* Resolves the appropriate client for a request based on the Authorization header. * * - No studioAuthKey configured (authDb is undefined): always return the base client. * - SuperUser claim: return the base client (full access, no policy enforcement). * - Regular user claim: return authDb with
(
client: ClientContract<SchemaDef>,
authDb: ClientContract<SchemaDef>,
req: express.Request,
isAuthKeyEnabled: boolean,
)
| 392 | * - No / invalid token: return the base client. |
| 393 | */ |
| 394 | function resolveClient( |
| 395 | client: ClientContract<SchemaDef>, |
| 396 | authDb: ClientContract<SchemaDef>, |
| 397 | req: express.Request, |
| 398 | isAuthKeyEnabled: boolean, |
| 399 | ): ClientContract<SchemaDef> { |
| 400 | const authHeader = req.headers['authorization']; |
| 401 | |
| 402 | // If AuthKey is not enabled, and Authorization header is not present, then it is the basic access without auth. |
| 403 | if (!isAuthKeyEnabled && !authHeader) { |
| 404 | return client; |
| 405 | } |
| 406 | |
| 407 | if (!authHeader?.startsWith('Bearer ')) { |
| 408 | return authDb; |
| 409 | } |
| 410 | |
| 411 | const token = authHeader.substring(7); |
| 412 | let claim: UserClaim; |
| 413 | try { |
| 414 | claim = UserClaimSchema.parse(JSON.parse(Buffer.from(token, 'base64').toString('utf8'))); |
| 415 | } catch (err) { |
| 416 | console.error( |
| 417 | colors.red(`Failed to parse user claim from token: ${err instanceof Error ? err.message : String(err)}`), |
| 418 | ); |
| 419 | return authDb; |
| 420 | } |
| 421 | |
| 422 | if (claim.type === 'superUser') { |
| 423 | // SuperUser has full access without policy enforcement, so we return the base client directly. |
| 424 | return client; |
| 425 | } else { |
| 426 | return authDb.$setAuth(claim.data) as ClientContract<SchemaDef>; |
| 427 | } |
| 428 | } |
| 429 | |
| 430 | function startServer( |
| 431 | client: ClientContract<SchemaDef>, |
no test coverage detected