Remove setToken from interface to prevent accidentally security probl…

…ems.
Authress · Nov 5, 2024 · 9354e75 · 9354e75
1 parent b0d543e
commit 9354e75
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ This is the changelog for [Authress SDK](readme.md).
 * [Breaking] UserId is now required in all `userPermissions` apis. This improves **Security By Default** requiring explicit check on who the user is.
 * [Breaking] Removal of property `accessToAllSubResources`.
 * [Breaking] `ServiceClientTokenProvider` is now a first-class Javascript Class, it cannot be used as a function.
+* [Breaking] `setToken` has been removed from the interface. To set a user token, pass in a function into the AuthressClient constructor.
 
 ## 2.3 ##
 * Require minimum Node version to be 16.

diff --git a/docs/methods.md b/docs/methods.md
@@ -6,15 +6,14 @@
 ```js
 const { AuthressClient } = require('@authress/sdk');
 
-// What is my authressApiUrl? => API Host: https://authress.io/app/#/api?route=overview
-const authressClient = new AuthressClient({ authressApiUrl: 'https://auth.yourdomain.com' });
-
 // on api route
 [route('/resources/<resourceId>')]
 async function getResource(resourceId) {
   // Get the user token and pass it to authress
   const authorizationToken = request.headers.get('authorization');
-  authressClient.setToken(authorizationToken);
+
+  // What is my authressApiUrl? => API Host: https://authress.io/app/#/api?route=overview
+  const authressClient = new AuthressClient({ authressApiUrl: 'https://auth.yourdomain.com' }, () => authorizationToken);
 
   // Check Authress to authorize the user
   try {
@@ -123,13 +122,12 @@ Some of the resources in the API are paginated. These resources contain a `pagin
 
 ```js
 const { AuthressClient } = require('@authress/sdk');
-const authressClient = new AuthressClient({ authressApiUrl: 'https://auth.yourdomain.com' })
 
 // on api route
 async function (resourceId) {
   // Get the user token and pass it to authress
   const authorizationToken = request.headers.get('authorization');
-  authressClient.setToken(authorizationToken);
+  const authressClient = new AuthressClient({ authressApiUrl: 'https://auth.yourdomain.com' }, () => authorizationToken);
 
   // Get the users resources
   const response = await authressClient.userPermissions.getUserResources(userId, `resources/*`, 10, null, 'READ');

diff --git a/index.d.ts b/index.d.ts
@@ -1025,13 +1025,6 @@ export class AuthressClient {
    */
   tenants: TenantsApi;
 
-  /**
-   * @summary Set the users token here, so that requests made with this Authress Client will have the user's permissions
-   * @type {Function<void>}
-   * @param {string} jwtToken The user's JWT access token.
-   */
-  setToken(jwtToken: string): void;
-
   /**
    * @summary Verify an incoming Authress JWT request access token here.
    * @type {Function<Promise<Record<string, unknown>>>}

diff --git a/index.js b/index.js
@@ -32,6 +32,9 @@ class AuthressClient {
     this.tenants = new TenantsApi(this.httpClient);
   }
 
+  /**
+   * Deprecated: Will be removed in library version 4.0
+   */
   setToken(token) {
     this.httpClient.tokenProvider = () => token;
   }