
Node.js API Quickstart

After your users have logged in using the SPA SDK, you will need a backend API to handle the requests from your frontend. This guide shows how to implement a simple Node.js API with Express that authenticates users and authorizes their requests.

Prerequisites

Before starting, you will need a Saascannon tenant; if you do not already have one, create a Saascannon tenant and then configure it.

Installation

npm i @saascannon/auth

Initialise the package

import { SaascannonAuth } from "@saascannon/auth";
 
const scAuth = new SaascannonAuth("https://your-tenant.region.saascannon.app");
 
// Verify credentials
const userAccessTokenDetails = scAuth.verifyUserToken("user-bearer-token");
 
// Verify permissions ('posts:publish' OR 'admin')
const userCanPublishPosts = userAccessTokenDetails.hasPermissionTo([
  ["posts:publish"],
  ["admin"],
]);

Express Wrapper

If you are using Express, the pre-built wrappers below make it easy to add Saascannon auth to your service.

import { SaascannonAuth } from "@saascannon/auth";
import { expressAuthGuard, Request } from "@saascannon/auth/express";
import express, { Response, NextFunction } from "express";
 
const scAuth = new SaascannonAuth("https://your-tenant.region.saascannon.app");
 
const app = express();
 
const { verifyUserCredential, verifyUserPermissions } = expressAuthGuard();
 
// Ensure users are authenticated for all routes
app.use(verifyUserCredential(scAuth));
 
// Route with permissions middleware
app.post(
  "/posts",
  verifyUserPermissions([["posts:publish"], ["admin"]]),
  (req: Request, res: Response) => {
    if (
      req.body.restrictedField &&
      // You can also check permissions within the route
      !req.user.hasPermissionTo("posts:publish-with-rf")
    ) {
      return res.sendStatus(403);
    }
 
    // Example function to publish a post
    publishPost(req.body);
 
    return res.sendStatus(201);
  },
);
 
// Handle errors raised by the auth middleware. Express recognises an error
// handler by its four-argument signature, so keep `next` even though it is unused.
app.use((err: any, req: Request, res: Response, next: NextFunction) => {
  // User is not authenticated
  if (err.code === "unauthenticated") {
    return res.sendStatus(401);
  }
 
  // Insufficient permissions
  if (err.code === "unauthorized") {
    return res.sendStatus(403);
  }
 
  res.sendStatus(500);
});
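The permission-requirement semantics used above (a list of alternatives, each of which is a group of permissions that must all be held) together with the middleware order and the 401/403 mapping of the Express example, as an added example that is not part of the Saascannon SDK or of this guide. Express and the SDK's token verification are replaced by small stand-ins: the `runPipeline` helper, the `AuthError` class and the `DEMO_TOKENS` table are assumptions made for this example, and a real service would call `scAuth.verifyUserToken` in place of the table lookup.

```typescript
// Added example (not @saascannon/auth code): models the permission-requirement
// semantics behind hasPermissionTo()/verifyUserPermissions() and the 401/403
// mapping done by the error handler. Express and the SDK are replaced by small
// stand-ins so this runs with no dependencies; DEMO_TOKENS is constructed data.

// A requirement is a single permission string, or a list of alternatives where
// each alternative is a list of permissions that must ALL be held:
//   [["posts:publish"], ["admin"]]    -> posts:publish OR admin
//   [["posts:edit", "posts:publish"]] -> posts:edit AND posts:publish
type PermissionRequirement = string | string[][];

function hasPermissionTo(granted: ReadonlySet<string>, required: PermissionRequirement): boolean {
  if (typeof required === "string") return granted.has(required);
  // An empty requirement would let everyone through; fail closed instead.
  if (required.length === 0) throw new Error("empty permission requirement");
  return required.some((group) => group.length > 0 && group.every((p) => granted.has(p)));
}

// --- Stand-ins for the Express and SDK pieces used in the guide (assumptions) ---
type AuthCode = "unauthenticated" | "unauthorized";
class AuthError extends Error {
  code: AuthCode;
  constructor(code: AuthCode) { super(code); this.code = code; }
}
interface Req {
  headers: Record<string, string | undefined>;
  body: Record<string, unknown>;
  user?: { hasPermissionTo: (r: PermissionRequirement) => boolean };
}
interface Res { statusCode: number; sendStatus(code: number): void; }
type Next = (err?: unknown) => void;
type Middleware = (req: Req, res: Res, next: Next) => void;
type ErrorHandler = (err: unknown, req: Req, res: Res) => void;

// Constructed demo credential store; a real service verifies the bearer token
// with scAuth.verifyUserToken() instead of looking it up in a table.
const DEMO_TOKENS: Record<string, string[]> = {
  "viewer-token": ["posts:read"],
  "publisher-token": ["posts:read", "posts:publish"],
  "rf-publisher-token": ["posts:publish", "posts:publish-with-rf"],
  "admin-token": ["admin"],
};

// Authenticate: a missing or unknown bearer token yields an "unauthenticated" error.
const verifyUserCredential: Middleware = (req, _res, next) => {
  const header = req.headers["authorization"] ?? "";
  const [scheme, token] = header.split(" ");
  const perms = scheme === "Bearer" && token ? DEMO_TOKENS[token] : undefined;
  if (!perms) return next(new AuthError("unauthenticated"));
  const granted = new Set(perms);
  req.user = { hasPermissionTo: (r) => hasPermissionTo(granted, r) };
  next();
};

// Authorize: a logged-in user who lacks the requirement yields an "unauthorized" error.
const verifyUserPermissions = (required: PermissionRequirement): Middleware => (req, _res, next) => {
  if (!req.user) return next(new AuthError("unauthenticated"));
  if (!req.user.hasPermissionTo(required)) return next(new AuthError("unauthorized"));
  next();
};

// The route from the guide, including its in-handler check for the restricted field.
const publishPostRoute: Middleware = (req, res) => {
  if (req.body.restrictedField && !req.user!.hasPermissionTo("posts:publish-with-rf")) {
    return res.sendStatus(403);
  }
  res.sendStatus(201); // publishPost(req.body) would run here
};

// The guide's error handler: map auth error codes to HTTP statuses, default 500.
const errorHandler: ErrorHandler = (err, _req, res) => {
  if (err instanceof AuthError && err.code === "unauthenticated") return res.sendStatus(401);
  if (err instanceof AuthError && err.code === "unauthorized") return res.sendStatus(403);
  res.sendStatus(500);
};

// Minimal sequential pipeline in place of app.use()/app.post(); returns the status sent.
function runPipeline(req: Req, chain: Middleware[], onError: ErrorHandler): number {
  const res: Res = { statusCode: 0, sendStatus(code) { this.statusCode = code; } };
  let i = 0;
  const next: Next = (err) => {
    if (err !== undefined) return onError(err, req, res);
    const mw = chain[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return res.statusCode;
}

// POST /posts wired exactly as in the guide: authenticate, then authorize, then handle.
function postPosts(authorization: string | undefined, body: Record<string, unknown> = {}): number {
  return runPipeline(
    { headers: { authorization }, body },
    [verifyUserCredential, verifyUserPermissions([["posts:publish"], ["admin"]]), publishPostRoute],
    errorHandler,
  );
}
```

Note the ordering: authentication runs before any permission check, so an anonymous caller always receives 401 rather than learning which permissions a route requires, and the route-level `hasPermissionTo` call lets a user who passed the coarse middleware check still be refused for a more specific action such as publishing with the restricted field.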