Connectum API Reference / @connectum/auth / createProtoAuthzInterceptor
Function: createProtoAuthzInterceptor()
createProtoAuthzInterceptor(
options?):Interceptor
Defined in: packages/auth/src/proto/proto-authz-interceptor.ts:132
Create a proto-based authorization interceptor.
Uses protobuf custom options (connectum.auth.v1) for declarative authorization rules defined in .proto files. When proto options do not resolve the decision, falls back to programmatic rules and an authorize callback.
Authorization decision flow:
1. resolveMethodAuth(req.method) -- read proto options
2. public = true --> skip (allow without authn)
3. Get auth context -- lazy: don't throw yet
3b. internal = true: -- service-to-service (ADR-029)
no context --> throw Unauthenticated
no requires --> allow (any trusted internal caller)
has requires --> fall through to step 4 (inclusive roles)
4. requires defined, no context --> throw Unauthenticated
4b. requires defined, has context --> satisfiesRequirements? allow : deny
5. policy = "allow" --> allow
6. policy = "deny" --> deny
7. Evaluate programmatic rules -- unconditional rules work without context
8. Fallback: authorize callback --> requires auth context
9. Apply defaultPolicy --> deny without context = UnauthenticatedIMPORTANT: This interceptor MUST run AFTER an authentication interceptor in the chain (except for methods marked as public in proto options or matched by unconditional programmatic rules). For internal methods the upstream interceptor is createInternalAuthInterceptor; the chain order is errorHandler -> (jwtAuth | internalAuth) -> protoAuthz — the auth interceptors populate the AuthContext that this interceptor consumes.
Parameters
options?
ProtoAuthzInterceptorOptions = {}
Proto authorization interceptor options
Returns
Interceptor
ConnectRPC interceptor
Examples
Basic usage with proto options only
import { createProtoAuthzInterceptor } from '@connectum/auth';
const authz = createProtoAuthzInterceptor();
// Proto options in .proto files control authorizationWith fallback programmatic rules
import { createProtoAuthzInterceptor } from '@connectum/auth';
const authz = createProtoAuthzInterceptor({
defaultPolicy: 'deny',
rules: [
{ name: 'admin-only', methods: ['admin.v1.AdminService/*'], requires: { roles: ['admin'] }, effect: 'allow' },
],
authorize: (ctx, req) => ctx.roles.includes('superadmin'),
});