@hitchy/plugin-auth 0.2.0 → 0.3.2

package/api/service/auth/manager.js

@@ -1,38 +1,10 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {
 	const api = this;
-	const { models } = api.runtime;
+	const { models, services } = api.runtime;
 
-	const DebugLog = api.log( "hitchy:plugin:auth:debug" );
+	const logDebug = api.log( "hitchy:plugin:auth:debug" );
 
 	/**
 	 * Implements several helper methods meant to simplify user/role management.
@@ -89,6 +61,15 @@ module.exports = function() {
 			}
 
 			const { Role } = models;
+
+			if ( !( role instanceof Role ) ) {
+				role = String( role ); // eslint-disable-line no-param-reassign
+
+				if ( !/^[a-z_]/i.test( role ) || /\s/.test( role ) ) {
+					throw new TypeError( "missing role information" );
+				}
+			}
+
 			const roles = role instanceof Role ? [role] : await Role.find( {
 				eq: { name: "name", value: role.name || role },
 			} );
@@ -246,7 +227,7 @@ module.exports = function() {
 			const users = await this.listUsersOfRole( role );
 
 			if ( users.length > 0 ) {
-				DebugLog( "admin user found" );
+				logDebug( "admin user found" );
 
 				return users;
 			}
@@ -260,7 +241,7 @@ module.exports = function() {
 			} else {
 				const config = api.config.auth.admin;
 
-				DebugLog( "creating admin user" );
+				logDebug( "creating admin user" );
 
 				user = new models.User();
 
@@ -274,6 +255,38 @@ module.exports = function() {
 
 			return [user];
 		}
+
+		/**
+		 * Checks if named user can be authenticated locally using provided
+		 * password.
+		 *
+		 * @param {string} username name of user to authenticate
+		 * @param {string} password password of named to user
+		 * @return {Promise<User>} promises successfully authenticated user
+		 */
+		static async checkAuthentication( username, password ) {
+			const candidates = ( await models.User
+				.find( { eq: { name: username } }, {}, { loadRecords: true } ) )
+				.filter( user => !user.strategy || user.strategy === "local" );
+
+			switch ( candidates.length ) {
+				case 0 :
+					throw new services.HttpException( 400, `no such local user: ${username}` );
+
+				case 1 : {
+					const [user] = candidates;
+
+					if ( await user.verifyPassword( password ) ) {
+						return user;
+					}
+
+					throw new services.HttpException( 403, "invalid password" );
+				}
+
+				default :
+					throw new services.HttpException( 400, "ambiguous username" );
+			}
+		}
 	}
 
 	return AuthManager;

package/api/service/authentication/passport.js

@@ -1,39 +1,12 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 const PassportLib = require( "passport" );
 
 module.exports = function() {
 	const api = this;
-	const AlertLog = api.log( "hitchy:plugin:auth:alert" );
-	const DebugLog = api.log( "hitchy:plugin:auth:debug" );
+
+	const logAlert = api.log( "hitchy:plugin:auth:alert" );
+	const logDebug = api.log( "hitchy:plugin:auth:debug" );
 
 	const passport = new PassportLib.Passport();
 
@@ -49,7 +22,7 @@ module.exports = function() {
 
 		// set up passport to persist current user in server-side session
 		passport.serializeUser( ( user, done ) => {
-			DebugLog( `serializeUser: { name: ${user.name}, uuid: ${user.uuid} }` );
+			logDebug( `serializeUser: { name: ${user.name}, uuid: ${user.uuid} }` );
 
 			done( null, user.uuid );
 		} );
@@ -68,7 +41,7 @@ module.exports = function() {
 				.then( roles => {
 					user.roles = roles;
 
-					DebugLog( `still authenticated user: name: ${user.name}, uuid: ${user.uuid}, roles: ${roles.join( "," )}` );
+					logDebug( `still authenticated user: name: ${user.name}, uuid: ${user.uuid}, roles: ${roles.join( "," )}` );
 
 					done( null, user );
 				} )
@@ -86,9 +59,9 @@ module.exports = function() {
 
 			if ( strategy ) {
 				try {
-					passport.use( strategy.name, strategy );
+					passport.use( name, strategy );
 				} catch ( error ) {
-					AlertLog( `using passport strategy ${name} failed:`, error );
+					logAlert( `using passport strategy ${name} failed:`, error );
 				}
 			}
 		}

