> For the complete documentation index, see [llms.txt](https://docs.oidc-spa.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.oidc-spa.dev/docs/v8/integration-guides/backend-token-validation/node-http.md).
# node:http
This is how your API handler would typically look like:
import { createServer } from "node:http";
import { parse } from "node:url";
import * as fs from "node:fs/promises";
import { bootstrapAuth, getUser } from "./auth"; // See below
function startNodeServer() {
bootstrapAuth({
implementation: "real", // or "mock", see: https://docs.oidc-spa.dev/v/v8/integration-guides/backend-token-validation/mock-modes
issuerUri: process.env.OIDC_ISSUER_URI!,
expectedAudience: process.env.OIDC_AUDIENCE
});
const server = createServer(async (req, res) => {
const { pathname } = parse(req.url!, true);
if (req.method === "GET" && pathname === "/api/todos") {
const user = await getUser({ req, res });
const json = await fs.readFile(
`todos_${user.id}.json`,
"utf8"
);
res.writeHead(200, { "Content-Type": "application/json" });
res.end(json);
return;
}
if (
req.method === "GET" &&
pathname?.startsWith("/api/todos-for-support/")
) {
// Will reject the request if user making the request
// doesn't have "support-staff" role
await getUser({ req, res, requiredRole: "support-staff" });
const userId = decodeURIComponent(
pathname.replace("/api/todos-for-support/", "")
);
const json = await fs.readFile(
`todos_${userId}.json`,
"utf8"
);
res.writeHead(200, { "Content-Type": "application/json" });
res.end(json);
return;
}
res.writeHead(404).end();
});
server.listen(parseInt(process.env.PORT ?? "3000"), () => {
console.log("Server running");
});
}
Let's see how to export the utils to make it happen:
{% code title="src/auth.ts" %}
```ts
import { oidcSpa, extractRequestAuthContext } from "oidc-spa/server";
import { z } from "zod";
import type { IncomingMessage } from "node:http";
import type { ServerResponse } from "node:http";
const { bootstrapAuth, validateAndDecodeAccessToken } = oidcSpa
.withExpectedDecodedAccessTokenShape({
// This is purely declarative. Here you'll specify
// the claim that you expect to be present in the access token payload.
decodedAccessTokenSchema: z.object({
sub: z.string(),
name: z.string(),
email: z.string().optional(),
// Keycloak specific, convention to manage authorization.
realm_access: z.object({
roles: z.array(z.string())
}).optional()
})
})
.createUtils();
export { bootstrapAuth };
// Your local representation of a user.
export type User = {
id: string;
name: string;
email: string | undefined;
};
export async function getUser(params: {
req: IncomingMessage;
res: ServerResponse;
requiredRole?: "realm-admin" | "support-staff";
}): Promise {
const { req, res, requiredRole } = params;
const bail = (statusCode: 400 | 401 | 403) => {
res.writeHead(statusCode).end();
return new Promise(() => {});
};
const requestAuthContext = extractRequestAuthContext({
request: req,
// Set this to false only if you don't have a reverse HTTP proxy in front of your
// server. (Almost never the case in modern deployments).
trustProxy: true
});
if( !requestAuthContext ){
// Demo shortcut: we return 401 on missing Authorization, but a mixed
// public/private endpoint could instead return undefined here and let
// the caller decide whether to process an anonymous request.
console.warn("Anonymous request");
return bail(401); // Unauthorized
}
if (!requestAuthContext.isWellFormed) {
console.warn(requestAuthContext.debugErrorMessage);
return bail(400); // Bad Request
}
const { isSuccess, debugErrorMessage, decodedAccessToken } =
await validateAndDecodeAccessToken(
requestAuthContext.accessTokenAndMetadata
);
if (!isSuccess) {
console.warn(debugErrorMessage);
return bail(401); // Unauthorized
}
// Your custom Authorization logic: Grant per request access depending
// on the access token claim.
if (requiredRole) {
if (!decodedAccessToken.realm_access?.roles.includes(requiredRole)) {
console.warn(`User missing role: ${requiredRole}`);
return bail(403); // Forbidden
}
}
// Here you can potentially enrich the user object with additional
// data that you would retrieve from your database if the access token
// claim does not contain everything you need.
const { sub, name, email } = decodedAccessToken;
const user: User = { id: sub, name, email };
return user;
}
```
{% endcode %}
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://docs.oidc-spa.dev/docs/v8/integration-guides/backend-token-validation/node-http.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.