Middleware

Device Authentication Middleware

Using `requireDevice()` and `requireAdmin()` middleware to protect routes with JWT-based device auth.

Protecting routes with device auth

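const express = require('express');
const { createDeviceRegistry } = require('@epheme/core');

const app = express();
app.use(express.json());

// The JWT signing secret must come from the environment. A hard-coded fallback
// such as 'dev-secret' is a published value: any deployment that forgets to set
// the variable would accept tokens forged with it, so fail fast at startup.
const deviceJwtSecret = process.env.DEVICE_JWT_SECRET;
if (!deviceJwtSecret) {
  throw new Error('DEVICE_JWT_SECRET environment variable must be set');
}

const { issueDeviceJWT, requireDevice, requireAdmin } = createDeviceRegistry({
  deviceJwtSecret,
});

// Public endpoint — issues a device token.
// NOTE: the device identity is hard-coded for demonstration only. A real issuer
// must authenticate and authorize the caller (e.g. during device enrolment)
// before minting a token; otherwise any client can obtain a valid device JWT.
app.post('/issue-token', (req, res) => {
  const device = { id: 'device-123', tenant: 'acme', role: 'device' };
  const token = issueDeviceJWT(device);
  res.json({ token });
});

// Protected by device auth: a valid `Authorization: Bearer <JWT>` header is
// required, and the verified payload is exposed to the handler as req.device.
app.get('/api/status', requireDevice(), (req, res) => {
  res.json({ device: req.device });
});

// Admin-only route: the X-Device-Admin-Secret header is checked against the
// environment variable named by `envKey` (ADMIN_SECRET here).
app.post('/api/admin/reset', requireAdmin({ envKey: 'ADMIN_SECRET' }), (req, res) => {
  res.json({ ok: true });
});

// Role-based access control: the device JWT must additionally carry the
// role 'admin'; a device-role token is rejected here.
app.post('/api/configure', requireDevice({ requiredRole: 'admin' }), (req, res) => {
  res.json({ configured: true });
});

app.listen(3000);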

Calling protected endpoints:

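// The example server above listens on port 3000. Node's fetch() rejects
// relative URLs, so resolve every path against an absolute base.
const baseUrl = 'http://localhost:3000';

// Get a token first; fail loudly instead of trying to use a missing token.
const tokenRes = await fetch(new URL('/issue-token', baseUrl), { method: 'POST' });
if (!tokenRes.ok) {
  throw new Error(`token issuance failed with HTTP ${tokenRes.status}`);
}
const t = await tokenRes.json();

// Use it with `Authorization: Bearer TOKEN` header
const res = await fetch(new URL('/api/status', baseUrl), {
  headers: { 'Authorization': `Bearer ${t.token}` }
});

// For admin endpoints, use X-Device-Admin-Secret instead.
// This snippet reads the secret from the environment, so it must run
// server-side (an operator script); never ship ADMIN_SECRET in a browser
// bundle. An unset variable would otherwise be sent as the literal string
// "undefined", so check it up front.
const adminSecret = process.env.ADMIN_SECRET;
if (!adminSecret) {
  throw new Error('ADMIN_SECRET environment variable must be set');
}
const adminRes = await fetch(new URL('/api/admin/reset', baseUrl), {
  method: 'POST',
  headers: { 'X-Device-Admin-Secret': adminSecret }
});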

Middleware signatures:

  • requireDevice({ requiredRole }) — checks Authorization: Bearer JWT header
  • requireAdmin({ envKey }) — checks the X-Device-Admin-Secret header against the environment variable named by envKey
  • On success, attaches req.device with JWT payload: { device_id, tenant, role, type }