endpoint handlers are executed.
Implements EventEmitter and will emit a login event each time a user logs in,
or a loginFailed event with 2 parameters (userID, isLocked) when UB authentication fails for a user.
- Mixes In:
- EventEmitter   
Members
callerIP: string static readonly
IP address of a user. May differ from the IP address the current user logged in from.
May be empty if the request comes from localhost.
id: number static readonly
Current session identifier: === 0 if the session is not started, === 1 if authentication is not used, > 1 if the user is authorized.
uData: Object static readonly
Custom properties defined in Session.on('login') handlers for the logged-in user.
We strongly recommend not modifying the value of uData outside the Session.on('login') handler:
such modifications are not persisted between calls.
Properties documented below are added by the @unitybase/uba model, but other models can define their own properties.
Properties:
| Name | Type | Attributes | Description |
|---|---|---|---|
| userID | number | | Logged in user ID. The same as Session.userID. Added by |
| login | string | | Logged in user name. Added by |
| roles | string | | Logged in user role names separated by comma. In most cases it is better to use the uData.roleIDs array. Added by |
| roleIDs | Array.<number> | | Array of role IDs for the logged in user's roles. Added by |
| employeeShortFIO | string | <optional> | Short name of employee. Added by |
| employeeFullFIO | string | <optional> | Full name of employee |
| employeeID | number | <optional> | Employee ID |
| staffUnitFullName | string | <optional> | |
| staffUnitName | string | <optional> | |
| staffUnitID | number | <optional> | permanent staffUnitID. Added by |
| employeeOnStaffID | number | <optional> | permanent employeeOnStaffID. Added by |
| parentID | number | <optional> | permanent staffUnitID parent. Added by |
| parentUnityEntity | string | <optional> | permanent staffUnitID parent entity type. Added by |
| orgUnitIDs | string | <optional> | all orgUnit IDs as a CSV string. Added by |
| permanentOrgUnitIDs | string | <optional> | all user orgUnit IDs of permanent employeeOnStaffIDs in CSV. Added by |
| tempStaffUnitIDs | string | <optional> | array of temporary staffUnitIDs in CSV. Added by |
| tempEmployeeOnStaffIDs | string | <optional> | array of temporary employeeOnStaffIDs in CSV. Added by |
| assistantStaffUnitIDs | string | <optional> | array of assistant staffUnitIDs in CSV. Added by |
| assistantEmployeeOnStaffIDs | string | <optional> | array of assistant employeeOnStaffIDs in CSV. Added by |
| allStaffUnitIDs | string | <optional> | array of all (permanent + temporary + assistant) staffUnitIDs in CSV. Added by |
| allEmployeeOnStaffIDs | string | <optional> | array of all (permanent + temporary + assistant) employeeOnStaffIDs in CSV. Added by |
| tempPositions | string | <optional> | stringified array of temporary position objects: {staffUnitID, employeeOnStaffID}. Added by |
| assistantPositions | string | <optional> | stringified array of assistant position objects: {staffUnitID, employeeOnStaffID}. Added by |
| allPositions | string | <optional> | stringified array of permanent + temporary + assistant position objects: {staffUnitID, employeeOnStaffID}. Added by |
userID: number static readonly
userLang: string static readonly
userRoleNames: string static readonly
- Deprecated:
- Use Session.uData.roles
userRoles: number static readonly
- Deprecated:
- Use Session.uData.roleIDs - an array of role IDs
Methods
runAsAdmin(func) → *
static
Call function as admin.
A built-in "always alive" (never expired) admin session is always created when the application starts,
so this is a very cheap method: it will not trigger the Session.login event every time the context is switched (Session.setUser and Session.runAsUser do).
Can be used in scheduled tasks, non-authorized methods, etc. to obtain an admin Session context.
Arguments:
- func (function): Function to be called in admin context
runAsUser(userID, func) → *
static
Call function as a custom user.
A new session will be created. Will fire the login event.
Arguments:
- userID: ID of user
- func: Function to be called in the user's session.
setUser(userID, [secret]) → String
static
Create a new session for userID.
