo"),
     policyContext: policyContext("todoApp.POST.todos", ["allowed"]),
@@ -140,7 +139,7 @@ await authClient
   .DecisionTree({
     identityContext: identityContext(
       "morty@the-citadel.com",
-      "IDENTITY_TYPE_SUB"
+      "SUB"
     ),
     policyInstance: policyInstance("todo", "todo"),
     policyContext: policyContext("todoApp.POST.todos", ["allowed"]),
@@ -157,10 +156,6 @@ await authClient
 ### Middleware
-:::note
-`express@^4.0.0` is a peer dependency for the Middleware. Make sure it is installed in your project.
-:::
-
 When authorization middleware is configured and attached to a server, it examines incoming requests, extracts authorization parameters like the caller's identity, calls the Aserto authorizers, and rejects messages if their access is denied.
 `failWithError`: When set to `true`, will forward errors to `next` instead of ending the response directly.
@@ -246,14 +241,10 @@ const rebacMw = new Middleware({
 // Only users that are in the `evil_genius` group are allowed to delete todos.
 app.delete("/todos/:id", checkJwt, rebacMw.Check({
-  object: {
-    type: "group",
-    id: "evil_genius"
-  },
-  relation: {
-    name: "member",
-  }
-})
+  objectType: "group",
+  objectId: "evil_genius"
+  relation: "member",
+}))
 ```
 #### Mappers
@@ -294,13 +285,14 @@ const restMw = new Middleware({
 The whole identity resolution can be overwritten by providing a custom function.
 ```ts
+// needs to return an IdentityContext
 import { identityContext } from "@aserto/aserto-node";
 const restMw = new Middleware({
   client: authClient,
   policy: policy,
   identityMapper: async () => {
-    return identityContext('test', 'IDENTITY_TYPE_SUB')
+    return identityContext('test', 'SUB')
   },
 })
 ```
@@ -314,7 +306,8 @@ By default, the policy path is derived from the URL path.
 To provide custom logic, use a PolicyMapper. For example:
 ```ts
-import { policyContext } from "@aserto/aserto-node";
+// needs to return an IdentityContext
+import { identityContext } from "@aserto/aserto-node";
 const restMw = new Middleware({
   client: authClient,
@@ -362,17 +355,43 @@ async (req: Request) => { return { customKey: req.params.id } };
 type IdentityMapper = (req?: Request) => Promise;
 // You can also use the built-in policyContext function to create a identity context and pass it as the mapper response
-identityContext = (value: string, type: keyof IdentityTypeMap)
-
-IdentityTypeMap {
-  IDENTITY_TYPE_UNKNOWN: 0;
-  IDENTITY_TYPE_NONE: 1;
-  IDENTITY_TYPE_SUB: 2;
-  IDENTITY_TYPE_JWT: 3;
+const identityContext = (value: string, type: keyof typeof IdentityType) => {
+
+IdentityType {
+  /**
+   * Unknown, value not set, requests will fail with identity type not set error.
+   *
+   * @generated from enum value: IDENTITY_TYPE_UNKNOWN = 0;
+   */
+  UNKNOWN = 0,
+  /**
+   * None, no explicit identity context set, equals anonymous.
+   *
+   * @generated from enum value: IDENTITY_TYPE_NONE = 1;
+   */
+  NONE = 1,
+  /**
+   * Sub(ject), identity field contains an oAUTH subject.
+   *
+   * @generated from enum value: IDENTITY_TYPE_SUB = 2;
+   */
+  SUB = 2,
+  /**
+   * JWT, identity field contains a JWT access token.
+   *
+   * @generated from enum value: IDENTITY_TYPE_JWT = 3;
+   */
+  JWT = 3,
+  /**
+   * Manual, propagates thw identity field as-is, without validation, into the input object.
+   *
+   * @generated from enum value: IDENTITY_TYPE_MANUAL = 4;
+   */
+  MANUAL = 4
 }
 // example
-identityContext("morty@the-citadel.com", "IDENTITY_TYPE_SUB")
+identityContext("morty@the-citadel.com", "SUB")
 ```
 ##### Policy