Module: caf_security/plug_security

Security plug for authentication.

Properties:

  {keysDir: string=, trustedPubKeyFile: string, privateKeyFile: string=,
   publicKeyFile: string=, accountsURL: string, allowNobodyUser: boolean,
   quotaURL: string=, quotaCA: string=}

where:

  • keysDir: directory for all key material.
  • trustedPubKeyFile: trusted public key used to verify tokens, as a self-signed certificate in PEM format (see openssl).
  • privateKeyFile and publicKeyFile: optional asymmetric key pair used to sign weakened (attenuated) tokens locally. Typically a remote service does the signing instead, and these are left unset.
  • accountsURL: URL of the accounts service.
  • allowNobodyUser: whether to allow the json_rpc.DEFAULT_FROM client to authenticate without credentials.
  • quotaURL: the URL of the quota service, or missing if service off.
  • quotaCA: the CA entrypoint for the service, or missing if service off.
Methods

__ca_attenuateToken__(megaTokenStr, constraints, cb0)

Weakens an authentication token, generating one (or many) less privileged token(s).

Parameters:

  • megaTokenStr (string): A serialized token.
  • constraints (tkDescArray): A description of the new token(s).
  • cb0 (cbType): A callback to return the new token(s) or an error.


__ca_authenticate__(from, tokenStr, cb0)

Authenticates the incoming request.

Parameters:

  • from (string): Principal sending this request.
  • tokenStr (string): Token to authenticate the principal.
  • cb0 (cbType): A callback with an error or the authenticated token.


__ca_blockCreate__(from, to) → {boolean}

Whether we should block attempts to create a missing CA.

Only the owner should be allowed to create new CAs, i.e., from === to.

Parameters:

  • from (string): Source of the request.
  • to (string): Target CA to be created if missing.

Returns:

  boolean: True if we should only allow returning a reference to an existing CA.

__ca_pulse__(cb0)

Cleans up token caches.

Called by cron_security periodically to force token re-validation.

Parameters:

  • cb0 (cbType): A callback to continue after cleaning.


__ca_quotaNewCA__(tokenStr [, cb0])

Registers a new CA with the Quota service.

Parameters:

  • tokenStr (string): An encoded token. This token was originally used to create the CA.
  • cb0 (cbType, optional): An optional callback to return an error.


__ca_verifyToken__(tokenStr) → {tokenType|null}

Verifies that the provided serialized token is trusted.

Parameters:

  • tokenStr (string): A serialized token to validate.

Returns:

  tokenType | null: A parsed, validated token, or null if the token is invalid.