Token Validation at TMS API
Closed this issue · 1 comment
johanfol commented
As the TMS API, I want to validate the expiration and signature of Tazama format tokens so that only valid tokens are accepted.
Acceptance Criteria:
- The system must require a bearer token in the Authorization header.
- The Authentication Library must validate the token's expiration date.
- The Authentication Library must validate the token's signature using public keys.
- The Authentication Library must reject invalid or expired tokens.
- The Authentication Library must log any validation errors.
- The TMS API must integrate with Authentication Library to Validate the external token.
- The TMS API must return a 401: Unauthorized exception for any token validation failures.
- The TMS API must have a configurable AUTHENTICATED variable which, if switched to false, does not require an Auth header and skips all validations and authorization.
Justus-at-Tazama commented
@johanfol - Can we please add a separate and authentication-specific environment variable to turn the authentication service on and off? If we are piggy-backing off the existing NodeENV variable, we won't be able to test this effectively in pre-production environments. The combination of the two concepts into a single variable also defeats our "separation of concerns" design principle.