package/api/service/authentication/strategies.js

@@ -1,45 +1,107 @@
+"use strict";
+
+const LocalStrategy = require( "passport-local" ).Strategy;
+
 /**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
+ * Temporarily tracks additional session data per remotely authenticated user.
  *
- * Copyright (c) 2021 cepharum GmbH
+ * Some strategies (such as passport-saml) expect certain strategy-related data
+ * per authenticated user to be present on `req.user` prior to accepting request
+ * for logging out. In hitchy, `req.user` is fetched from database on every
+ * request and thus no temporary data is available. Hence, this local map is
+ * used instead to track any additional data for those strategies.
  *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
+ * @type {Map<any, any>}
  */
-
-"use strict";
-
-const LocalStrategy = require( "passport-local" ).Strategy;
+const RemoteAuthCustomData = new Map();
 
 module.exports = function() {
 	const api = this;
-	const { models } = api.runtime;
+	const { models, services } = api.runtime;
+
+	const logAlert = api.log( "hitchy:plugin:auth:alert" );
+
+	/**
+	 * Fetches named user's local profile.
+	 *
+	 * @param {string} strategyName name of strategy used to authenticate user
+	 * @param {string} username name of user to search locally for related profile
+	 * @param {boolean} createIfMissing set true to create user's profile if it's missing currenly
+	 * @param {function(Error?, object):void} doneFn callback invoked with encountered error or user's profile
+	 * @returns {void}
+	 */
+	function getLocalProfile( strategyName, username, createIfMissing, doneFn ) {
+		models.User.find( { eq: { name: username } } )
+			.then( candidates => candidates.find( user => user.strategy === strategyName ) )
+			.then( match => {
+				if ( match ) {
+					return match;
+				}
+
+				if ( createIfMissing ) {
+					const newUser = new models.User();
+					newUser.name = username;
+					newUser.strategy = strategyName;
 
-	const AlertLog = api.log( "hitchy:plugin:auth:alert" );
+					return newUser.save();
+				}
+
+				throw new TypeError( "selected user does not exist" );
+			} )
+			.then( profile => doneFn( null, profile ) )
+			.catch( doneFn );
+	}
 
 	/**
 	 * Implements helpers for generating strategies for passport.js.
 	 */
 	class AuthenticationStrategies {
+		/**
+		 * Picks user based on provided name and checks if provided password is
+		 * matching or not.
+		 *
+		 * @param {string} username name of user to authenticate
+		 * @param {string} password named user's password for authentication
+		 * @param {function(Error?, object, object)} done invoked with optional error, authenticated user or some message as feedback
+		 * @returns {void}
+		 */
+		static checkAuthentication( username, password, done ) {
+			models.User
+				.find( { eq: { username } }, {}, { loadRecords: true } )
+				.then( matches => {
+					switch ( matches.length ) {
+						case 0 :
+							done( null, false, { message: "Incorrect username." } );
+							return undefined;
+
+						case 1 : {
+							const [user] = matches;
+
+							if ( user.strategy && user.strategy !== "local" ) {
+								done( null, false, { message: "Authenticating this user requires different strategy." } );
+								return undefined;
+							}
+
+							return user.verifyPassword( password ).then( result => {
+								if ( result ) {
+									done( null, user );
+								} else {
+									done( null, false, { message: "Incorrect password." } );
+								}
+							} );
+						}
+
+						default :
+							done( null, false, { message: "Ambiguous username." } );
+							return undefined;
+					}
+				} )
+				.catch( err => {
+					logAlert( err );
+					done( err );
+				} );
+		}
+
 		/**
 		 * Generates local strategy authenticating user based on local user
 		 * model managed in local ODM.
@@ -48,43 +110,153 @@ module.exports = function() {
 		 */
 		static generateLocal() {
 			const strategy = new LocalStrategy( ( name, password, done ) => {
-				models.User
-					.find( { eq: { name } }, {}, { loadRecords: true } )
-					.then( matches => {
-						switch ( matches.length ) {
-							case 0 :
-								done( null, false, { message: "Incorrect username." } );
-								return undefined;
+				services.AuthManager.checkAuthentication( name, password, done )
+					.then( user => {
+						done( null, user );
+					} )
+					.catch( error => {
+						if ( error instanceof services.HttpException && Math.floor( error.statusCode / 100 ) === 4 ) {
+							done( null, false, { message: error.message } );
+						} else {
+							done( error );
+						}
+					} );
+			} );
+
+			strategy.passwordRequried = true;
+
+			return strategy;
+		}
+
+		/**
+		 * Generates SAML strategy authenticating user against some remote IdP
+		 * based on SAML v2.0 protocol.
+		 *
+		 * @param {string} strategyName name of resulting strategy in context of your application
+		 * @param {Hitchy.Plugin.Auth.SamlConfig} config SAML protocol configuration
+		 * @returns {Strategy} generated strategy for use with passport.js
+		 */
+		static generateSaml( strategyName, config ) {
+			const verifyLocalProfileOnLogin = ( req, userInfo, done ) => {
+				RemoteAuthCustomData.set( `${strategyName}:${userInfo.nameID}`, { ...userInfo } );
+
+				getLocalProfile( strategyName, userInfo.nameID, true, done );
+			};
+
+			const verifyLocalProfileOnLogout = ( req, userInfo, done ) => {
+				getLocalProfile( strategyName, userInfo.nameID, false, done );
+			};
+
+			const { Strategy } = require( "passport-saml" );
+			const strategy = new Strategy( {
+				...config,
+				passReqToCallback: true,
+			}, verifyLocalProfileOnLogin, verifyLocalProfileOnLogout );
 
