ExuluAuthentication wraps IMP’s authentication logic in a single authenticate call. It resolves the caller’s identity from whichever credential is present — an API key, a NextAuth session token, or an internal shared secret — and returns a normalized result object that includes the authenticated User on success or an error code and message on failure.
Use ExuluAuthentication in custom Express routes or middleware that need to enforce the same authentication rules as the built-in IMP API.
API surface
ExuluAuthentication.authenticate
apikey, authtoken, or internalkey should be provided. The function evaluates them in this order: internalkey → authtoken → apikey. When none is supplied it returns error: true with code 401.
An IMP API key in the format
<value>/<name>. The key prefix is compared against bcrypt-hashed entries in the users table where type = "api".A decoded NextAuth session object with at least an
email field. The platform’s middleware decodes the JWE Bearer token before calling authenticate; pass the decoded payload here.A plaintext string compared against
process.env.INTERNAL_SECRET. Intended for service-to-service calls (e.g. between the IMP server and the Uppy file upload service). Returns a synthetic internal user when matched.A Knex database connection. Obtain one from
postgresClient().true when authentication failed.Human-readable reason for the failure (present when
error is true).HTTP status code. Always present:
200 on success, 401 on all authentication failures.The authenticated user record, including hydrated
role, team, and project relations (present when error is false).Example
Authentication paths
Related
- Administration / API keys: create and revoke API keys.
postgresClient: obtain thedbconnection.