Class BackendAuthClient<DatabaseUser, UserId, AssumedUserParams>

An auth client for creating and validating JWTs embedded in cookies. This should only be used in a backend environment as it accesses native Node packages.

Type Parameters

DatabaseUser extends AnyObject
UserId extends string | number
AssumedUserParams extends AnyObject = EmptyObject

Index

Constructors

constructor

new BackendAuthClient<
    DatabaseUser extends AnyObject,
    UserId extends string | number,
    AssumedUserParams extends AnyObject = EmptyObject,
>(
    config: BackendAuthClientConfig<DatabaseUser, UserId, AssumedUserParams>,
): BackendAuthClient<DatabaseUser, UserId, AssumedUserParams>
Type Parameters
- DatabaseUser extends AnyObject
- UserId extends string | number
- AssumedUserParams extends AnyObject = EmptyObject
Parameters
- config: BackendAuthClientConfig<DatabaseUser, UserId, AssumedUserParams>
Returns BackendAuthClient<DatabaseUser, UserId, AssumedUserParams>
- Defined in auth-client/backend-auth.client.ts:204

Properties

`Protected`cachedParsedJwtKeys

cachedParsedJwtKeys: Record<string, Readonly<JwtKeys>> = {}

`Protected` `Readonly`config

config: BackendAuthClientConfig<DatabaseUser, UserId, AssumedUserParams>

Methods

`Protected`createCookieRefreshHeaders

createCookieRefreshHeaders(
    __namedParameters: {
        requestHeaders: IncomingHttpHeaders;
        userIdResult: Readonly<UserIdResult<UserId>>;
    },
): Promise<OutgoingHttpHeaders | undefined>
Creates a 'cookie-set' header to refresh the user's session cookie.
Parameters
- __namedParameters: {
  requestHeaders: IncomingHttpHeaders;
  userIdResult: Readonly<UserIdResult<UserId>>;
  }
Returns Promise<OutgoingHttpHeaders | undefined>
- Defined in auth-client/backend-auth.client.ts:303

createLoginHeaders

createLoginHeaders(
    __namedParameters: {
        isSignUpCookie: boolean;
        requestHeaders: IncomingHttpHeaders;
        userId: UserId;
    },
): Promise<OutgoingHttpHeaders>
Use these headers to log a user in.
Parameters
- __namedParameters: { isSignUpCookie: boolean; requestHeaders: IncomingHttpHeaders; userId: UserId }
Returns Promise<OutgoingHttpHeaders>
- Defined in auth-client/backend-auth.client.ts:612

createLogoutHeaders

createLogoutHeaders(
    params: Readonly<
        _RequireExactlyOne<
            { allCookies: true; isSignUpCookie: boolean },
            "allCookies" | "isSignUpCookie",
        > & { serviceOrigin?: string },
    >,
): Promise<Record<string, string | string[]> & { "set-cookie": string[] }>
Use these headers to log out the user.
Parameters
- params: Readonly<
      _RequireExactlyOne<
          { allCookies: true; isSignUpCookie: boolean },
          "allCookies" | "isSignUpCookie",
      > & { serviceOrigin?: string },
  >
Returns Promise<Record<string, string | string[]> & { "set-cookie": string[] }>
- Defined in auth-client/backend-auth.client.ts:556

`Protected`getAssumedUser

getAssumedUser(
    __namedParameters: {
        requestHeaders: IncomingHttpHeaders;
        user: DatabaseUser;
    },
): Promise<DatabaseUser | undefined>
Reads the user's assumed user headers and, if configured, gets the assumed user.
Parameters
- __namedParameters: { requestHeaders: IncomingHttpHeaders; user: DatabaseUser }
Returns Promise<DatabaseUser | undefined>
- Defined in auth-client/backend-auth.client.ts:417

`Protected`getCookieParams

getCookieParams(
    __namedParameters: {
        isSignUpCookie: boolean;
        requestHeaders: Readonly<IncomingHttpHeaders> | undefined;
    },
): Promise<Readonly<CookieParams>>
Get all the parameters used for cookie generation.
Parameters
- __namedParameters: {
  isSignUpCookie: boolean;
  requestHeaders: Readonly<IncomingHttpHeaders> | undefined;
  }
  - isSignUpCookie: boolean
    Set this to true when we are setting the initial cookie right after a user signs up. This allows them to auto-authorize when they verify their email address.
    
