@financial-times/s3o-middleware

3.0.1 • Public • Published

S3O-middleware

Middleware to handle authenticating with S3O

Parsing cookies

This middleware can parse standard cookies via the cookie package. To use signed cookies or JSON cookies, add the cookie-parser middleware before the S3O middleware.

Finding the username of the logged in user

The username can be found in the request cookie, under req.cookies.s3o_username.

Setting the ttl of the cookie for an authenticated request

Defaults to fifteen minutes. Use Express' app.set function before sending users to authenticate:

app.set('s3o-cookie-ttl', 86400000); // one day (in ms)

Usage example for Express

If many routes require auth:

const express = require('express');
const app = express();

// Add routes here which don't require auth
const authS3O = require('@financial-times/s3o-middleware');
app.use(authS3O);
// Add routes here which require auth

If only paths within a given directory require auth:

const express = require('express');
const app = express();
const router = express.Router();
const authS3O = require('@financial-times/s3o-middleware');
router.use(authS3O);
app.use('/admin', router);

If specific paths require auth:

const express = require('express');
const app = express();
const router = express.Router();
const authS3O = require('@financial-times/s3o-middleware');

app.get('/', authS3O, router);
app.post('/', authS3O);

If you don't want the automatic redirect to the S3O login page, use the authS3ONoRedirect middleware. This could be because you want to protect an API endpoint for authenticated AJAX requests, for example. If the cookies are not present or are invalid, the authS3ONoRedirect middleware will respond with a simple 403: Forbidden response:

const express = require('express');
const app = express();
const router = express.Router();
const { authS3ONoRedirect } = require('@financial-times/s3o-middleware');

app.get('/some-authenticated-api', authS3ONoRedirect, router);
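
The mounting patterns above all depend on registration order: a route added before app.use(authS3O) is served without authentication. The following is an added example, not code from this package, that walks an Express router stack and lists the routes neither middleware guards. It assumes Express 4 internals (app._router.stack, layer.handle, layer.route, layer.regexp.fast_slash), and the sample stack and stand-in functions are constructed.

```javascript
// Added example, not code from s3o-middleware. Assumes Express 4 internals
// (app._router.stack, layer.handle, layer.route, layer.regexp.fast_slash);
// these are not public API and can change between Express versions.

// Returns "METHOD path" for each route that no listed auth middleware guards.
function findUnprotectedRoutes(stack, authHandlers, guarded = false) {
	const open = [];
	for (const layer of stack) {
		const isAuth = authHandlers.includes(layer.handle);
		if (isAuth && layer.regexp && layer.regexp.fast_slash) {
			// app.use(authS3O) with no path: every later layer is guarded.
			// A path-scoped use() is deliberately not counted (conservative).
			guarded = true;
		} else if (layer.route) {
			// app.get(path, authS3O, handler): auth attached to the route itself.
			const onRoute = layer.route.stack.some((l) => authHandlers.includes(l.handle));
			if (!guarded && !onRoute) {
				const methods = Object.keys(layer.route.methods).join(',').toUpperCase();
				open.push(`${methods} ${layer.route.path}`);
			}
		} else if (layer.handle && Array.isArray(layer.handle.stack)) {
			// Mounted express.Router(): inherits the guard state at its mount point;
			// a router.use(authS3O) inside it does not leak back to the parent.
			open.push(...findUnprotectedRoutes(layer.handle.stack, authHandlers, guarded));
		}
	}
	return open;
}

// Constructed sample mirroring the layer shapes Express 4 builds (stand-ins only).
const authS3O = function authS3O() {};
const authS3ONoRedirect = function authS3ONoRedirect() {};
const use = (handle) => ({ handle, regexp: { fast_slash: true } });
const route = (method, path, ...fns) => ({
	handle: () => {},
	route: { path, methods: { [method]: true }, stack: fns.map((handle) => ({ handle })) },
});
const mount = (...layers) => use(Object.assign(function router() {}, { stack: layers }));

const SAMPLE_STACK = [
	route('get', '/health', () => {}),                     // before app.use(authS3O)
	route('get', '/api/me', authS3ONoRedirect, () => {}),  // auth on the route
	mount(use(authS3O), route('get', '/users', () => {})), // router.use(authS3O)
	mount(route('get', '/export', () => {})),              // router with no auth
	use(authS3O),
	route('get', '/dashboard', () => {}),
];

console.log(findUnprotectedRoutes(SAMPLE_STACK, [authS3O, authS3ONoRedirect]));
```

Against a real Express 4 app, pass app._router.stack together with the two middleware functions imported as shown above. Route paths inside a mounted router are reported relative to that router.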

If your application terminates HTTPS at a load balancer or some other proxy, S3O will try to redirect to the HTTP version. You can override this by adding Express middleware that forces the protocol of the redirect URL.

app.use('/', function(req, res, next) {
	req.headers['x-forwarded-proto'] = 'https';
	next();
});

Upgrade to s3o version 4

Set the x-s3o-version header to 'v4' and optionally pass a system code in the x-s3o-systemcode header:

app.use('/', function(req, res, next) {
	req.headers['x-s3o-version'] = 'v4';
	req.headers['x-s3o-systemcode'] = 'your-system-code';
	next();
});

Install

npm i @financial-times/s3o-middleware

License

ISC

Unpacked Size

24.6 kB

Total Files

10

Collaborators

  • robgodfrey
  • robertboulton
  • seraph2000
  • hamza.samih
  • notlee
  • emmalewis
  • aendra
  • the-ft
  • rowanmanning
  • chee
  • alexwilson