{"id":20913808,"url":"https://github.com/sakuraapi/auth-audience","last_synced_at":"2025-05-13T09:31:21.846Z","repository":{"id":48035562,"uuid":"96572652","full_name":"sakuraapi/auth-audience","owner":"sakuraapi","description":"Middleware to support JWT audience role for SakuraApi servers","archived":true,"fork":false,"pushed_at":"2022-12-22T08:33:07.000Z","size":213,"stargazers_count":1,"open_issues_count":11,"forks_count":2,"subscribers_count":2,"default_branch":"develop","last_synced_at":"2025-04-18T21:28:18.832Z","etag":null,"topics":["api","express","expressjs","javascript","jwt","nodejs","sakuraapi","typescript"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sakuraapi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-07-07T20:02:55.000Z","updated_at":"2024-12-27T00:45:30.000Z","dependencies_parsed_at":"2023-01-30T06:16:10.463Z","dependency_job_id":null,"html_url":"https://github.com/sakuraapi/auth-audience","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sakuraapi%2Fauth-audience","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sakuraapi%2Fauth-audience/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sakuraapi%2Fauth-audience/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sakuraapi%2Fauth-audience/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sakuraapi","download_url":"https://codeload.github.com/sakuraapi/auth-audience/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253913060,"owners_count":21983249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","express","expressjs","javascript","jwt","nodejs","sakuraapi","typescript"],"created_at":"2024-11-18T15:08:03.592Z","updated_at":"2025-05-13T09:31:21.837Z","avatar_url":"https://github.com/sakuraapi.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# auth-audience\n\nMiddleware to support JWT audience role for SakuraApi servers\n\nInclude this as a plugin when instantiating `SakuraApi`. For example:\n```\n  const authAudienceOptions = {\n    // see: IAuthAudienceOptions for all your options\n  };\n  \n  const sapi = new SakuraApi({\n    // ... other stuff\n    plugins: [\n      {\n        options: authAudienceOptions,\n        order: 1,\n        plugin: addAuthAudience\n      }\n    ]\n  });\n```\n\n# Install\n`npm i @sakuraapi/auth-audience`\n\n\n# Configuration\n\nYou'll need to setup your environment (`src/config/environment.ts`, for example) with at least the following:\n```\nmodules.export = {\n  authentication: {\n    jwt: {\n      audience: \"audience.somedomain.somewhere\",\n      issuer: \"issuer.somedomain.somewhere\",\n      key: \"12345678901234567890123456789012\"\n    }\n  }\n};\n```\n\nThe `audience` is the identifier for the server on which you are implementing this plugin, it should have also been configured in your `auth-native-authority` or `auth-oauth-authority` settings.\n\nThe `issuer` is the identifier of the server that's providing the JWT credentials. \n\nThe key is the shared secret with the issuer. It's a 32 character key. Remember, if your issuer is supporting multiple audience servers, they don't have to share the same private keys -- in fact, you might not want them to.\n\nThis shouldn't need to be stated: don't commit your production private keys to your repo. Instead, inject them during deployment. How you do this is beyond the scope of this readme. This, by the way, is why you don't provide your key via the `authOptions` above. By putting it in your config files, you're able to create a config file for production that takes an environmental variable instead of having the key hard coded.\n\n## domained Audience\nThere will be times when in a multi tenanted environment when you will want to have a server authenticate on those different domains.  Each domain will have the 3-tuple of `audience`-`issuer`-`key`.  This auth-audience plugin is able to handle multiple domains (i.e., depending on the domain in the JWT, determining if the audience is supported and if the JWT signs correctly with the secret key for that audience given the domain)\n```\n   jwt: {\n       domainedAudiences: {\n           \"field\": {\n               audience: \"audience1.somedomain.somewhere\",\n               issuer: \"issuer1.somedomain.somewhere\",\n               key: \"123\"\n           },\n           \"default\": {\n               audience: \"audience2.somedomain.somewhere\",\n               issuer: \"issuer2.somedomain.somewhere\",\n               key: \"456\"\n           }\n       }\n   }\n   ```\n   \n# Use\n`auth-audience` exports `AuthAudience`. This can be used on your `@Routable` api calsses.