    This should only be set to true when a new user is signing up.
  - requestHeaders: Readonly<IncomingHttpHeaders> | undefined
Returns Promise<Readonly<CookieParams>>
- Defined in auth-client/backend-auth.client.ts:233

`Protected`getDatabaseUser

getDatabaseUser(
    __namedParameters: {
        assumingUser: AssumedUserParams | undefined;
        isSignUpCookie: boolean;
        requestHeaders: IncomingHttpHeaders;
        userId: UserId | undefined;
    },
): Promise<DatabaseUser | undefined>
Calls the provided getUserFromDatabase config.
Parameters
- __namedParameters: {
      assumingUser: AssumedUserParams | undefined;
      isSignUpCookie: boolean;
      requestHeaders: IncomingHttpHeaders;
      userId: UserId | undefined;
  }
Returns Promise<DatabaseUser | undefined>
- Defined in auth-client/backend-auth.client.ts:262

getInsecureOrSecureUser

getInsecureOrSecureUser(
    params: {
        allowUserAuthRefresh: boolean;
        isSignUpCookie: boolean;
        requestHeaders: IncomingHttpHeaders;
        serviceOrigin?: string;
    },
): Promise<
    _RequireOneOrNone<
        {
            insecureUser: GetUserResult<DatabaseUser>;
            secureUser: GetUserResult<DatabaseUser>;
        },
        "secureUser"
        | "insecureUser",
    >,
>
Combines .getInsecureUser() and .getSecureUser() into one method.
Parameters
- params: {
      allowUserAuthRefresh: boolean;
      isSignUpCookie: boolean;
      requestHeaders: IncomingHttpHeaders;
      serviceOrigin?: string;
  }
  - allowUserAuthRefresh: boolean
    If true, this method will generate headers to refresh the user's auth session. This should likely only be done with a specific endpoint, like whatever endpoint you trigger with the frontend auth client's checkUser.performCheck callback.
  - isSignUpCookie: boolean
  - requestHeaders: IncomingHttpHeaders
  - OptionalserviceOrigin?: string
    Overrides the client's already established serviceOrigin.
Returns Promise<
    _RequireOneOrNone<
        {
            insecureUser: GetUserResult<DatabaseUser>;
            secureUser: GetUserResult<DatabaseUser>;
        },
        "secureUser"
        | "insecureUser",
    >,
>
- Defined in auth-client/backend-auth.client.ts:667

getInsecureUser

getInsecureUser(
    __namedParameters: {
        allowUserAuthRefresh: boolean;
        requestHeaders: IncomingHttpHeaders;
    },
): Promise<GetUserResult<DatabaseUser> | undefined>
Parameters
- __namedParameters: { allowUserAuthRefresh: boolean; requestHeaders: IncomingHttpHeaders }
  - allowUserAuthRefresh: boolean
    If true, this method will generate headers to refresh the user's auth session. This should likely only be done with a specific endpoint, like whatever endpoint you trigger with the frontend auth client's checkUser.performCheck callback.
  - requestHeaders: IncomingHttpHeaders
Returns Promise<GetUserResult<DatabaseUser> | undefined>
Deprecated
This only half authenticates the user. It should only be used in circumstances where JavaScript cannot be used to attach the CSRF token header to the request (like when opening a PDF file). Use .getSecureUser() instead, whenever possible.
- Defined in auth-client/backend-auth.client.ts:713

getJwtParams

getJwtParams(): Promise<
    Readonly<CreateJwtParams> & Readonly<
        Pick<CreateJwtParams, "issuer" | "audience" | "jwtKeys">,
    > & PartialWithUndefined<{ allowedClockSkew: Readonly<AnyDuration> }>,
>
Get all the JWT params used when creating the auth cookie, in case you need them for something else too.

