Provides close-to-the metal utilities for authenticating and authorizing users across NYPR properties.
This addon leverages torii
in combination with ember-simple-auth
to handle auth and session state. Torii is used to handle interacting with third-party auth providers such as Facebook, and ESA is used to manage session state, authenticating, and authorizing outgoing requests.
This addon provides an ember-data model, adapter, and serializer for a user
, configured to interact with NYPR's auth back-end microservice.
Note this are subject to change in the future.
email: attr('string'),
givenName: attr('string'),
familyName: attr('string'),
preferredUsername: attr('string'),
picture: attr('string'),
facebookId: attr('string'),
status: attr('string'),
socialOnly: equal('status', 'FORCE_CHANGE_PASSWORD'),
hasPassword: not('socialOnly')
Interacting with the backend service should be handled by other, higher-level addons, such as the nypr-account-settings, but for reference, the requests related to the user model will be listed here. The expected config values are detailed further below. Config values will be notated in angle brackets.
Auth headers are added to all outgoing user-related requests.
X-Provider
: string value hint for back end service if a third-party service (e.g. Facebook) provided the auth tokenAuthorization
: a hashed, encoded auth token
See the auth microservice REST docs for more information.
GET <authAPI>/v1/session
The call to the store to retrieve the current user is actually a query
, instead of a findRecord
, which is what the ember-data
semantics would dictate. The reason for this is described in this guide from ember-simple-auth
on managing the current user. This addon follows the pattern outlined there very closely.
Post body is an object of field names and values for the new user.
POST <authAPI>/v1/user
PATCH <authAPI>/v1/user
Outgoing PATCH
requests only include values for the fields that are changing, as specified by the JSON merge patch strategy outlined here: https://tools.ietf.org/html/rfc7396.
DELETE <authAPI>/v1/user
A basic extension of ESA's OAuth2PasswordGrantAuthenticator
, specifying the serverTokenEndpoint
as <authAPI>/v1/session
.
Overrides the authenticate
and getSession
methods of the basic torii authenticator to communicate with our auth service back end when a user to credentialed via a third-party API.
The nypr
authorizer is how the X-Provider
header is added to outgoing requests. The auth backend uses this as a hint to determine which third-party server-side auth API it should use (if any) to authenticate the incoming access token.
This use of authorizer has been deprecated since nypr-auth 0.1.1. ember-simple-auth started warning of deprecation since version 1.6.0, and will deprecate authorizers when they release version 2.0. Instead, the authorize function on the session service is overridden to add the X-Provider
header.
A useful service for upstream apps to get the current user model. If a user is authenticated, it returns an ember-data record with their information as retrieved from the auth back end. If the current access token is invalid, ESA will wipe any local data for security purposes an reload the app.
Function
Call this as early as possible in your app to fetch the current authenticated user.
Object
The currently loaded user as an ember-data record.
Examples
// app/routes/application.js
export default Route.extend({
currentUser: Ember.service.inject(),
beforeModel() {
this.get('currentUser').load(); // makes a call to the back end and will set
// the results to `user` when it resolves
// if the session is not authenticated, this is a
// no op. if the session is expired or otherwise
// rejected by the server, this will reload the app
},
model() { ... }
})
The session
service provided by nypr-auth
is an extension of ESA's session
service. The additional methods are listed below.
browserId
is how we track anonymous user sessions via Etag
server headers managed by the publisher
backend.
Please used the syncBrowserId
method as early as possible in your app in order to get a session ID. The browserId
is saved in localStorage
as part of non-authenticated ESA session data, so it will persist across windows and logouts. syncBrowserId
will first check for an existing browserId
before fetching a new once. In the case when it finds out, it will alter the request so that it is reporting an existing ID to publisher rather than requesting a new one.
If someone is logged in as a staff user, there are additional editorial controls an app may choose to display. The staffAuth
method will check against an admin endpoint and update session data with an isStaff
boolean and a staffName
value if the user is an admin. More staff attributes may be added in the future.
This method can be used to perform a basic check against the auth service with a provided email and password. It allows for an app to assert given credentials are valid without triggering ESA's framework events regarding successful and unsuccessful validation attempts.
This addon requires a small set of config values in order for it to connect to the correct back end services.
The host of the auth
microservice backend. Used for most auth-related requests.
Publisher's admin backend host. Used to see if the current session is authenticated as a staff user.
The full host and pathname to the browserID
endpoint. It's currently named EtagAPI
for legacy reasons, but that is subject to change.
git clone [email protected]:nypublicradio/nypr-auth.git
this repositorycd nypr-auth
yarn
ember serve
- Visit your app at https://localhost:4200.
yarn test
(Runsember try:each
to test your addon against multiple Ember versions)ember test
ember test --server
ember build
For more information on using ember-cli, visit https://ember-cli.com/.