# Security

Outdated

The orchestrator is the sole public-facing application. Typically it exposes a REST API, which is the only way for clients to interact with the services. Because the services themselves run with elevated permissions, every security check must be enforced at the orchestrator boundary, before a request is forwarded to a service.
# Guards

All checks should be delegated to guards. Workers SDK introduces this functionality for the NitroJS framework.
# Creation

Guards are stored in the guards directory of the orchestrator. A guard's name should accurately represent the entity required for the guard to pass, and its file should use the .guard.ts extension.

Workers SDK provides the defineNitroGuard function, which is the guard's entry point. A guard should not return a value; if data needs to be passed on to the request, extend event.context instead. In that case a module declaration is also required so the IDE can offer code completion for the new property:
```ts
// Augment h3's event context with the property the guard will set.
declare module 'h3' {
  interface H3EventContext {
    variableToExtend: string // The type of the variable is not limited to string
  }
}
```
```ts
// guards/jwt.guard.ts
// getHeader and createError come from h3; useRuntimeConfig is a Nitro auto-import.
// defineNitroGuard and token are provided by Workers SDK (auto-imported in the orchestrator).
import { getHeader, createError } from 'h3'

// Decoded JWT payload; adjust to the claims your tokens actually carry.
interface AuthUser {
  role: string
  email: string
  organizationId: string
}

export const jwtGuard = defineNitroGuard(async (event) => {
  // If clients send "Bearer <token>", strip the scheme before verifying.
  const authToken = getHeader(event, 'Authorization')
  if (!authToken) {
    throw createError({
      message: `Couldn't obtain JWT. The Authorization header might be missing.`,
      statusMessage: 'Unauthorized',
      status: 401,
    })
  }

  // Verification uses the secret from runtime config; never a value hard-coded in the guard.
  const [authUser, error] = await token.verify<AuthUser>({
    token: authToken,
    secret: useRuntimeConfig().jwtSecret,
  })
  if (error) {
    throw createError({
      message: 'Invalid or expired JWT.',
      statusMessage: 'Unauthorized',
      status: 401,
    })
  }

  // Only expose what downstream handlers need on the request context.
  const { role, email } = authUser!
  event.context.user = { role, email }
})

// Type of the property set above, so handlers get completion for event.context.user.
declare module 'h3' {
  interface H3EventContext {
    user: Pick<AuthUser, 'role' | 'email'>
  }
}
```
# Registration

Registering guards looks much like defining a plain Nitro event handler. Without guards, a handler is:

```ts
export default defineEventHandler((event) => {
  return true
})
```

With Workers SDK, use defineGuardEventHandler instead. Its first argument is a config object whose guards property lists the guards to run, in order, before the handler body executes; if any guard throws, the handler never runs:

```ts
export default defineGuardEventHandler({ guards: [jwtGuard, idempotencyGuard] }, async (event) => {
  return true
})
```
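The Creation and Registration sections above describe two things without showing them end to end: a guard that verifies a JWT and enriches event.context, and a guard pipeline that stops at the first failure. The following is an added, self-contained example (not Workers SDK or Nitro code) that reimplements a minimal defineGuardEventHandler and runs a jwtGuard plus an idempotencyGuard against constructed requests. The event shape, HttpError class, getHeader helper, the Bearer scheme, the Idempotency-Key header, the JWT_SECRET value and the sample claims are all assumptions made for the demo; the HS256 verification uses node:crypto directly rather than the SDK's token.verify.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'

// Minimal stand-ins for the h3 event and error objects (assumed shapes, not Nitro's own types).
interface GuardEvent {
  headers: Record<string, string> // constructed events use lowercase header names
  context: Record<string, unknown>
}
class HttpError extends Error {
  constructor(public readonly status: number, message: string) { super(message) }
}
function getHeader(event: GuardEvent, name: string): string | undefined {
  return event.headers[name.toLowerCase()]
}

type Guard = (event: GuardEvent) => void | Promise<void>
type Handler<T> = (event: GuardEvent) => T | Promise<T>

// Hypothetical re-implementation of defineGuardEventHandler: guards run in array order,
// the first thrown error aborts the request, and only then does the handler run.
function defineGuardEventHandler<T>(config: { guards: Guard[] }, handler: Handler<T>) {
  return async (event: GuardEvent): Promise<T> => {
    for (const guard of config.guards) await guard(event)
    return handler(event)
  }
}

const JWT_SECRET = 'constructed-demo-secret' // constructed; a real orchestrator reads useRuntimeConfig().jwtSecret

const b64url = (data: string | Buffer): string => Buffer.from(data).toString('base64url')

function decodeJson(part: string): Record<string, unknown> | null {
  try {
    const value = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'))
    return value !== null && typeof value === 'object' ? value : null
  } catch {
    return null
  }
}

// Mints a constructed HS256 token so the example has valid sample input; the guard only verifies.
export function signToken(payload: Record<string, unknown>, secret: string): string {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
  const body = b64url(JSON.stringify(payload))
  const sig = b64url(createHmac('sha256', secret).update(`${head}.${body}`).digest())
  return `${head}.${body}.${sig}`
}

// Verifies an HS256 JWT: structure, constant-time signature check, pinned algorithm, expiry.
export function verifyToken(token: string, secret: string): Record<string, unknown> | null {
  const parts = token.split('.')
  if (parts.length !== 3) return null
  const [head, body, sig] = parts
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest()
  const given = Buffer.from(sig, 'base64url')
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null
  const header = decodeJson(head)
  const payload = decodeJson(body)
  // HMAC was always used above, so "alg: none" or RS256 tokens cannot pass; the check documents the pin.
  if (!header || !payload || header.alg !== 'HS256') return null
  const exp = payload.exp
  if (typeof exp === 'number' && exp <= Math.floor(Date.now() / 1000)) return null
  return payload
}

export const jwtGuard: Guard = (event) => {
  const match = getHeader(event, 'Authorization')?.match(/^Bearer (\S+)$/)
  if (!match) throw new HttpError(401, 'Missing or malformed Authorization header.')
  const claims = verifyToken(match[1], JWT_SECRET)
  if (!claims) throw new HttpError(401, 'Invalid or expired JWT.')
  // Only the fields downstream handlers need are copied onto the context.
  event.context.user = { role: claims.role, email: claims.email }
}

export const idempotencyGuard: Guard = (event) => {
  if (!getHeader(event, 'Idempotency-Key')) throw new HttpError(400, 'Idempotency-Key header is required.')
}

export const handler = defineGuardEventHandler({ guards: [jwtGuard, idempotencyGuard] }, (event) => {
  return { ok: true, user: event.context.user }
})

// Drives the handler with constructed headers and maps the outcome to an HTTP status and body.
export async function run(headers: Record<string, string>): Promise<{ status: number; body: unknown }> {
  const event: GuardEvent = { headers, context: {} }
  try {
    return { status: 200, body: await handler(event) }
  } catch (err) {
    if (err instanceof HttpError) return { status: err.status, body: err.message }
    throw err
  }
}

export const sampleToken = signToken(
  { role: 'admin', email: 'admin@example.test', exp: Math.floor(Date.now() / 1000) + 3600 },
  JWT_SECRET,
)
```

Because guards run in array order, a request with a bad token and no Idempotency-Key gets 401 rather than 400: the identity check fails before the later guard is consulted, which is the behaviour you want so that unauthenticated callers learn nothing about the other checks.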