Returns Promise<
    Readonly<CreateJwtParams> & Readonly<
        Pick<CreateJwtParams, "issuer" | "audience" | "jwtKeys">,
    > & PartialWithUndefined<{ allowedClockSkew: Readonly<AnyDuration> }>,
>
- Defined in auth-client/backend-auth.client.ts:533

getSecureUser

getSecureUser(
    __namedParameters: {
        allowUserAuthRefresh: boolean;
        isSignUpCookie: boolean;
        requestHeaders: IncomingHttpHeaders;
    },
): Promise<GetUserResult<DatabaseUser> | undefined>
Securely extract a user from their request headers.
Parameters
- __namedParameters: {
      allowUserAuthRefresh: boolean;
      isSignUpCookie: boolean;
      requestHeaders: IncomingHttpHeaders;
  }
  - allowUserAuthRefresh: boolean
    If true, this method will generate headers to refresh the user's auth session. This should likely only be done with a specific endpoint, like whatever endpoint you trigger with the frontend auth client's checkUser.performCheck callback.
  - isSignUpCookie: boolean
  - requestHeaders: IncomingHttpHeaders
Returns Promise<GetUserResult<DatabaseUser> | undefined>
- Defined in auth-client/backend-auth.client.ts:454

`Protected`logForUser

logForUser(
    params: {
        assumedUserParams: AssumedUserParams | undefined;
        user: DatabaseUser | undefined;
        userId: UserId | undefined;
    },
    message: string,
    extra?: Record<string, unknown>,
): void
Conditionally logs a message if logging is enabled for the given user context.
Parameters
- params: {
      assumedUserParams: AssumedUserParams | undefined;
      user: DatabaseUser | undefined;
      userId: UserId | undefined;
  }
- message: string
- Optionalextra: Record<string, unknown>
Returns void
- Defined in auth-client/backend-auth.client.ts:209

Class BackendAuthClient<DatabaseUser, UserId, AssumedUserParams>

Type Parameters

Index

Constructors

Properties

Methods

Constructors

constructor

Type Parameters

Parameters

Returns BackendAuthClient<DatabaseUser, UserId, AssumedUserParams>

Properties

ProtectedcachedParsedJwtKeys

Protected Readonlyconfig

Methods

ProtectedcreateCookieRefreshHeaders

Parameters

Returns Promise<OutgoingHttpHeaders | undefined>

createLoginHeaders

Parameters

Returns Promise<OutgoingHttpHeaders>

createLogoutHeaders

Parameters

Returns Promise<Record<string, string | string[]> & { "set-cookie": string[] }>

ProtectedgetAssumedUser

Parameters

Returns Promise<DatabaseUser | undefined>

ProtectedgetCookieParams

Parameters

isSignUpCookie: boolean

requestHeaders: Readonly<IncomingHttpHeaders> | undefined

Returns Promise<Readonly<CookieParams>>

ProtectedgetDatabaseUser

Parameters

Returns Promise<DatabaseUser | undefined>

getInsecureOrSecureUser

Parameters

allowUserAuthRefresh: boolean

isSignUpCookie: boolean

requestHeaders: IncomingHttpHeaders

OptionalserviceOrigin?: string

Returns Promise< _RequireOneOrNone< { insecureUser: GetUserResult<DatabaseUser>; secureUser: GetUserResult<DatabaseUser>; }, "secureUser" | "insecureUser", >,>

getInsecureUser

Parameters

allowUserAuthRefresh: boolean

requestHeaders: IncomingHttpHeaders

Returns Promise<GetUserResult<DatabaseUser> | undefined>

Deprecated

getJwtParams

Returns Promise< Readonly<CreateJwtParams> & Readonly< Pick<CreateJwtParams, "issuer" | "audience" | "jwtKeys">, > & PartialWithUndefined<{ allowedClockSkew: Readonly<AnyDuration> }>,>

getSecureUser

Parameters

allowUserAuthRefresh: boolean

isSignUpCookie: boolean

requestHeaders: IncomingHttpHeaders

Returns Promise<GetUserResult<DatabaseUser> | undefined>

ProtectedlogForUser

Parameters

Returns void

Settings

On This Page

`Protected`cachedParsedJwtKeys

`Protected` `Readonly`config

`Protected`createCookieRefreshHeaders

`Protected`getAssumedUser

`Protected`getCookieParams

`Protected`getDatabaseUser

`Optional`serviceOrigin?: string

Returns Promise<
_RequireOneOrNone<
{
insecureUser: GetUserResult<DatabaseUser>;
secureUser: GetUserResult<DatabaseUser>;
},
"secureUser"
| "insecureUser",
>,
>

Returns Promise<
Readonly<CreateJwtParams> & Readonly<
Pick<CreateJwtParams, "issuer" | "audience" | "jwtKeys">,
> & PartialWithUndefined<{ allowedClockSkew: Readonly<AnyDuration> }>,
>

`Protected`logForUser