Arguments:
- userID (Number): ID of user
- [secret] (String): secret word. If defined then session secretWord is JSON.parse(returns).result+secret
Events
login
Fires just after the user has successfully logged in but before the auth response is written to the client.
A model developer can subscribe to this event and add model-specific data to Session.uData.
Since all uData content is passed to the client and is accessible on the client via
$App.connection.userData(someCustomProperty), do not add security-sensitive data there.
Standard models like @unitybase/uba and @unitybase/org are subscribed to this event and add
the most useful information to uData; see the Session.uData documentation.
Never override uData using Session.uData = {...}: in this case you delete uData properties
defined in other application models.
Instead define or remove properties using Session.uData.myProperty = ...
or use delete Session.uData.myProperty if you need to undefine something.
The example below adds someCustomProperty to Session.uData:
```javascript
// @param {THTTPRequest} req
Session.on('login', function (req) {
  var uData = Session.uData
  uData.someCustomProperty = 'Hello!'
})
```
See a real-life example inside @unitybase/org/org.js.
loginFailed
Fires when the auth endpoint is called with authentication schema UB and the userName is found in the database,
but the password is incorrect.
If a wrong password is entered more than UBA.passwordPolicy.maxInvalidAttempts (from ubs_settings) times,
the user will be locked.
2 parameters are passed to this event: userID (Number) and isUserLocked (Boolean)
```javascript
Session.on('loginFailed', function (userID, isLocked) {
  if (isLocked) {
    console.log('User with id ', userID, 'entered wrong password and locked')
  } else {
    console.log('User with id ', userID, 'entered wrong password')
  }
})
```
newUserRegistration
Legacy event, CERT authentication schema only.
For the CERT schema "user registered" means the auth endpoint is called with the registration=1 parameter.
Fired before the "registration" event starts and before the user check begins. You can create a new user inside this event.
The parameter looks like
```javascript
{
  "authType": 'CERT',
  "serialSign": '<serialSign>',
  "name": '<user name>',
  "additional": '',
  "issuer": '<issuer>',
  "serial": '<serial>',
  "certification_b64": '<certification_b64>'
}
```
registration
Fires when a new user is registered in the system and the authentication schema supports the
"registration" feature.
Currently only the CERT and UB schemas support this feature.
For the CERT schema "user registered" means the auth endpoint is called with the registration=1 parameter.
For the UB schema "user registered" means the 'publicRegistration' endpoint has been called and the user confirmed
registration by email OTP.
Inside the event handler the server-side Session object is in an INCONSISTENT state and you must not use it!!
The only parameter (a stringified object) passed to the event is valid user-related information.
For the CERT schema the parameter looks like
```javascript
{
  "authType": 'CERT',
  "id_cert": '<id_cert>',
  "user_name": '<user_name>',
  "additional": '',
  "certification_b64": '<certification_b64>'
}
```
For the UB schema the parameter looks like
```javascript
{
  "authType": 'UB',
  "publicRegistration": true,
  userID,
  userOtpData
}
```
Each AUTH schema can pass its own object as the event parameter, but all schemas add authType.
Below is sample code for the CERT schema:
```javascript
Session.on('registration', function (registrationParams) {
  // handler body
})
```
securityViolation
Fires in case of any security violation:
- user is blocked or does not exist (in uba_user)
- user provided wrong credentials (password, domain, encrypted secret key, certificate, etc.)
- for 2-factor auth schemas: too many sessions in pending state (max is 128)
- access to endpoint "%" denied for user (endpoint name not present in uba_role.allowedAppMethods for any of the user's roles)
- password for user has expired (see the ubs_settings UBA.passwordPolicy.maxDurationDays key)
- entity method access denied by ELS (see rules in uba_els)
A single parameter is passed to this event, reason: string
```javascript
Session.on('securityViolation', function (reason) {
  console.log('Security violation for user with ID', Session.userID, 'from', Session.callerIP, 'reason', reason)
})
```