Skip to content

Connectum API Reference / @connectum/auth / createProtoAuthzInterceptor

Function: createProtoAuthzInterceptor()

createProtoAuthzInterceptor(options?): Interceptor

Defined in: packages/auth/src/proto/proto-authz-interceptor.ts:132

Create a proto-based authorization interceptor.

Uses protobuf custom options (connectum.auth.v1) for declarative authorization rules defined in .proto files. When proto options do not resolve the decision, falls back to programmatic rules and an authorize callback.

Authorization decision flow:

1.  resolveMethodAuth(req.method)  -- read proto options
2.  public = true                  --> skip (allow without authn)
3.  Get auth context               -- lazy: don't throw yet
3b. internal = true:               -- service-to-service (ADR-029)
      no context                   --> throw Unauthenticated
      no requires                  --> allow (any trusted internal caller)
      has requires                 --> fall through to step 4 (inclusive roles)
4.  requires defined, no context   --> throw Unauthenticated
4b. requires defined, has context  --> satisfiesRequirements? allow : deny
5.  policy = "allow"              --> allow
6.  policy = "deny"               --> deny
7.  Evaluate programmatic rules   -- unconditional rules work without context
8.  Fallback: authorize callback  --> requires auth context
9.  Apply defaultPolicy           --> deny without context = Unauthenticated

IMPORTANT: This interceptor MUST run AFTER an authentication interceptor in the chain (except for methods marked as public in proto options or matched by unconditional programmatic rules). For internal methods the upstream interceptor is createInternalAuthInterceptor; the chain order is errorHandler -> (jwtAuth | internalAuth) -> protoAuthz — the auth interceptors populate the AuthContext that this interceptor consumes.

Parameters

options?

ProtoAuthzInterceptorOptions = {}

Proto authorization interceptor options

Returns

Interceptor

ConnectRPC interceptor

Examples

Basic usage with proto options only

typescript
import { createProtoAuthzInterceptor } from '@connectum/auth';

const authz = createProtoAuthzInterceptor();
// Proto options in .proto files control authorization

With fallback programmatic rules

typescript
import { createProtoAuthzInterceptor } from '@connectum/auth';

const authz = createProtoAuthzInterceptor({
  defaultPolicy: 'deny',
  rules: [
    { name: 'admin-only', methods: ['admin.v1.AdminService/*'], requires: { roles: ['admin'] }, effect: 'allow' },
  ],
  authorize: (ctx, req) => ctx.roles.includes('superadmin'),
});