Quik Framework :: Authorization Base
- Codename: Berlin
- Version: 0.2.0-beta.76
- License: Check license here
Provides authorization helpers, strategies, and utilities. The module loads default configurations and exports common schemes and types for use across the framework.
JWT Utilities
The verifyAndDecode helper validates a token and returns its payload. If no
token is provided the function throws an InvalidTokenError.
Installation
npm install @quik/authorization
Configuration
Defaults are loaded on import via @quik/core config. Environment variables can
override the JWT settings:
JWT_SECRET(default:thisisasecret)JWT_ISSUER(default:dev.quik.land)JWT_AUDIENCE(default:dev.quik.land)JWT_EXPIRE_TIME(default:1d)JWT_REMEMBER_ME_TIME(default:1y)JWT_ALGORITHM(default:HS256) — signing algorithm; useRS256for RSA key pairs
Authorization metadata configuration:
AUTH_CHECK_FIELD(default:permissions)
Configuration keys (from @quik/core config) that back the defaults:
auth.jwt.secret(JWT signing secret)auth.jwt.issuer(issuer string)auth.jwt.audience(audience string)auth.jwt.expireTime(default token expiry)auth.jwt.rememberMeTime(remember-me expiry)auth.jwt.algorithm(signing algorithm, defaultHS256)auth.authorization.fields.permission(permission field on the user payload)auth.authorization.fields.assuranceLevel(assurance level field on the user payload)auth.authorization.fields.authenticationMethods(list of authentication methods on the user payload)auth.authorization.fields.completedFactors(list of completed factors on the user payload)
Strategy Defaults & Error Mapping
- Missing or invalid JWT tokens map to
InvalidTokenError. - Unauthorized access and permission failures map to
MustBeAuthenticatedErrorandForbiddenAccessError. - Unknown security scheme names in decorators throw
UnregisteredAuthorizationStrategyError. - Strategy registration uses the exported
StrategiesStorefor consistency with OpenAPI security metadata.
Usage
import { Utils } from '@quik/authorization';
const token = Utils.JWT.sign({
payload: { sub: 'user-123' },
expiresIn: '1d'
});
const valid = Utils.JWT.verify(token);
const payload = Utils.JWT.verifyAndDecode<{ sub: string }>(token);
API Highlights
Utils.JWT.sign(options)signs a payload and returns a JWT string.Utils.JWT.verify(token)checks a token and returns a boolean.Utils.JWT.verifyAndDecode(token)verifies and returns the payload.Utils.JWT.decode(token)decodes without verification.Utils.JWT.validatorlets you plug custom async validation.Utils.BasicAuthprovides helpers for basic auth parsing.Utils.Tokensprovides token helpers used by strategies.
Errors
Exports include authorization and scheme errors such as:
InvalidTokenErrorAssuranceLevelTooLowErrorMissingRequiredAuthenticationFactorError
Assurance Decorators
The module also exports guard decorators for assurance requirements:
AuthDecorators.RequireAssuranceLevel(minLevel)AuthDecorators.RequireAnyFactor(...factors)AuthDecorators.RequireAllFactors(...factors)AuthDecorators.RequiresAal(minLevel)alias ofRequireAssuranceLevelAuthDecorators.RequiresFactor(...factors)alias ofRequireAnyFactorAuthDecorators.RequiresMfa()alias enforcing assurance level2ForbiddenAccessErrorMustBeAuthenticatedErrorMustBeUnauthenticatedErrorUnregisteredAuthorizationStrategyError
Schemes & Strategies
Security schemes and strategy helpers are exported from:
@quik/authorization/schemes@quik/authorization/strategies
Testing & Coverage
See the root instructions for details on running pnpm run test:coverage and accessing coverage artifacts.
API Reference
Generated API documentation is available in the authorization API section.