Configuration
Default configuration keys for @quik/authorization. See Config Keys for the full generated table.
- `auth.jwt.secret` (`JWT_SECRET`, default `thisisasecret`) — signing secret. Change this in every non-development environment.
- `auth.jwt.issuer` / `auth.jwt.audience` (`JWT_ISSUER` / `JWT_AUDIENCE`) — values embedded in and verified against signed tokens.
- `auth.jwt.expireTime` (`JWT_EXPIRE_TIME`, default `1d`) — default token lifetime.
- `auth.jwt.rememberMeTime` (`JWT_REMEMBER_ME_TIME`, default `1y`) — lifetime used when the `rememberMe` option is passed to `Utils.JWT.sign`.
- `auth.jwt.algorithm` (`JWT_ALGORITHM`, default `HS256`) — signing algorithm; use `RS256` for RSA key pairs.
- `auth.authorization.fields.permission` (`AUTH_CHECK_FIELD`, default `permissions`) — field read from the user payload by permission checks.
- `auth.authorization.fields.assuranceLevel` (`AUTH_AUTHORIZATION_ASSURANCE_LEVEL_FIELD`, default `assuranceLevel`) — field used by `AuthDecorators.RequireAssuranceLevel`.
- `auth.authorization.fields.authenticationMethods` / `auth.authorization.fields.completedFactors` — fields combined by `AuthDecorators.RequireAnyFactor` / `RequireAllFactors` to determine which factors a user has completed.
Notes
- Defaults are loaded on import, so `auth.jwt.*` and `auth.authorization.fields.*` are available as soon as `@quik/authorization` is imported.
- There is no default JWT secret suitable for production — `auth.jwt.secret` must be overridden via `JWT_SECRET` or a config file outside local development.
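
A startup check for the note above, as an added example that is not part of @quik/authorization. It inspects only the environment variables named on this page (a config-file override is not visible to it) and assumes `NODE_ENV=development` marks local development; the function names `auditJwtEnv` and `assertJwtEnvSafe` are hypothetical.

```javascript
// Added example, not part of @quik/authorization. Variable names and defaults
// are taken from the key list above; NODE_ENV as the local-development signal
// and both function names are assumptions of this sketch.
const DEFAULT_SECRET = 'thisisasecret';
const DEFAULT_ALGORITHM = 'HS256';
// RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
const MIN_HMAC_BYTES = new Map([['HS256', 32], ['HS384', 48], ['HS512', 64]]);

function auditJwtEnv(env) {
  const findings = [];
  // Problems are fatal everywhere except local development.
  const level = env.NODE_ENV === 'development' ? 'warn' : 'error';
  const algorithm = env.JWT_ALGORITHM || DEFAULT_ALGORITHM;
  const secret = env.JWT_SECRET;
  const minBytes = MIN_HMAC_BYTES.get(algorithm);

  if (algorithm.toLowerCase() === 'none') {
    findings.push({ level, key: 'JWT_ALGORITHM', message: 'tokens would be unsigned' });
  }
  if (!secret || secret === DEFAULT_SECRET) {
    // An unset variable leaves the published default in effect.
    findings.push({ level, key: 'JWT_SECRET', message: 'published default secret in use' });
  } else if (minBytes !== undefined && Buffer.byteLength(secret, 'utf8') < minBytes) {
    // Length check only; it says nothing about how random the secret is.
    findings.push({ level, key: 'JWT_SECRET',
      message: `secret is shorter than the ${minBytes} bytes ${algorithm} requires` });
  }
  return findings;
}

// Fail closed at startup: throw if any finding is an error.
function assertJwtEnvSafe(env) {
  const errors = auditJwtEnv(env).filter((f) => f.level === 'error');
  if (errors.length > 0) {
    throw new Error(errors.map((f) => `${f.key}: ${f.message}`).join('; '));
  }
}

// Constructed sample environments, not real deployments or real secrets.
const samples = {
  productionDefaults: { NODE_ENV: 'production' },
  productionShortSecret: { NODE_ENV: 'production', JWT_SECRET: 'hunter2' },
  productionLongSecret: { NODE_ENV: 'production', JWT_SECRET: 'x'.repeat(48) },
  developmentDefaults: { NODE_ENV: 'development', JWT_SECRET: DEFAULT_SECRET },
};
for (const [name, env] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditJwtEnv(env)));
}
```

Calling `assertJwtEnvSafe(process.env)` before the application starts listening turns a forgotten `JWT_SECRET` into a failed boot instead of tokens signed with the default secret.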