\n\nSome rules to keep in mind:\n\n1. Authenticators are applied from left to right (in terms of their placement in an array).\n1. Each route has an array of authenticators that is a defined as `[...route-level-authenticators, ...class-level-authenticators]`.\n1. The first authenticator to succeed stops the iteration through authenticators.\n1. If all authenticators fail, the first one to have failed dictates the response.\n1. Authenticators can be provided alone, or as an array.\n\n## Example 1:\n```\n@Routable({\n    authenticators: [AuthAudience, Anonymous],\n    baseUrl: 'someapi'\n})\nclass SomeApi {}\n```\n(`Anonymous` is an authenticator exported by `@sakuraapi/api`).\n\nExample 1 subjects all `someapi` routes to `AuthAudience`. If that fails, then it subjects the request to `Anonymous` (which will never fail). If `AuthAudience` succeeds, a JWT for the user will be available on `res.locals.jwt` (or wherever you put it if you override `onAuthorized` in your options).\n\n## Example 2:\n```\n@Routable({\n    authenticators: AuthAudience,\n    baseUrl: 'someapi'\n})\nclass SomeApi {}\n```\n\nSubjects all `someapi` routes to `AuthAudience`, if that fails the user will get a 401 or whatever you set in your options.\n\n## Example 3\n```\n@Routable({\n    baseUrl: 'someapi'\n})\nclass SomeApi {}\n```\nThis just lets everything through.\n\n## Example 4\n```\n@Routable({\n    baseUrl: 'someapi'\n})\nclass SomeApi {\n    @Route({\n        authenticators: Anonymous\n        method: 'get',\n        path: 'handler1'\n    })\n    handler1(res, req, next) {\n        next();\n    }\n\n    @Route({\n        authenticators: AuthAudience\n        method: 'get',\n        path: 'handler2'\n    })\n    handler2(res, req, next) {\n        next();\n    }\n}\n```\nHere, `someapi/handler1` route is Anonymous and will let anyone through. `someapi/handler2` route is subjected to `AuthAudience`.\n\n## Example 5\n ```\n @Routable({\n     authenticators: AuthAudience,\n     baseUrl: 'someapi'\n })\n class SomeApi {\n     @Route({\n         authenticators: Anonymous\n         method: 'get',\n         path: 'handler1'\n     })\n     handler1(res, req, next) {\n         next();\n     }\n \n     @Route({\n         method: 'get',\n         path: 'handler2'\n     })\n     handler2(res, req, next) {\n         next();\n     }\n }\n ```\nIn the above example, all routes would be subjected to `AuthAudience`, but `someapi/handler1` would override that and let anyone through as Anonymous.\n\nIn this case, route `someapi/handler1` would not have a JWT injected since Anonymous would be executed before `AuthAudience`. Be careful with your ordering.\n\n# Contributions\n[![CLA assistant](https://cla-assistant.io/readme/badge/sakuraapi/auth-audience)](https://cla-assistant.io/sakuraapi/auth-audience)\n\n* Sign the Contributor License Agreement (CLA)\n* Fork the project; make your contribution (don't forget to write your unit-tests); do a pull request back to develop (pull updates frequently to not fall too far behind)\n* Before heading off to work on something, considering collaborating first by either (1) opening an issue or (2) starting a conversation on gitter or in the Google forum that leads to back to (1)\n* All work should be done against an issue (https://github.com/sakuraapi/auth-audience/issues)\n* All contributions require unit-tests\n* Use the linter (`npm run lint`) to verify you comply with the style guide\n* Reset your changes to the docs/ directory before submitting changes - that directory is generated by TypeDoc and we only update it when we're releasing new updates. If you want to update the documentation, change the appropriate comments in the code.\n\n\n# Bug Reporting\n* An ideal bug report will include a PR with a unit-testing demonstrating the bug. TDBR (test driven bug reporting). :)\n* Feel free to open an issue before you start working on a PR to prove / demonstrate your bug report, but please close that ticket if you find that your bug was an error on your side\n\n# Community and Conduct\n\nEveryone should be treated with respect. Though candor is encouraged, being mean will not be tolerated.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsakuraapi%2Fauth-audience","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsakuraapi%2Fauth-audience","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsakuraapi%2Fauth-audience/lists"}