-							case 1 : {
-								const [user] = matches;
+			/**
+			 * Triggers requesting user being logged out remotely.
+			 *
+			 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+			 * @returns {Promise<boolean>} promises indicator if request was redirected to come back after remote logout succeeded
+			 */
+			strategy.logOutRemotely = req => {
+				if ( req.query.SAMLResponse ) {
+					return Promise.resolve( false );
+				}
 
-								if ( user.strategy && user.strategy !== "local" ) {
-									done( null, false, { message: "Authenticating this user requires different strategy." } );
-									return undefined;
+				const res = req.context.response;
+
+				return new Promise( ( resolve, reject ) => {
+					const { user } = req;
+
+					const remoteSessionKey = `${strategyName}:${user.name}`;
+
+					if ( !user || user.strategy !== strategyName || !RemoteAuthCustomData.has( remoteSessionKey ) ) {
+						resolve( {} );
+					} else {
+						// inject custom auth data into `req.user` as expected by passport-saml strategy
+						const data = RemoteAuthCustomData.get( remoteSessionKey );
+
+						for ( const name of Object.keys( data ) ) {
+							user[name] = data[name];
+						}
+
+						user.nameID = user.name;
+
+						if ( !user.nameID || !user.nameIDFormat ) {
+							reject( new Error( "missing nameID and nameIDFormat of user required for requesting logout at IdP" ) );
+						} else {
+							// ask strategy for generating logout URL for redirecting client to
+							strategy.logout( req, ( error, logoutUrl ) => {
+								if ( error ) {
+									reject( error );
+								} else {
+									resolve( { name: remoteSessionKey, url: logoutUrl } );
 								}
+							} );
+						}
+					}
+				} )
+					.then( ( { name, url } ) => {
+						if ( url ) {
+							// first pass -> redirect to IdP
+							res.redirect( 302, url );
+							return true;
+						}
 
-								return user.verifyPassword( password ).then( result => {
-									if ( result ) {
-										done( null, user );
-									} else {
-										done( null, false, { message: "Incorrect password." } );
-									}
-								} );
-							}
+						// second pass -> returned from IdP
 
-							default :
-								done( null, false, { message: "Ambiguous username." } );
-								return undefined;
+						if ( name ) {
+							RemoteAuthCustomData.delete( name );
 						}
-					} )
-					.catch( err => {
-						AlertLog( err );
-						done( err );
+
+						return false;
 					} );
-			} );
+			};
 
