The thorin authorization

An authorization middleware's sole purpose is to authorize incoming requests into your application by either verifying session data, header data or tokens sent through the input of an application.

Authorization middleware functions should be placed among the first middlewares of your action, since it verifies the source of a request and can stop any unauthorized requests from further processing. Once it validates the authorization source, it should attach any custom data or object to the intentObj via the data() function.

The core authorization middleware class is under thorin.Authorization and can be extended by other thorin components, using the pattern below:

'use strict'
const CoreAuthorization = thorin.Authorization;
thorin.Authorization = class ThorinAuthorization extends CoreAuthorization {
   constructor(name) {
      // your custom functionality
Registers an input validator that will take the given key-value pairs and validate them before your call stack is called.
  • objobject An object containing validation rules for the incoming input.
Registers an inline anonymous middleware function that will be called with func(intentObj, next), after all input validation had completed. Note that it only works with inline pure functions and not named middleware.
  • funcfunction* the function that will be called
Registers a function that will be called once the authorization middleware has completed its call stack. This is useful for logging and other post-authorization actions
  • fnfunction the function to call when the middleware has ended
authObj._runStack(intentObj, opt, done)
Similar to the middleware's _runStack function, it will execute the internal authorization call stack in the chronological order they were defined. This is usually called by the dispatcher.
  • intentObjinstance of thorin.Intent the current intent object
  • optobject additional options passed by any higher dependents
  • donefunction the function to call once the run stack has been called.
'use strict';
// Register our authorization header that will check the Authorization headers (default authorization source in thorin-transport-http)
const dispatcher = thorin.dispatcher;
const ADMIN_TOKEN = 'admin123';
   .use((intentObj, next) => {
      const authType = intentObj.authorizationSource,
         authToken = intentObj.authorization;
      if(authType !== 'TOKEN') {
         return next(thorin.error('AUTHORIZATION', 'Authorization method unsupported', 401));
      if(authToken !== ADMIN_TOKEN) {
         return next(thorin.error('AUTHORIZATION', 'Invalid authorization token', 401));
      // Attach any kind of information to the intent

// Define an action that uses the above authorization
   .alias('GET', '/resource')
   .use((intentObj, next) => {'Admin request completed');
   .before('authorize', (intentObj) => {'Authorization will happen');
Do you have a question or is something missing?

You can always create a new issue on GitHub or contact one of the core founders by chat.