dehaze

Authenticated Access

Space Cloud supports JWT based authentication.

How does authentication work?

As you can see, authentication is performed outside of Space Cloud. However, it validates whether a request is authenticated and enforces your authorization/access-control logic.

Space Cloud expects a JWT token in every incoming request. For HTTP requests, the token should be present inside Authorization header as Bearer <token>, whereas for websocket requests, the token should be present in the data.token key of the message body.

The security module in Space Cloud checks whether a token is valid or not based on the following criteria:

  • The token should get verified by anyone of the secrets provided to Space Cloud. Check out the docs for configuring JWT secrets to learn more about providing secrets to Space Cloud.
  • If the token contains an expiry (seconds since epoch in the exp claim), then its value should be in the future.

Space Cloud considers a request to be authenticated, only if it contains a valid token. Once a token is considered valid, its claims are parsed and made available in the args.auth variable to be used by security rules.

If a user tries to change any of the token claims or tries to create his/her false token, it would fail at the verification stage because of the nature of JWTs. You can check out the official website of the JWT project to learn more about it.

Where to get tokens from?

Usually, a token is generated and provided by an authentication service on a successful signin/signup request by a user. These tokens are signed with a secret by the authentication service. This secret needs to be provided to Space Cloud for token-based authentication to work.

You can either use the in-built user management module of Space Cloud as an authentication service or use a custom / third-party service like Firebase Auth, Auth0, etc.

Enforcing authentication

Authentication is enforced by all security rules except allow rule. However, if you want to enforce authentication only for a particular resource, you should use the authenticated rule like this:

{
  "rule": "authenticated"
}

Have a technical question?

Improve the docs!