-			strategy.passwordRequried = true;
+			Object.defineProperty( strategy, "$$doNotSeal$$", { value: true } );
+
+			return strategy;
+		}
+
+		/**
+		 * Creates strategy for illustrating and testing integration with remote IdP
+		 * supporting OpenID Connect with Authorization Code Flow.
+		 *
+		 * @param {string} strategyName name of resulting strategy in context of your application
+		 * @param {ClientMetaData} config OpenID Connect client configuration
+		 * @returns {Promise<Strategy>} promises generated strategy for use with passport.js
+		 */
+		static async generateOpenIdConnect( strategyName, config ) { // eslint-disable-line consistent-this
+			const verifyLocalProfileOnLogin = ( req, tokens, userInfo, done ) => {
+				getLocalProfile( strategyName, userInfo.preferred_username, true, done );
+			};
+
+			const { Issuer, Strategy } = require( "openid-client" );
+			const issuer = await Issuer.discover( config.discovery_url );
+			const client = new issuer.Client( config );
+
+			const strategy = new Strategy( {
+				client,
+				passReqToCallback: true,
+			}, verifyLocalProfileOnLogin );
+
+			strategy.logOutRemotely = req => {
+				const key = `${strategyName}:logout_state`;
+
+				if ( req.session[key] && req.query.state === req.session[key] ) {
+					return Promise.resolve( false );
+				}
+
+				const state = req.session[key] = require( "crypto" ).randomBytes( 32 ).toString( "base64" ); // eslint-disable-line no-param-reassign
+
+				// redirect user to discovered end_session_url of IdP
+				req.context.response.redirect( 302, client.endSessionUrl( { state } ) );
+
+				return Promise.resolve( true );
+			};
+
+			Object.defineProperty( strategy, "$$doNotSeal$$", { value: true } );
 
 			return strategy;
 		}

package/api/service/authorization/node.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {

package/api/service/authorization/policy-generator.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {

package/api/service/authorization/tree.js

@@ -1,39 +1,11 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {
 	const api = this;
 	const { services, models } = api.runtime;
 
-	const AlertLog = api.log( "hitchy:plugin:auth:alert" );
-	const DebugLog = api.log( "hitchy:plugin:auth:debug" );
+	const logAlert = api.log( "hitchy:plugin:auth:alert" );
+	const logDebug = api.log( "hitchy:plugin:auth:debug" );
 
 	let cachedTree;
 
@@ -130,7 +102,7 @@ module.exports = function() {
 		addRule( rule ) {
 			const { selector, role, user, accept } = rule;
 
-			DebugLog( "adding authorization rule", { selector, role, user, accept } );
+			logDebug( "adding authorization rule", { selector, role, user, accept } );
 
 			const node = this.selectNode( selector );
 
@@ -154,7 +126,7 @@ module.exports = function() {
 		removeRule( rule ) {
 			const { selector, role, user, accept } = rule;
 
-			DebugLog( "removing authorization rule", { selector, role, user, accept } );
+			logDebug( "removing authorization rule", { selector, role, user, accept } );
 
 			const node = this.selectNode( selector, false );
 
@@ -197,7 +169,7 @@ module.exports = function() {
 					}
 				} );
 			} catch ( cause ) {
-				AlertLog( cause.message );
+				logAlert( cause.message );
 				return false;
 			}
 
@@ -241,7 +213,7 @@ module.exports = function() {
 				const users = {};
 				const roles = {};
 
-				DebugLog( `restoring ${entries.length} authorization rule(s) from database` );
+				logDebug( `restoring ${entries.length} authorization rule(s) from database` );
 
 				for ( const entry of entries ) {
 					const userKey = entry.user ? entry.user.toString( "hex" ) : undefined;
@@ -279,7 +251,7 @@ module.exports = function() {
 		loadFromConfiguration( configuration ) {
 			const { authorizations = {} } = configuration || {};
 
-			DebugLog( `loading authorization(s) from configuration` );
+			logDebug( `loading authorization(s) from configuration` );
 
 			const processLevel = ( source, prefix ) => {
 				const names = Object.keys( source );
@@ -310,7 +282,7 @@ module.exports = function() {
 									[isRole ? "role" : "user"]: id,
 								} );
 							} else {
-								AlertLog( `invalid user/role selector in ${key || "rule"} on ${name}` );
+								logAlert( `invalid user/role selector in ${key || "rule"} on ${name}` );
 							}
 						}
 					}

package/config/auth.js

@@ -3,6 +3,7 @@
 module.exports = function() {
 	return {
 		auth: {
+			prefix: "/api/auth",
 			strategies: {
 				// local: this.runtime.services.AuthStrategies.generateLocal()
 			},
@@ -10,6 +11,10 @@ module.exports = function() {
 				// "feature.export.pdf": "@customers"
 				// "feature.export.text": "@customers,@testers"
 			},
+			roles: [
+				// "customers",
+				// "testers",
+			],
 		}
 	};
 };