npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@leisurelink/magicbus-authentic

v3.0.1

Published

Magicbus middleware for integration with authentic.

Downloads

8

Readme

magicbus-authentic

Magicbus middleware for integration with authentic. This module exports middleware for both producers and consumers. The producer side middleware adds an "Authorization" header that uses the same signature scheme as our HTTP "Authorization" header. The consumer side uses the "Authorization" header to retrieve an AuthContext representing the producer and exports it for use by downstream middleware.

Installation

$ npm install @leisurelink/magicbus-authentic

Usage

This document assumes you're familiar with the usage of Magicbus and focuses on the particulars of this middleware. Read the documentation on magicbus for more general information.

In a Producer

var util = require('util');
var magicbus = require('@leisurelink/magicbus');
var DateHeader = require('@leisurelink/magicbus-date-header');

var serviceDomainName = 'my-domain';
var appName = 'my-publisher';

var signatureSpec = {
  keyId: 'producer-key-id',
  key: 'producer-private-key'
};

var broker = magicbus.createBroker(serviceDomainName, appName, 'amqp://localhost/');
var publisher = magicbus.createPublisher(broker);
publisher.use(new SignatureAuthorizationHeader.Producer(signatureSpec).middleware);

var messageToSend = {
  sender: 'loves receiver'
};

publisher.publish(messageToSend);

you can optionally send an AuthContext or jwt in publish options.auth

Signature Spec Options

The constructor for the producer middleware takes a specification for how the signature should be generated.

keyId - Required - The id of a public key the producer has registered in Authentic.

key - Required - The private key corresponding to the keyId.

headers - Optional - An array containing the names of headers to include in the signature. If not specified, it will use the default value ['Date']. You need to make sure all headers specified by this property actually exist in the amqp properties.headers object before the middleware executes or it will fail. See magicbus-date-header and magicbus-content-length-header for easily adding headers you want to include in the signature.

algorithm - Optional - The algorithm to use for generating the signature. If not specified, it will use the default value 'rsa-sha256'.

In a Consumer

var util = require('util');
var magicbus = require('@leisurelink/magicbus');
var DateHeader = require('@leisurelink/magicbus-date-header');

var Broker = MagicBus.Broker;
var Subscriber = MagicBus.Subscriber;

var serviceDomainName = 'my-domain';
var appName = 'my-publisher';

var signatureSpec = {
  keyId: 'producer-key-id',
  key: 'producer-private-key'
};

var authenticClient = new AuthenticClient('authentic-url', 'consumer-key-id', 'consumer-private-key');
var authScope = new AuthScope({...});

var broker = magicbus.createBroker(serviceDomainName, appName, 'amqp://localhost/');
var subscriber = magicbus.createSubscriber(broker);
subscriber.use(
    new SignatureAuthorizationHeader.Consumer(authenticClient, authScope)
      .middleware
    );
subscriber.on('some-event', function(message) {
    console.log(receivedMessage);
  });

Constructor Parameters

The consumer middleware requires an AuthenticClient and an AuthScope to be able to contact Authentic and produce an AuthContext that represents the producer of the message.

Accessing the AuthContext

there can be up to two contexts accessed via: message.properties.auth = { endpoint, user, origin }

Invalid Signatures

The consumer middleware will reject any messages that don't have a valid signature. This includes rejecting messages that don't include any "Authorization" header.

To handle a mixture of messages that have a signature and messages that don't, this library will need to be changed to not reject anonymous messages. Enforcing that only authenticated messages are handled by the end consumer could be implemented as downstream middleware, or left to the end consumer itself.

Out of Scope

This middleware is independent of and should be compatible with any message envelope. Message envelopes and any related middleware should be defined seperately.

Contributing

Running Tests

Run all tests with the usual command:

$ npm test

This will run all tests, including integration tests that require a running RabbitMQ server and a running Authentic server. To exclude the integration tests (like on a build server without access to RabbitMQ and Authentic), run:

$ npm run-script test-ex-integration

Integration Test Environment Variables

The integration tests allow you to override the values they user for connection strings, key ids, keys, etc. using environment variables. Read through /test/integration/send-receive.integration-tests.js to figure out what you need to set to run the tests in your environment.

Remaining Work

The consumer middleware still contains a lot of stuff that should be refactored to vanilla javascript.

There is no way to plug in a logging library. The consumer middleware includes a lot of console.log that should be replaced with calls to an injected logging library.

There's no caching of calls to authentic and there probably should be.