customAuthentication



Specifies the module that Profound API runs to perform custom authentication and/or authorization instead of the built-in Profound API User Authentication.


customAuthentication: "authentication/authorize.js"



Input: The Express (npm) request object (required)

  • The request object has a property called apiRoute which contains information about the specific API being called.



Return: 

  • To cause a response of 401 - Not Authorized:

    • Return null

    • Or return a JavaScript object with a property named "authenticated" whose value is anything except the Boolean true.



  • To authenticate the requester, return a JavaScript object with the properties below:

{
  authenticated: true, // true authorizes the request; anything else denies it
  user: "theUserName", // Optional, but can be used to hook into the existing Profound API permissions checking
  roles: [],           // Optional, but can be used to hook into the existing Profound API permissions checking
  canExecute: boolean  // Optional. If you return the user or roles property, then it will not use the existing Profound API permissions checking
}





This Custom Authentication module can perform a few different things:

1- Authenticate the requester by any means necessary, such as a database, a file, external web services, etc.
2- Assign role(s) to the newly authenticated user.
3- Authorize the requester to perform the requested API call.





An example of an authentication module that uses a CSV file to authenticate a caller: the value of the HTTP "authorization" header is hashed and compared against the user lines stored in the CSV, and if the caller is authenticated, that user's roles are assigned in the response.

This example shows how the built-in Profound API Role Permission Security can be combined with any means of authentication.

const fs = require("fs");
const path = require("path");
const crypto = require("crypto");

function userListAuth(request) {
  // Invalid requester: no Authorization header at all
  if (!request.headers || !request.headers.authorization) return { authenticated: false };

  // Take the Basic credentials (base64-encoded user:password) and hash them
  let auth = request.headers.authorization.replace("Basic ", "");
  let hashPwd = crypto.createHash("sha1").update(auth).digest("hex");

  // Get all of the users from a file (or database, etc.)
  // Each line: userName,sha1HashOfCredentials,role1,role2,...
  let userFile = path.join(__dirname, "userList.csv");
  let data = fs.readFileSync(userFile).toString().split(/\r?\n/);

  // Find the user record that has the same hash
  for (let i = 0; i < data.length; i++) {
    let parts = data[i].split(",");
    // Skip blank or malformed lines (e.g. the empty string after a trailing newline)
    if (parts.length < 2) continue;
    // If found -- return that user as authenticated
    if (parts[1].trim() === hashPwd)
      return { authenticated: true, user: parts[0].trim(), roleNames: parts.slice(2).map((r) => r.trim()) };
  }

  // No matching hash -- return not authenticated
  return { authenticated: false };
}

exports.run = userListAuth;