aura-validate-apikey utility
aura-validate-apikey utility validates an APIKey of an incoming request
Introduction
The aura-validate-apikey utility validates the APIKey of an incoming request.
Find more information in the GitHub repository: https://github.com/Telefonica/aura-common-utilities/tree/master/packages/aura-utilities/src/aura-validate-apikey/
Initialization
The aura-validate-apikey utility is a singleton module designed to be used with the orchestrator.
```javascript
(async () => {
    try {
        // Sorted modules initialization
        const sortedModules = [AuthenticationApiKey /* , ...other modules */];
        // Instantiate the Service App.
        const appOrchestrator = new Orchestrator();
        // Add configuration, that will be required by almost all other modules
        appOrchestrator.setConfigurationManager(ConfigurationManager);
        // Add the dependent modules in order.
        appOrchestrator.addModules(sortedModules);
        // Initiate the App.
        await appOrchestrator.init();
    } catch (error) {
        logger.error({ error: error.message, msg: 'Server cannot start', stck: error, corr: CorrelatorUtil.auraSystem });
    }
})();
```
Use aura-validate-apikey utility
After initialising the AuthenticationApiKey instance (calling the static init method once), the APIKey can be validated with different methods:
- Middleware use: APIKey authorization for use with the swagger tools middleware. This function lets us pass a callback that is called when the validation has finished. (Not used yet.)
  `AuthenticationApiKey.instance.validateApiKeySwaggerTool(request, securityDefinition, scopes, callback);`
- Without callback: it validates the APIKey from the header and URL.
  `AuthenticationApiKey.instance.validateApiKey(authHeader, requestUrl, correlator);`
  It also exposes a method that only receives the request and a correlator. All necessary parameters are extracted from the request:
  `AuthenticationApiKey.instance.validateApiKeyAuthorization(request, correlator);`
Aura APIKey model
Each externally available API endpoint in Aura is authenticated by an APIKey that should have been generated independently for each environment.
These APIKeys contain an encrypted data model that allows checking both that the key was encrypted with the environment ENCRYPTION_KEY and that it grants access to the given API endpoint and method.
The APIKey model is described below:
| Field | Type | Description |
|---|---|---|
| i | string | id. Autogenerated unique identifier (UUID) of the APIKey. Added to be able to invalidate one APIKey individually. ⚠️ Future use. |
| s | string | scope that will be accessible with this APIKey. Currently, it contains part of the path of the endpoint. To access all endpoints of Aura Services, it contains aura-services. To access only one of the endpoints, for instance only /token in authentication-api, it should contain aura-services:token. To access /token and /ping, it should contain aura-services:token,ping. It is used in all modules. |
| a | string | authorized. It should contain the name of the client that is authorized by this APIKey: Kernel, Novum, etc. Currently, it is not checked, meaning that this field is not taken into account when deciding whether to grant access to an endpoint. |
| v | string | version. Version of Aura where it has been created. ⚠️ Future use, it will be used in case of changing the internal model. |
| e | string | environment where this APIKey applies. ⚠️ Future use. Currently, it is checked by having a different ENCRYPTION_KEY per environment. |
| m | string | mode. API access mode granted by this APIKey: r (read), w (write), rw (read and write). |
| t | Date | date of creation of the APIKey. Used to invalidate already created APIKeys. |
| c | string | checksum of the APIKey to validate that the APIKey is encrypted with the defined ENCRYPTION_KEY. It is used in all modules. |
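
The scope (`s`) and mode (`m`) fields in the table can be evaluated with a fail-closed check like the one below. This is an added example, not code from the aura-common-utilities repository: the function names, the match on the first path segment and the mapping of HTTP methods to `r`/`w` are assumptions, and the model is taken as already decrypted and checksum-verified.

```javascript
// Added example: scope and mode check over an already-decrypted APIKey model.
// Assumptions (not from the page): the function names, that a scoped endpoint
// is the first path segment of the request, and that GET/HEAD/OPTIONS count
// as "read" while every other HTTP method counts as "write".

const READ_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Parse the `s` field: "aura-services" or "aura-services:token,ping".
function parseScope(scope) {
  if (typeof scope !== 'string' || scope.length === 0) return null;
  const idx = scope.indexOf(':');
  if (idx === -1) return { service: scope, endpoints: null }; // all endpoints
  const service = scope.slice(0, idx);
  const endpoints = scope.slice(idx + 1).split(',').map((e) => e.trim()).filter(Boolean);
  // A trailing colon with no endpoints must not widen access to "all".
  if (service.length === 0 || endpoints.length === 0) return null;
  return { service, endpoints };
}

// Decide whether the `m` field (r, w or rw) grants the HTTP method.
function modeAllows(mode, httpMethod) {
  const needed = READ_METHODS.has(String(httpMethod).toUpperCase()) ? 'r' : 'w';
  return ['r', 'w', 'rw'].includes(mode) && mode.includes(needed);
}

// Fail-closed authorization decision for one request.
function isAuthorized(model, service, requestPath, httpMethod) {
  const parsed = parseScope(model && model.s);
  if (!parsed || parsed.service !== service) return false;
  if (!modeAllows(model.m, httpMethod)) return false;
  if (parsed.endpoints === null) return true;
  // Compare the whole first path segment, so "/tokens" does not match "token".
  const first = String(requestPath).split('?')[0].split('/').filter(Boolean)[0];
  return first !== undefined && parsed.endpoints.includes(first);
}

// Constructed sample models (values are illustrative only).
const tokenReadOnly = { s: 'aura-services:token,ping', m: 'r' };
const fullAccess = { s: 'aura-services', m: 'rw' };
```
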
API Key validation is applied in:
- aura-bot to validate requests coming from aura-bridge
- aura-authentication-api
- aura-bridge
- channel-communications-manager